[Opensim-dev] secure_inventory_server ??

Michael Wright michaelwri22 at yahoo.co.uk
Fri Jul 25 12:11:02 UTC 2008 

Sorry one more follow on.

So taking into account my last couple of emails, I would like to request that we leave the option in the region server (opensim.ini) to turn off the secure inventory system, for the forseeable future. Just the tying one inventory server to one user server/ grid, seems to be the wrong way to be going. 

Michael Wright <michaelwri22 at yahoo.co.uk> wrote: a quick follow on, what I mean about it being too rigid, is that by having a set userserver set url in the inventory server. It makes it harder to use the same inventory server on multiple grids. Either for the same user (if their id on each grid was the same). Or just multiple grids/user groups sharing a common inventory server. 

I actually consider both of them features that we have/had and should keep. SO while on important bug (the lack of security) has been fixed, it has broke two other features. 

Michael Wright <michaelwri22 at yahoo.co.uk> wrote: Okay had a bit deeper look at the inventory changes, and see the changes aren't anywhere near as big as I was imagining. So guess I take back my suggestion of a option. 

I made the suggestion, because my thinking in something like while no interfaces are going to be anything  like stable until much nearer to 1.0, I do think if a really big change is made to a interface (specially on the interfaces to the grid servers). If it is possible to add a mode for backwards compatibility easily, then we should do so (even if only temporary). But as I said, after looking more closely at the changes, doesn't look like this is such a big change.

I'm a little concerned about the constant lookup to the user server. As I think really we should be trying to spearate the inventory/asset servers so they are more standalone (don't keep connecting to other servers). To allow for a more destributed set up with them. But haven't really thought about how a secure system could work  there. This lookup method just feels a bit too rigid to me

Michael Wright <michaelwri22 at yahoo.co.uk> wrote: Yeah I guess, one problem with  changes like this is anyone who has custom Login service (like us) has to rewrite it to use the new methods. Which is going to take time. But I guess that is how things go.

To be honest, even not taking that into account I would still like to see a way to turn things off. While you can argue that we should avoid too many options. At the same time I think you can argue that we should make things as customisable as possible (which is what I prefer).

I guess I need to look at the changes in inventory server more closely before I can really give a proper opinion though. 

Justin Clark-Casey <jjustincc at googlemail.com> wrote: Michael Wright wrote:
> We might also want to add a temporary config setting to the inventory 
> server to turn the security off. For people who want to update the  
> server, but could  have old regions on the grid.

To be honest, I think that it would be nice to avoid option proliferation.  Already, the 'secure' option is really just 
a bridge - the original mode should be removed (and secure become the 'default') when we're happy that they aren't major 
difficulties.  Adding another option for inventory server potentially exposes another point of failure and something 
that will have to be deprecated/removed later on.

I think that traditionally we've been happy to have breaking grid changes that have required region updates.  Can we do 
the same thing here?

> 
> */liu xiaolu /* wrote:
> 
>     OK,  I can understand that,
> 
>     you can change the OpenSim.ini.example like,
>     add the following line inside [Network] section (just under
>     inventory_server_url):
>     ;secure_inventory_server = true
>     you should  keep the line commented,  because by default its value is
>     "true"
> 
>     We(Johan, Mikem, lulurun) discussed about this,
>     "secure_inventory_server" is just a "bridge"
>     for the people who are running latest regionserver, but using old
>     revisions of UGAI.
> 
>     as the revision number grows, we want to delete this option in the
>     short future.
> 
>     \\\\
>     2008/7/25 Charles Krinke >:
> 
>         Thanks, Lulurun. That helps some.
> 
>         I believe the concern I have is the support of our users on the
>         #opensim IRC channel. If  there are settings to OpenSim that are
>         *not* in OpenSim.ini.example and someone sets them, then support
>         gets more difficult.
> 
>         At this point, I am merely trying to suggest that any config
>          settings that anyone might  use be entered in
>         OpenSim.ini.example. Additionally a couple of comments that
>         describe when one might want to use these settings would help
>         our users move forward.
> 
>         Charles
> 
> 
>         ----- Original Message ----
>         From: liu xiaolu >
>         To: opensim-dev at lists.berlios.de
>         
>         Sent: Thursday, July 24, 2008 8:04:24 PM
>         Subject: Re: [Opensim-dev] secure_inventory_server ??
> 
>         That option is avaliable from 5592, it is just a  temporary thing.
> 
>         To explain the situation simply:
>         1. old inventory server accepts any request without check the
>         use identity, this causes a problem that everyone's inventory
>         information can be  easily modified by other  people who even do
>         not know your password.
>         2. secure_inventory_server accepts request by checking a valid
>         session_id, so every inventory request needs to be attached a
>         session_id.
>         3. then both of the regionserver and the inventoryserver have to
>         be changed:
>           3.1 regionserver adds user's "session_id" to inventory CRUD
>         requests
>           3.2 secureinventoryserver expects the request data contains a
>         "session_id"
>         4. so the latest regionserver do not work with non-secure
>         inventoryserver any more.
>  
>         the option enables people who are using the latest regionserver,
>         but want to connect to a non-secure inventoryserver - they can
>         set "use_secure_invnetory" to false in OpenSim.ini
> 
> 
>         2008/7/25  Charles Krinke  >:
> 
>             I am hearing about a new OpenSim.ini setting called
>             secure_inventory_server and am told it is not in
>             OpenSim.ini.example. I believe all settings for OpenSim
>             should be in OpenSim.ini and have a default, which in this
>             case could be either true, or false, I would think.
> 
>             Can someone please help us understand what this setting is,
>             what it does when set to false, what it does when set to
>             true and perhaps consider adding at least a default for this
>             setting  in OpenSim.ini.example?
> 
>             Charles
> 
>             _______________________________________________
>             Opensim-dev mailing list
>             Opensim-dev at lists.berlios.de
>               
>             https://lists.berlios.de/mailman/listinfo/opensim-dev
> 
> 
> 
> 
>         -- 
>         Lulurun
> 
>         _______________________________________________
>         Opensim-dev mailing list
>         Opensim-dev at lists.berlios.de 
>         https://lists.berlios.de/mailman/listinfo/opensim-dev
> 
> 
> 
> 
>     -- 
>     Lulurun
>     _______________________________________________
>     Opensim-dev mailing list
>     Opensim-dev at lists.berlios.de
>      https://lists.berlios.de/mailman/listinfo/opensim-dev
> 
> 
> ------------------------------------------------------------------------
> Not happy with your email address?
> Get the one you really want  - 
> millions of   new email addresses available now at Yahoo! 
> 
> 
> 
> ------------------------------------------------------------------------
> 
> _______________________________________________
> Opensim-dev mailing list
> Opensim-dev at lists.berlios.de
> https://lists.berlios.de/mailman/listinfo/opensim-dev


-- 
justincc
Justin Clark-Casey
http://justincc.wordpress.com
_______________________________________________
Opensim-dev mailing  list
Opensim-dev at lists.berlios.de
https://lists.berlios.de/mailman/listinfo/opensim-dev

           

---------------------------------
  Not happy with your email address? 
  Get the one you   really want - millions of new email addresses available now at  Yahoo!_______________________________________________
Opensim-dev mailing list
Opensim-dev at lists.berlios.de
https://lists.berlios.de/mailman/listinfo/opensim-dev

           

---------------------------------
  Not happy with your email address? 
  Get the one you   really want - millions of new email addresses available now at  Yahoo!_______________________________________________
Opensim-dev mailing list
Opensim-dev at lists.berlios.de
https://lists.berlios.de/mailman/listinfo/opensim-dev

           

---------------------------------
  Not happy with your email address? 
  Get the one you   really want - millions of new email addresses available now at  Yahoo!_______________________________________________
Opensim-dev mailing list
Opensim-dev at lists.berlios.de
https://lists.berlios.de/mailman/listinfo/opensim-dev


       
---------------------------------
 Not happy with your email address?
  Get the one you really want - millions of new email addresses available now at  Yahoo!
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://opensimulator.org/pipermail/opensim-dev/attachments/20080725/ec8c9e07/attachment-0001.html>

More information about the Opensim-dev mailing list