4 5.10.1. Creating a Schema
5 5.10.2. The Public Schema
6 5.10.3. The Schema Search Path
7 5.10.4. Schemas and Privileges
8 5.10.5. The System Catalog Schema
12 A PostgreSQL database cluster contains one or more named databases.
13 Roles and a few other object types are shared across the entire
14 cluster. A client connection to the server can only access data in a
15 single database, the one specified in the connection request.
19 Users of a cluster do not necessarily have the privilege to access
20 every database in the cluster. Sharing of role names means that there
21 cannot be different roles named, say, joe in two databases in the same
22 cluster; but the system can be configured to allow joe access to only
23 some of the databases.
25 A database contains one or more named schemas, which in turn contain
26 tables. Schemas also contain other kinds of named objects, including
27 data types, functions, and operators. Within one schema, two objects of
28 the same type cannot have the same name. Furthermore, tables,
29 sequences, indexes, views, materialized views, and foreign tables share
30 the same namespace, so that, for example, an index and a table must
31 have different names if they are in the same schema. The same object
32 name can be used in different schemas without conflict; for example,
33 both schema1 and myschema can contain tables named mytable. Unlike
34 databases, schemas are not rigidly separated: a user can access objects
35 in any of the schemas in the database they are connected to, if they
36 have privileges to do so.
38 There are several reasons why one might want to use schemas:
39 * To allow many users to use one database without interfering with
41 * To organize database objects into logical groups to make them more
43 * Third-party applications can be put into separate schemas so they
44 do not collide with the names of other objects.
46 Schemas are analogous to directories at the operating system level,
47 except that schemas cannot be nested.
49 5.10.1. Creating a Schema #
51 To create a schema, use the CREATE SCHEMA command. Give the schema a
52 name of your choice. For example:
53 CREATE SCHEMA myschema;
55 To create or access objects in a schema, write a qualified name
56 consisting of the schema name and table name separated by a dot:
59 This works anywhere a table name is expected, including the table
60 modification commands and the data access commands discussed in the
61 following chapters. (For brevity we will speak of tables only, but the
62 same ideas apply to other kinds of named objects, such as types and
65 Actually, the even more general syntax
68 can be used too, but at present this is just for pro forma compliance
69 with the SQL standard. If you write a database name, it must be the
70 same as the database you are connected to.
72 So to create a table in the new schema, use:
73 CREATE TABLE myschema.mytable (
77 To drop a schema if it's empty (all objects in it have been dropped),
81 To drop a schema including all contained objects, use:
82 DROP SCHEMA myschema CASCADE;
84 See Section 5.15 for a description of the general mechanism behind
87 Often you will want to create a schema owned by someone else (since
88 this is one of the ways to restrict the activities of your users to
89 well-defined namespaces). The syntax for that is:
90 CREATE SCHEMA schema_name AUTHORIZATION user_name;
92 You can even omit the schema name, in which case the schema name will
93 be the same as the user name. See Section 5.10.6 for how this can be
96 Schema names beginning with pg_ are reserved for system purposes and
97 cannot be created by users.
99 5.10.2. The Public Schema #
101 In the previous sections we created tables without specifying any
102 schema names. By default such tables (and other objects) are
103 automatically put into a schema named “public”. Every new database
104 contains such a schema. Thus, the following are equivalent:
105 CREATE TABLE products ( ... );
108 CREATE TABLE public.products ( ... );
110 5.10.3. The Schema Search Path #
112 Qualified names are tedious to write, and it's often best not to wire a
113 particular schema name into applications anyway. Therefore tables are
114 often referred to by unqualified names, which consist of just the table
115 name. The system determines which table is meant by following a search
116 path, which is a list of schemas to look in. The first matching table
117 in the search path is taken to be the one wanted. If there is no match
118 in the search path, an error is reported, even if matching table names
119 exist in other schemas in the database.
121 The ability to create like-named objects in different schemas
122 complicates writing a query that references precisely the same objects
123 every time. It also opens up the potential for users to change the
124 behavior of other users' queries, maliciously or accidentally. Due to
125 the prevalence of unqualified names in queries and their use in
126 PostgreSQL internals, adding a schema to search_path effectively trusts
127 all users having CREATE privilege on that schema. When you run an
128 ordinary query, a malicious user able to create objects in a schema of
129 your search path can take control and execute arbitrary SQL functions
130 as though you executed them.
132 The first schema named in the search path is called the current schema.
133 Aside from being the first schema searched, it is also the schema in
134 which new tables will be created if the CREATE TABLE command does not
135 specify a schema name.
137 To show the current search path, use the following command:
140 In the default setup this returns:
145 The first element specifies that a schema with the same name as the
146 current user is to be searched. If no such schema exists, the entry is
147 ignored. The second element refers to the public schema that we have
150 The first schema in the search path that exists is the default location
151 for creating new objects. That is the reason that by default objects
152 are created in the public schema. When objects are referenced in any
153 other context without schema qualification (table modification, data
154 modification, or query commands) the search path is traversed until a
155 matching object is found. Therefore, in the default configuration, any
156 unqualified access again can only refer to the public schema.
158 To put our new schema in the path, we use:
159 SET search_path TO myschema,public;
161 (We omit the $user here because we have no immediate need for it.) And
162 then we can access the table without schema qualification:
165 Also, since myschema is the first element in the path, new objects
166 would by default be created in it.
168 We could also have written:
169 SET search_path TO myschema;
171 Then we no longer have access to the public schema without explicit
172 qualification. There is nothing special about the public schema except
173 that it exists by default. It can be dropped, too.
175 See also Section 9.27 for other ways to manipulate the schema search
178 The search path works in the same way for data type names, function
179 names, and operator names as it does for table names. Data type and
180 function names can be qualified in exactly the same way as table names.
181 If you need to write a qualified operator name in an expression, there
182 is a special provision: you must write
183 OPERATOR(schema.operator)
185 This is needed to avoid syntactic ambiguity. An example is:
186 SELECT 3 OPERATOR(pg_catalog.+) 4;
188 In practice one usually relies on the search path for operators, so as
189 not to have to write anything so ugly as that.
191 5.10.4. Schemas and Privileges #
193 By default, users cannot access any objects in schemas they do not own.
194 To allow that, the owner of the schema must grant the USAGE privilege
195 on the schema. By default, everyone has that privilege on the schema
196 public. To allow users to make use of the objects in a schema,
197 additional privileges might need to be granted, as appropriate for the
200 A user can also be allowed to create objects in someone else's schema.
201 To allow that, the CREATE privilege on the schema needs to be granted.
202 In databases upgraded from PostgreSQL 14 or earlier, everyone has that
203 privilege on the schema public. Some usage patterns call for revoking
205 REVOKE CREATE ON SCHEMA public FROM PUBLIC;
207 (The first “public” is the schema, the second “public” means “every
208 user”. In the first sense it is an identifier, in the second sense it
209 is a key word, hence the different capitalization; recall the
210 guidelines from Section 4.1.1.)
212 5.10.5. The System Catalog Schema #
214 In addition to public and user-created schemas, each database contains
215 a pg_catalog schema, which contains the system tables and all the
216 built-in data types, functions, and operators. pg_catalog is always
217 effectively part of the search path. If it is not named explicitly in
218 the path then it is implicitly searched before searching the path's
219 schemas. This ensures that built-in names will always be findable.
220 However, you can explicitly place pg_catalog at the end of your search
221 path if you prefer to have user-defined names override built-in names.
223 Since system table names begin with pg_, it is best to avoid such names
224 to ensure that you won't suffer a conflict if some future version
225 defines a system table named the same as your table. (With the default
226 search path, an unqualified reference to your table name would then be
227 resolved as the system table instead.) System tables will continue to
228 follow the convention of having names beginning with pg_, so that they
229 will not conflict with unqualified user-table names so long as users
230 avoid the pg_ prefix.
232 5.10.6. Usage Patterns #
234 Schemas can be used to organize your data in many ways. A secure schema
235 usage pattern prevents untrusted users from changing the behavior of
236 other users' queries. When a database does not use a secure schema
237 usage pattern, users wishing to securely query that database would take
238 protective action at the beginning of each session. Specifically, they
239 would begin each session by setting search_path to the empty string or
240 otherwise removing schemas that are writable by non-superusers from
241 search_path. There are a few usage patterns easily supported by the
242 default configuration:
243 * Constrain ordinary users to user-private schemas. To implement this
244 pattern, first ensure that no schemas have public CREATE
245 privileges. Then, for every user needing to create non-temporary
246 objects, create a schema with the same name as that user, for
247 example CREATE SCHEMA alice AUTHORIZATION alice. (Recall that the
248 default search path starts with $user, which resolves to the user
249 name. Therefore, if each user has a separate schema, they access
250 their own schemas by default.) This pattern is a secure schema
251 usage pattern unless an untrusted user is the database owner or has
252 been granted ADMIN OPTION on a relevant role, in which case no
253 secure schema usage pattern exists.
254 In PostgreSQL 15 and later, the default configuration supports this
255 usage pattern. In prior versions, or when using a database that has
256 been upgraded from a prior version, you will need to remove the
257 public CREATE privilege from the public schema (issue REVOKE CREATE
258 ON SCHEMA public FROM PUBLIC). Then consider auditing the public
259 schema for objects named like objects in schema pg_catalog.
260 * Remove the public schema from the default search path, by modifying
261 postgresql.conf or by issuing ALTER ROLE ALL SET search_path =
262 "$user". Then, grant privileges to create in the public schema.
263 Only qualified names will choose public schema objects. While
264 qualified table references are fine, calls to functions in the
265 public schema will be unsafe or unreliable. If you create functions
266 or extensions in the public schema, use the first pattern instead.
267 Otherwise, like the first pattern, this is secure unless an
268 untrusted user is the database owner or has been granted ADMIN
269 OPTION on a relevant role.
270 * Keep the default search path, and grant privileges to create in the
271 public schema. All users access the public schema implicitly. This
272 simulates the situation where schemas are not available at all,
273 giving a smooth transition from the non-schema-aware world.
274 However, this is never a secure pattern. It is acceptable only when
275 the database has a single user or a few mutually-trusting users. In
276 databases upgraded from PostgreSQL 14 or earlier, this is the
279 For any pattern, to install shared applications (tables to be used by
280 everyone, additional functions provided by third parties, etc.), put
281 them into separate schemas. Remember to grant appropriate privileges to
282 allow the other users to access them. Users can then refer to these
283 additional objects by qualifying the names with a schema name, or they
284 can put the additional schemas into their search path, as they choose.
286 5.10.7. Portability #
288 In the SQL standard, the notion of objects in the same schema being
289 owned by different users does not exist. Moreover, some implementations
290 do not allow you to create schemas that have a different name than
291 their owner. In fact, the concepts of schema and user are nearly
292 equivalent in a database system that implements only the basic schema
293 support specified in the standard. Therefore, many users consider
294 qualified names to really consist of user_name.table_name. This is how
295 PostgreSQL will effectively behave if you create a per-user schema for
298 Also, there is no concept of a public schema in the SQL standard. For
299 maximum conformance to the standard, you should not use the public
302 Of course, some SQL database systems might not implement schemas at
303 all, or provide namespace support by allowing (possibly limited)
304 cross-database access. If you need to work with those systems, then
305 maximum portability would be achieved by not using schemas at all.
begriffs.com / projects / ai-pg / blob