[Opensim-dev] secure_inventory_server ??

Michael Wright michaelwri22 at yahoo.co.uk
Fri Jul 25 14:32:47 UTC 2008



liu xiaolu <lulurun at gmail.com> wrote:

Hi, _MW,

>a quick follow on, what I mean about it being too rigid, is that by having a set userserver set
>url in the inventory server.
I think I have to explain more about the security change.

[definition:]
* To put inventoryserver and userserver separately means they are on different servers and use
  different DB.
* "inventory information" is very *closely* related to user information (inventoryids belong to a userid),
  but "inventory information" does not contain enough information that can prove user's identity.
* Inventoryserver holds such kind of "inventory information"
* Userserver holds the information that can prove user's identity (uuid/name, password)
[problem:]
* If we put inventoryserver separate from userserver, then inventoryserver can not claim user's
  identity by itself
  => inventoryserver has to rely on 1 or some userservers. (check_auth_session call is necessary)
// Above, is the current situation
[solution for "too rigid":]
* add a new table for inventoryserver, 2 fields, useruuid, userserver_url; every time inventoryserver
  extracts "session_id", "user_id" from the request, get "userserver_url" by "user_id", then check the
  identity of "user_id" from "userserver_url" (call check_auth_session)

I really think that, rather than the inventory server calling an authenticate method on the user server, the user server should send a sessionid to the inventory server when a new login happens. I guess your idea of the userserver_url was something similar, in that the userserver would update it when a user logs in? Otherwise, if it was just "hardcoded" in the db, then it wouldn't solve anything.

Of course there is also the case of a user being online on multiple "grids" at the same time while using a single inventory server (which we have done). But if needed, that shouldn't be too hard for someone to make the changes themselves (just store multiple session/grid pairs per user's inventory).

 
>It makes it harder to use the same inventory server on multiple grids.
>Either for the same user (if their id on each grid was the same).
  >Or just multiple grids/user groups sharing a common inventory server.
Have you ever thought about 1 grid using multiple inventoryservers? :>
Sounds like the opposite of what you said, but I think inventoryserver should be thought of in this way:
 *** inventoryserver is serving for the users, not the grids/regions.
I mean, inventory server should not be always tied up with grids, no matter 1 to n or n to 1,
inventory server just exists for "users", and the "users" maybe from different grids.

I'm really not sure what you mean here. Nothing I have said would stop multiple inventory servers on 1 grid. In fact, I think my suggestions would make these easier to support. Also, yes, I'm totally talking about making an inventory server serve users rather than "grids". It's just that at the moment, with the security system as it is currently, it is set up for exactly the opposite. It's tying an inventory server to a grid.

I think inventory and, in the future, asset servers should be thought of as separate services: a user could pick whatever service they want to hold their inventory/assets and create an account on it, then tell whatever "grid" they join/are part of to use that service. All they should need to do is set the permissions of the inventory/asset account so that the grid can access it (I also think eventually that permissions should be at the folder level, so they can give a grid read-only permissions or something).
 
This is also a part of my plan of "interop", please refer to
http://opensimulator.org/wiki/Avatar_portability_version_2
for more information
 
regards,
Lulurun
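
The two designs discussed in this message, side by side, as an added sketch that is not part of the original thread or of OpenSim's code: the inventory server looking up a per-user userserver_url and calling check_auth_session, versus the user server sending the session to the inventory server at login, with several session/grid pairs stored per user. Class names, the grants table, the one-row-per-user lookup, URLs and session ids are assumptions constructed for illustration.

```python
import hmac
class UserServer:
    """Stand-in for a grid's userserver, the only party that can prove identity."""
    def __init__(self, url):
        self.url, self.sessions = url, {}            # sessions: user_id -> session_id

    def login(self, user_id, session_id, inventory=None):
        self.sessions[user_id] = session_id
        if inventory is not None:                    # push model: announce the login
            inventory.register_session(self.url, user_id, session_id)

    def check_auth_session(self, user_id, session_id):
        known = self.sessions.get(user_id)
        return known is not None and hmac.compare_digest(known, session_id)

class InventoryServer:
    def __init__(self, userservers):
        self.userservers = userservers   # url -> UserServer (stands in for a remote call)
        self.home = {}                   # pull: user_id -> userserver_url
        self.grants = {}                 # push: user_id -> urls the user allowed
        self.pushed = {}                 # push: user_id -> {url: session_id}

    def authorize_pull(self, user_id, session_id):   # look up userserver, ask it to vouch
        server = self.userservers.get(self.home.get(user_id))
        return server is not None and server.check_auth_session(user_id, session_id)

    def register_session(self, url, user_id, session_id):
        # Assumes the caller was already authenticated as `url` (e.g. mutual TLS).
        if url not in self.grants.get(user_id, set()):
            return False                 # user never granted this grid access
        self.pushed.setdefault(user_id, {})[url] = session_id
        return True

    def authorize_push(self, user_id, session_id):   # any live (grid, session) pair matches
        return any(hmac.compare_digest(s, session_id)
                   for s in self.pushed.get(user_id, {}).values())

def demo():
    grid_a, grid_b = UserServer("http://grid-a.example"), UserServer("http://grid-b.example")
    inv = InventoryServer({grid_a.url: grid_a, grid_b.url: grid_b})
    inv.home["user-1"] = grid_a.url                  # pull table: one userserver per user
    inv.grants["user-1"] = {grid_a.url, grid_b.url}  # push: user allowed both grids
    grid_a.login("user-1", "sess-a", inv)
    grid_b.login("user-1", "sess-b", inv)
    grid_b.login("user-2", "sess-x", inv)            # no grant for user-2: push refused
    pull, push = inv.authorize_pull, inv.authorize_push
    return {"pull_a": pull("user-1", "sess-a"), "pull_b": pull("user-1", "sess-b"),
            "push_a": push("user-1", "sess-a"), "push_b": push("user-1", "sess-b"),
            "push_ungranted": push("user-2", "sess-x")}
```

In this sketch the lookup-table design rejects the second grid's session because only one userserver_url is stored for the user, while the login-push design accepts both sessions and still refuses a grid the user has not granted.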

 