[Opensim-dev] secure_inventory_server ??
liu xiaolu
lulurun at gmail.com
Fri Jul 25 14:09:11 UTC 2008
Hi, _MW,
>a quick follow on, what I mean about it being too rigid, is that by having
a set userserver set
>url in the inventory server.
I think I have to explain more about the security change.
[definition:]
* To put inventoryserver and userserver separatly, means they are on
different servers and use
different DB.
* "inventory information" is very *closely* related to user
information(inventoryids belongs to a userid),
but "inventory information" does not contain enough information that can
prove user's identity.
* Inventoryserver holds such kind of "inventory information"
* Userserver holds the information that can prove user's
identity(uuid/name,password)
[problem:]
* If we put inventoryserver separate from userserver, then inventoryserver
can not claim user's
identity by itself
=> inventoryserver has to rely on 1 or some userservers.
(check_auth_session call is neccessary)
// Above, is the current situation
[solution for "too rigid":]
* add a new table for inventoryserver, 2 fields, useruuid, userserver_url,
everytime inventoryserver
extract "session_id", "user_id" from the request, get "userserver_url" by
"user_id", then check the
identity of "user_id" from "userserver_url" (call check_auth_session)
>It makes it harder to use the same inventory server on multiple grids.
>Either for the same user (if their id on each grid was the same).
>Or just multiple grids/user groups sharing a common inventory server.
Have you ever think about 1 grid uses multiple inventoryservers. :>
Sounds like the opposite of what you said, but I think inventoryserver
should be thought in this way:
*** inventoryserver is serving for the users, not the grids/regions.
I mean, inventory server should not be always tied up with grids, no matter
1 to n or n to 1,
inventory server just exists for "users", and the "users" maybe from
different grids.
This is also a part of my plan of "interop", please refer to
http://opensimulator.org/wiki/Avatar_portability_version_2
for more information
regards,
Lulurun
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://opensimulator.org/pipermail/opensim-dev/attachments/20080725/d9c335e1/attachment-0001.html>
More information about the Opensim-dev
mailing list