[Opensim-dev] secure_inventory_server ??
Michael Wright
michaelwri22 at yahoo.co.uk
Fri Jul 25 14:32:47 UTC 2008
liu xiaolu <lulurun at gmail.com> wrote:
Hi, _MW,
>a quick follow on, what I mean about it being too rigid, is that by having a set userserver set
>url in the inventory server.
I think I have to explain more about the security change.
[definition:]
* To put inventoryserver and userserver separately means they are on different servers and use
different DB.
* "inventory information" is very *closely* related to user information (inventoryids belong to a userid),
but "inventory information" does not contain enough information that can prove user's identity.
* Inventoryserver holds such kind of "inventory information"
* Userserver holds the information that can prove user's identity (uuid/name, password)
[problem:]
* If we put inventoryserver separate from userserver, then inventoryserver can not claim user's
identity by itself
=> inventoryserver has to rely on 1 or some userservers. (check_auth_session call is necessary)
// Above, is the current situation
[solution for "too rigid":]
* add a new table for inventoryserver, 2 fields, useruuid, userserver_url; every time inventoryserver
extracts "session_id", "user_id" from the request, get "userserver_url" by "user_id", then check the
identity of "user_id" from "userserver_url" (call check_auth_session)
I really think that, rather than the inventory server calling an authenticate method on the user server, the user server should send a sessionid to the inventory server when a new login happens. I guess your idea of the userserver_url was something similar, in that the userserver would update it when a user logs in? Otherwise, if it was just "hardcoded" in the db, then it wouldn't solve anything.
Of course there is also the case of a user being online on multiple "grids" at the same time while using a single inventory server (which we have done). But if needed, that shouldn't be too hard for someone to make the changes themselves (just store multiple sessions/grid pairs per user's inventory).
>It makes it harder to use the same inventory server on multiple grids.
>Either for the same user (if their id on each grid was the same).
>Or just multiple grids/user groups sharing a common inventory server.
Have you ever thought about 1 grid using multiple inventoryservers? :>
Sounds like the opposite of what you said, but I think inventoryserver should be thought of in this way:
*** inventoryserver is serving for the users, not the grids/regions.
I mean, inventory server should not be always tied up with grids, no matter 1 to n or n to 1,
inventory server just exists for "users", and the "users" may be from different grids.
I'm really not sure what you mean here. Nothing I have said would stop multiple inventory servers on 1 grid. In fact, I think my suggestions would make these easier to support. Also, yes, I'm totally talking about making an inventory server serve users rather than "grids". Just at the moment, with the security system as it is currently, it is set up for exactly the opposite. It's tying an inventory server to a grid.
I think inventory and, in the future, asset servers should be thought of as separate services, where a user could pick whatever service they want to hold their inventory/assets and create an account on it. Then tell whatever "grid" they join/are part of to use that service. All they should need to do is set the permissions of the inventory/asset account so that the grid can access it (I also think eventually that permissions should be at the folder level, so can give a grid read only permissions or something).
This is also a part of my plan of "interop", please refer to
http://opensimulator.org/wiki/Avatar_portability_version_2
for more information
regards,
Lulurun
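
The two session-check designs discussed in this message, sketched side by side as an added example (not code from OpenSim or from either poster): the per-user `userserver_url` lookup followed by `check_auth_session`, and the alternative where the userserver pushes the session on login, with multiple grid/session pairs per user. Apart from `check_auth_session`, all class, method, and field names and the sample URLs are assumptions, and the grid allow-list stands in for the per-account permissions mentioned above.

```python
import hmac

class UserServer:                                # constructed stand-in for a userserver
    def __init__(self):
        self.sessions = {}                       # user_id -> session_id
    def check_auth_session(self, user_id, session_id):
        known = self.sessions.get(user_id)
        return known is not None and hmac.compare_digest(known, session_id)

class InventoryServer:
    def __init__(self, userservers):
        self.userservers = userservers           # userserver_url -> client
        self.user_to_url = {}                    # proposed table: useruuid -> userserver_url
        self.allowed_grids = {}                  # user_id -> grids the user granted access
        self.pushed = {}                         # user_id -> {grid_url: session_id}

    def authorize_pull(self, user_id, session_id):   # pull model: ask the user's userserver
        server = self.userservers.get(self.user_to_url.get(user_id))
        if server is None:                       # unknown user or server: fail closed
            return False
        return server.check_auth_session(user_id, session_id)

    def register_login(self, grid_url, user_id, session_id):
        """Push model: a userserver announces a new login to the inventory server."""
        # Assumption: grid_url is the authenticated identity of the caller, not a request field.
        if grid_url not in self.allowed_grids.get(user_id, set()):
            return False                         # user never granted this grid access
        self.pushed.setdefault(user_id, {})[grid_url] = session_id
        return True

    def authorize_push(self, user_id, session_id):
        """One user may be online on several grids, so any stored pair may match."""
        return any(hmac.compare_digest(s, session_id) for s in self.pushed.get(user_id, {}).values())

def demo():
    a, b = UserServer(), UserServer()
    inv = InventoryServer({"http://grid-a.example": a, "http://grid-b.example": b})
    a.sessions["user-1"] = "sess-a"              # constructed sample data
    inv.user_to_url["user-1"] = "http://grid-a.example"
    inv.allowed_grids["user-1"] = {"http://grid-a.example", "http://grid-b.example"}
    return {
        "pull_ok": inv.authorize_pull("user-1", "sess-a"),
        "pull_wrong_session": inv.authorize_pull("user-1", "sess-x"),
        "push_a": inv.register_login("http://grid-a.example", "user-1", "sess-a"),
        "push_b": inv.register_login("http://grid-b.example", "user-1", "sess-b"),
        "push_rogue": inv.register_login("http://rogue.example", "user-1", "sess-r"),
        "both_sessions": inv.authorize_push("user-1", "sess-a") and inv.authorize_push("user-1", "sess-b"),
        "rogue_session": inv.authorize_push("user-1", "sess-r"),
    }
```

In the pull model every inventory request costs a round trip to the userserver; in the push model the inventory server's trust rests entirely on how it authenticates the party calling `register_login`.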