1. 1 IT 244 Database Management System Lecture 11 More SQL Constraints &Triggers, SQL Authorization,Transactions Foreign Keys, Local and Global Constraints, Privileges, Grant and Revoke, Grant Diagrams Triggers, Serializability, Isolation Levels, Atomicity Ref : - A First Course in Database System (Jeffrey D Ullman, Jennifer Widom) + online.

2. 2 Constraints and Triggers A constraint is a relationship among data elements that the DBMS is required to enforce. –Example: key constraints. Triggers are only executed when a specified condition occurs, e.g., insertion of a tuple. –Easier to implement than many constraints.

3. 3 Kinds of Constraints Keys. Foreign-key, or referential-integrity. Value-based constraints. –Constrain values of a particular attribute. Tuple-based constraints. –Relationship among components. Assertions: any SQL boolean expression.

4. 4 Foreign Keys Consider Relation Sells(bar, beer, price). We might expect that a beer value is a real beer --- something appearing in Beers.name. A constraint that requires a beer in Sells to be a beer in Beers is called a foreign -key constraint.

5. 5 Expressing Foreign Keys Use the keyword REFERENCES, either: 1.Within the declaration of an attribute, when only one attribute is involved. 2.As an element of the schema, as: FOREIGN KEY ( ) REFERENCES ( ) Referenced attributes must be declared PRIMARY KEY or UNIQUE.

6. 6 Example: With Attribute CREATE TABLE Beers ( nameCHAR(20) PRIMARY KEY, manfCHAR(20) ); CREATE TABLE Sells ( barCHAR(20), beerCHAR(20) REFERENCES Beers(name), priceREAL );

7. 7 Example: As Element CREATE TABLE Beers ( nameCHAR(20) PRIMARY KEY, manfCHAR(20) ); CREATE TABLE Sells ( barCHAR(20), beerCHAR(20), priceREAL, FOREIGN KEY(beer) REFERENCES Beers(name));

8. 8 Enforcing Foreign-Key Constraints If there is a foreign-key constraint from attributes of relation R to the primary key of relation S, two violations are possible: 1.An insert or update to R introduces values not found in S. 2.A deletion or update to S causes some tuples of R to “dangle.”

9. 9 Actions Taken -- 1 Suppose R = Sells, S = Beers. An insert or update to Sells that introduces a nonexistent beer must be rejected. A deletion or update to Beers that removes a beer value found in some tuples of Sells can be handled in three ways.

10. 10 Actions Taken -- 2 The three possible ways to handle beers that suddenly cease to exist are: 1.Default : Reject the modification. 2.Cascade : Make the same changes in Sells. wDeleted beer: delete Sells tuple. wUpdated beer: change value in Sells. 3.Set NULL : Change the beer to NULL.

11. 11 Example: Cascade Suppose we delete the Royal tuple from Beers. –Then delete all tuples from Sells that have beer = ’Royal’. Suppose we update the Royal tuple by changing ’Royal’ to ’Budweiser’. –Then change all Sells tuples with beer = ’Royal’ so that beer = ’Budweiser’.

12. 12 Example: Set NULL Suppose we delete the Royal tuple from Beers. –Change all tuples of Sells that have beer = ’Royal’ to have beer = NULL. Suppose we update the Royal tuple by changing ’Royal’ to ’Budweiser’. –Same change.

13. 13 Choosing a Policy When we declare a foreign key, we may choose policies SET NULL or CASCADE independently for deletions and updates. Follow the foreign-key declaration by: ON [UPDATE, DELETE][SET NULL CASCADE] Two such clauses may be used. Otherwise, the default (reject) is used.

14. 14 Example CREATE TABLE Sells ( barCHAR(20), beerCHAR(20), priceREAL, FOREIGN KEY(beer) REFERENCES Beers(name) ON DELETE SET NULL ON UPDATE CASCADE );

15. 15 Attribute-Based Checks Put a constraint on the value of a particular attribute. CHECK( ) must be added to the declaration for the attribute. The condition may use the name of the attribute, but any other relation or attribute name must be in a subquery.

16. 16 Example CREATE TABLE Sells ( barCHAR(20), beerCHAR(20)CHECK ( beer IN (SELECT name FROM Beers)), priceREAL CHECK ( price <= 5.00 ) );

17. 17 Timing of Checks An attribute-based check is checked only when a value for that attribute is inserted or updated. –Example: CHECK (price <= 5.00) checks every new price and rejects it if it is more than $5. –Example: CHECK (beer IN (SELECT name FROM Beers)) not checked if a beer is deleted from Beers (unlike foreign-keys).

18. 18 Tuple-Based Checks CHECK ( ) may be added as another element of a schema definition. The condition may refer to any attribute of the relation, but any other attributes or relations require a subquery. Checked on insert or update only.

19. 19 Example: Tuple-Based Check Only BF’s Bar can sell beer for more than $5: CREATE TABLE Sells ( barCHAR(20), beerCHAR(20), priceREAL, CHECK (bar = ’BF’’s Bar’ OR price <= 5.00) );

20. 20 Assertions These are database-schema elements, like relations or views. Defined by: CREATE ASSERTION CHECK ( ); Condition may refer to any relation or attribute in the database schema.

21. 21 Example: Assertion In Sells(bar, beer, price), no bar may charge an average of more than $5. CREATE ASSERTION NoRipoffBars CHECK ( NOT EXISTS ( SELECT bar FROM Sells GROUP BY bar HAVING 5.00 < AVG(price) )); Bars with an average price above $5

22. 22 Example: Assertion In Drinkers(name, addr, phone) and Bars(name, addr, license), there cannot be more bars than drinkers. CREATE ASSERTION FewBar CHECK ( (SELECT COUNT(*) FROM Bars) <= (SELECT COUNT(*) FROM Drinkers) );

23. 23 Timing of Assertion Checks In principle, we must check every assertion after every modification to any relation of the database. A clever system can observe that only certain changes could cause a given assertion to be violated. –Example: No change to Beers can affect FewBar. Neither can an insertion to Drinkers.

24. 24 Triggers: Motivation Attribute- and tuple-based checks have limited capabilities. Assertions are sufficiently general for most constraint applications, but they are hard to implement efficiently. –The DBMS must have real intelligence to avoid checking assertions that couldn’t possibly have been violated.

25. 25 Triggers: Solution A trigger allows the user to specify when the check occurs. Like an assertion, a trigger has a general- purpose condition and also can perform any sequence of SQL database modifications.

26. 26 Event-Condition-Action Rules Another name for “trigger” is ECA rule, or event-condition-action rule. Event : typically a type of database modification, e.g., “insert on Sells.” Condition : Any SQL boolean-valued expression. Action : Any SQL statements.

27. 27 Example: A Trigger There are many details to learn about triggers. Here is an example to set the stage. Instead of using a foreign-key constraint and rejecting insertions into Sells(bar, beer, price) with unknown beers, a trigger can add that beer to Beers, with a NULL manufacturer.

28. 28 Example: Trigger Definition CREATE TRIGGER BeerTrig AFTER INSERT ON Sells REFERENCING NEW ROW AS NewTuple FOR EACH ROW WHEN (NewTuple.beer NOT IN (SELECT name FROM Beers)) INSERT INTO Beers(name) VALUES(NewTuple.beer); The event The condition The action

29. 29 Options: CREATE TRIGGER CREATE TRIGGER Option: CREATE OR REPLACE TRIGGER –Useful if there is a trigger with that name and you want to modify the trigger.

30. 30 Options: The Condition AFTER can be BEFORE. –Also, INSTEAD OF, if the relation is a view. A great way to execute view modifications: have triggers translate them to appropriate modifications on the base tables. INSERT can be DELETE or UPDATE. –And UPDATE can be UPDATE... ON a particular attribute.

31. 31 Options: FOR EACH ROW Triggers are either row-level or statement- level. FOR EACH ROW indicates row-level; its absence indicates statement-level. Row level triggers are executed once for each modified tuple. Statement-level triggers execute once for an SQL statement, regardless of how many tuples are modified.

32. 32 Options: REFERENCING INSERT statements imply a new tuple (for row-level) or new set of tuples (for statement-level). DELETE implies an old tuple or table. UPDATE implies both. Refer to these by [NEW OLD][TUPLE TABLE] AS

33. 33 Options: The Condition Any boolean-valued condition is appropriate. It is evaluated before or after the triggering event, depending on whether BEFORE or AFTER is used in the event. Access the new/old tuple or set of tuples through the names declared in the REFERENCING clause.

34. 34 Options: The Action There can be more than one SQL statement in the action. –Surround by BEGIN... END if there is more than one. But queries make no sense in an action, so we are really limited to modifications.

35. 35 Another Example Using Sells(bar, beer, price) and a unary relation RipoffBars(bar) created for the purpose, maintain a list of bars that raise the price of any beer by more than $1.

36. 36 The Trigger CREATE TRIGGER PriceTrig AFTER UPDATE OF price ON Sells REFERENCING OLD ROW as old NEW ROW as new FOR EACH ROW WHEN(new.price > old.price + 1.00) INSERT INTO RipoffBars VALUES(new.bar); The event – only changes to prices Updates let us talk about old and new tuples We need to consider each price change Condition: a raise in price > $1 When the price change is great enough, add the bar to RipoffBars

37. 37 Triggers on Views Generally, it is impossible to modify a view, because it doesn’t exist. But an INSTEAD OF trigger lets us interpret view modifications in a way that makes sense. Example: We’ll design a view Heilala that has (drinker, beer, bar) triples such that the bar serves the beer, the drinker frequents the bar and likes the beer.

38. 38 Example: The View CREATE VIEW Heilala AS SELECT Likes.drinker, Likes.beer, Sells.bar FROM Likes, Sells, Frequents WHERE Likes.drinker = Frequents.drinker AND Likes.beer = Sells.beer AND Sells.bar = Frequents.bar; Natural join of Likes, Sells, and Frequents Pick one copy of each attribute

39. 39 Interpreting a View Insertion We cannot insert into Heilala --- it is a view. But we can use an INSTEAD OF trigger to turn a (drinker, beer, bar) triple into three insertions of projected pairs, one for each of Likes, Sells, and Frequents. –The Sells.price will have to be NULL.

40. 40 The Trigger CREATE TRIGGER ViewTrig INSTEAD OF INSERT ON Heilala REFERENCING NEW ROW AS n FOR EACH ROW BEGIN INSERT INTO LIKES VALUES(n.drinker, n.beer); INSERT INTO SELLS(bar, beer) VALUES(n.bar, n.beer); INSERT INTO FREQUENTS VALUES(n.drinker, n.bar); END;

41. 41 Summary Constraints and Triggers Kinds of Constraints (Foreign Keys) Attribute-Based Checks Assertions Event-Condition-Action Rules Triggers Triggers on Views

42. 42 SQL Authorization Privileges, Grant and Revoke Grant Diagrams

43. 43 Authorization A file system identifies certain privileges on the objects (files) it manages. –Typically read, write, execute. A file system identifies certain participants to whom privileges may be granted. –Typically the owner, a group, all users.

44. 44 Privileges --- 1 SQL identifies a more detailed set of privileges on objects (relations) than the typical file system. Nine privileges in all, some of which can be restricted to one column of one relation.

45. 45 Privileges --- 2 Some important privileges on a relation: 1.SELECT = right to query the relation. 2.INSERT = right to insert tuples. wMay apply to only one attribute. 3.DELETE = right to delete tuples. 4.UPDATE = right to update tuples. wMay apply to only one attribute.

46. 46 Example: Privileges For the statement below: INSERT INTO Beers(name) SELECT beer FROM Sells WHERE NOT EXISTS (SELECT * FROM Beers WHERE name = beer); We require privileges SELECT on Sells and Beers, and INSERT on Beers or Beers.name. beers that do not appear in Beers. We add them to Beers with a NULL manufacturer.

47. 47 Authorization ID’s A user is referred to by authorization ID, typically their name. There is an authorization ID PUBLIC. –Granting a privilege to PUBLIC makes it available to any authorization ID.

48. 48 Granting Privileges You have all possible privileges on the objects, such as relations, that you create. You may grant privileges to other users (authorization ID’s), including PUBLIC. You may also grant privileges WITH GRANT OPTION, which lets the grantee also grant this privilege.

49. 49 The GRANT Statement To grant privileges, say: GRANT ON TO ; If you want the recipient(s) to be able to pass the privilege(s) to others add: WITH GRANT OPTION

50. 50 Example: GRANT Suppose you are the owner of Sells. You may say: GRANT SELECT, UPDATE(price) ON Sells TO sione; Now Sione has the right to issue any query on Sells and can update the price component only.

51. 51 Example: Grant Option Suppose we also grant: GRANT UPDATE ON Sells TO sione WITH GRANT OPTION; Now, Sione can not only update any attribute of Sells, but can grant to others the privilege UPDATE ON Sells. –Also, she can grant more specific privileges like UPDATE(price) ON Sells.

52. 52 Revoking Privileges REVOKE ON FROM ; Your grant of these privileges can no longer be used by these users to justify their use of the privilege. –But they may still have the privilege because they obtained it independently from elsewhere.

53. 53 REVOKE Options We must append to the REVOKE statement either: 1.CASCADE. Now, any grants made by a revokee are also not in force, no matter how far the privilege was passed. 2.RESTRICT. If the privilege has been passed to others, the REVOKE fails as a warning that something else must be done to “chase the privilege down.”

54. 54 Grant Diagrams Nodes = user/privilege/option/isOwner? –UPDATE ON R, UPDATE(a) on R, and UPDATE(b) ON R live in different nodes. –SELECT ON R and SELECT ON R WITH GRANT OPTION live in different nodes. Edge X ->Y means that node X was used to grant Y.

55. 55 Notation for Nodes Use AP for the node representing authorization ID A having privilege P. –P * represents privilege P with grant option. –P ** represents the source of the privilege P. That is, AP ** means A is the owner of the object on which P is a privilege. Note ** implies grant option.

56. 56 Manipulating Edges --- 1 When A grants P to B, We draw an edge from AP * or AP ** to BP. –Or to BP * if the grant is with grant option. If A grants a subprivilege Q of P (say UPDATE(a) on R when P is UPDATE ON R) then the edge goes to BQ or BQ *, instead.

57. 57 Manipulating Edges --- 2 Fundamental rule: user C has privilege Q as long as there is a path from XQ ** (the origin of privilege Q ) to CQ, CQ *, or CQ**. –Remember that XQ** could be CQ**.

58. 58 Manipulating Edges --- 3 If A revokes P from B with the CASCADE option, delete the edge from AP to BP. If A uses RESTRICT, and there is an edge from BP to anywhere, then reject the revocation and make no change to the graph.

59. 59 Manipulating Edges --- 4 Having revised the edges, we must check that each node has a path from some ** node, representing ownership. Any node with no such path represents a revoked privilege and is deleted from the diagram.

60. 60 Example: Grant Diagram AP** A owns the object on which P is a privilege BP* A: GRANT P TO B WITH GRANT OPTION CP* B: GRANT P TO C WITH GRANT OPTION CP A: GRANT P TO C

61. 61 Example: Grant Diagram AP**BP*CP* CP A executes REVOKE P FROM B CASCADE; However, C still has P without grant option because of the direct grant. Not only does B lose P*, but C loses P*. Delete BP* and CP*. Even had C passed P to B, both nodes are still cut off.

62. 62 Summary Authorization Privileges Authorization ID’s Granting Privileges The GRANT Statement and Grant Option Revoking Privileges and REVOKE Options Grant Diagrams Notation for Nodes Manipulating Edges

63. 63 Transactions Serializability, Isolation Levels Atomicity

64. 64 The Setting Database systems are normally being accessed by many users or processes at the same time. –Both queries and modifications. Unlike Operating Systems, which support interaction of processes, a DMBS needs to keep processes from troublesome interactions.

65. 65 Example: Bad Interaction You and your spouse each take $100 from different ATM’s at about the same time. –The DBMS better make sure one account deduction doesn’t get lost. Compare: An OS allows two people to edit a document at the same time. If both write, one’s changes get lost.

66. 66 ACID Transactions A DBMS is expected to support “ACID transactions,” which are: –Atomic : Either the whole process is done or none is. –Consistent : Database constraints are preserved. –Isolated : It appears to the user as if only one process executes at a time. –Durable : Effects of a process do not get lost if the system crashes.

67. 67 Transactions in SQL SQL supports transactions, often behind the scenes. –Each statement issued at the generic query interface is a transaction by itself. –In programming interfaces like Embedded SQL or PSM, a transaction begins the first time an SQL statement is executed and ends with the program or an explicit end.

68. 68 COMMIT The SQL statement COMMIT causes a transaction to complete. –It’s database modifications are now permanent in the database.

69. 69 ROLLBACK The SQL statement ROLLBACK also causes the transaction to end, but by aborting. –No effects on the database. Failures like division by 0 can also cause rollback, even if the programmer does not request it.

70. 70 An Example: Interacting Processes Assume the usual Sells(bar,beer,price) relation, and suppose that BF’s Bar sells only Royal for $2.50 and VB for $3.00. Sione is querying Sells for the highest and lowest price BF charges. BF decides to stop selling Royal and VB, but to sell only Ikale at $3.50.

71. 71 Sione’s Program Sione executes the following two SQL statements, which we call (min) and (max), to help remember what they do. (max)SELECT MAX(price) FROM Sells WHERE bar = ‘BF’’s Bar’; (min)SELECT MIN(price) FROM Sells WHERE bar = ‘BF’’s Bar’;

72. 72 BF’s Program At about the same time, BF executes the following steps, which have the mnemonic names (del) and (ins). (del)DELETE FROM Sells WHERE bar = ‘BF’’s Bar’; (ins)INSERT INTO Sells VALUES(‘BF’’s Bar’, ‘Ikale’, 3.50);

73. 73 Interleaving of Statements Although (max) must come before (min) and (del) must come before (ins), there are no other constraints on the order of these statements, unless we group Sione’s and/or BF’s statements into transactions.

74. 74 Example: Strange Interleaving Suppose the steps execute in the order (max)(del)(ins)(min). BF’s Prices: Statement: Result: Sione sees MAX < MIN! 2.50, 3.00 (del) (ins) 3.50 (min) 3.50 2.50, 3.00 (max) 3.00

75. 75 Fixing the Problem With Transactions If we group Sione’s statements (max)(min) into one transaction, then he cannot see this inconsistency. He see’s BF’s prices at some fixed time. –Either before or after he changes prices, or in the middle, but the MAX and MIN are computed from the same prices.

76. 76 Another Problem: Rollback Suppose BF executes (del)(ins), but after executing these statements, thinks better of it and issues a ROLLBACK statement. If Sione executes his transaction after (ins) but before the rollback, he sees a value, 3.50, that never existed in the database.

77. 77 Solution If BF executes (del)(ins) as a transaction, its effect cannot be seen by others until the transaction executes COMMIT. –If the transaction executes ROLLBACK instead, then its effects can never be seen.

78. 78 Isolation Levels SQL defines four isolation levels = choices about what interactions are allowed by transactions that execute at about the same time. How a DBMS implements these isolation levels is highly complex, and a typical DBMS provides its own options.

79. 79 Choosing the Isolation Level Within a transaction, we can say: SET TRANSACTION ISOLATION LEVEL X where X = 1.SERIALIZABLE 2.REPEATABLE READ 3.READ COMMITTED 4.READ UNCOMMITTED

80. 80 Serializable Transactions If Sione = (max)(min) and BF = (del)(ins) are each transactions, and Sione runs with isolation level SERIALIZABLE, then he will see the database either before or after BF runs, but not in the middle. It’s up to the DBMS vendor to figure out how to do that, e.g.: –True isolation in time. –Keep BF’s old prices around to answer Sione’s queries.

81. 81 Isolation Level Is Personal Choice Your choice, e.g., run serializable, affects only how you see the database, not how others see it. Example: If BF Runs serializable, but Sione doesn’t, then Sione might see no prices for BF’s Bar. –i.e., it looks to Sione as if he ran in the middle of BF’s transaction.

82. 82 Read-Commited Transactions If Sione runs with isolation level READ COMMITTED, then he can see only committed data, but not necessarily the same data each time. Example: Under READ COMMITTED, the interleaving (max)(del)(ins)(min) is allowed, as long as BF commits. –Sione sees MAX < MIN.

83. 83 Repeatable-Read Transactions Requirement is like read-committed, plus: if data is read again, then everything seen the first time will be seen the second time. –But the second and subsequent reads may see more tuples as well.

84. 84 Example: Repeatable Read Suppose Sione runs under REPEATABLE READ, and the order of execution is (max)(del)(ins)(min). –(max) sees prices 2.50 and 3.00. –(min) can see 3.50, but must also see 2.50 and 3.00, because they were seen on the earlier read by (max).

85. 85 Read Uncommitted A transaction running under READ UNCOMMITTED can see data in the database, even if it was written by a transaction that has not committed (and may never). Example: If Sione runs under READ UNCOMMITTED, she could see a price 3.50 even if BF later aborts.

86. 86 Summary The Setting ACID Transactions Transactions in SQL COMMIT ROLLBACK Isolation Levels Serializable Transactions Read-Commited Transactions Repeatable-Read Transactions