[Opensim-dev] Authentication, take 2: Capabilities
Diva Canto
diva at metaverseink.com
Fri Feb 27 04:35:37 UTC 2009
After more poking at the viewer, here's what I found.
FetchInventoryDescendents seems to be working consistently over CAPs, in
fact better than over UDP. When the agent logs in, the client always
invokes that CAP, unlike the message over UDP which only seems to come
after a clear cache. That first FetchInventoryDescendents request is for
getting the 1st-level items just below the Root folder. Whenever you
unfold folders, this CAP is invoked too, and that happens all the time.
In other words, the inventory skeleton is passed in a lazy mode to the
client, and directly from wherever this Capability is being served. Why
is this commented in the code?
Observation #1: we could make the provider of this CAP be the inventory
service, instead of the region. That way, the user can *browse* the
contents of her inventory *safely everywhere* -- even if the region
where she is doesn't have her inventory.
Unfortunately, the goodies sort of stop here. I tried coercing the
viewer to use FetchInventory, CreateInventoryItem,
CreateInventoryFolder, and other inventory manipulation operations, over
CAPs, but the viewer doesn't seem to want to do that. The only ones that
are over CAPs are the ones we already have related to notecards and
scripts. Those can also be split eventually, some of them should go to
the inv server directly, namely: NewFileAgentInventory,
UpdateNotecardAgentInventory, UpdateScriptAgentInventory. There's really
no need to let the regions serve these.
However, even though inventory access doesn't seem to be entirely over
CAPs, not all is lost. What this means is that we can stop regions (the
untrusted ones, at least) from getting the user's inventory in its
entirety while the user still *sees* it. The next problem is *access*.
That is, I can see I have a shape in there, but as soon as I try to wear
it, that fails, because the region where I am doesn't known anything
about it (it doesn't have the assetID, because it doesn't have the
inventory).
We have three options here.
(1) We have the region fetch that inventory item from the user's
inventory, and then send it to the viewer; so the region gets a copy of
the item.
(2) We have the region serve merely as front-end of the request, passing
it to the user's inventory server or home region, and have them send the
actual item to the viewer. (my favorite; in this case, Identity and
Authentication would be established by the viewer's EndPoint, again)
(3) We simply don't serve the item.
In any case, the great thing here is that the region doesn't have the
complete listing of the users' inventory items, but the viewer does.
That is, we avoid that dreadful "Loading...". The region may get
requests for fetching items, and those IDs come from the client. So when
the inv server gets a request to fetch an item, we know that with all
likelihood this request came from the legitimate viewer; the odds of the
region guessing a valid itemID are pretty low.
---
I can already hear Melanie saying that any of this is going to break 57
things related to attachments and scripting :-) That's ok. I'm talking
about crossing boundaries of trust for now, so Hypergrid, OSGrid and
others like that. And there's ways of not breaking attachments and
scripts across region boundaries.
My main objective is to defeat what I've put DNCH doing at the moment --
wiping out people's inventories.
Melanie wrote:
> That is what was said. Linden reverted the inventory protocol to UDP
> on their servers because of an issue in the viewer that was so
> fundamental that it was decided to not be worth fixing.
>
> Whether this is true, I don't know. but it was said.
>
> Melanie
>
> Diva Canto wrote:
>
>> Melanie wrote:
>>
>>> Linden turned it off because it's broken in the client. So, we can
>>> try to use it but will hit the same wall, since the client was never
>>> fixed.
>>>
>>>
>>>
>> Melanie: are you 100% sure about this? This, of course, is critical. The
>> whole point of my thinking was to access inventory over the consistent
>> model of CAPs; if that's not working, then everything else is minor.
>>
>> _______________________________________________
>> Opensim-dev mailing list
>> Opensim-dev at lists.berlios.de
>> https://lists.berlios.de/mailman/listinfo/opensim-dev
>>
>>
>>
> _______________________________________________
> Opensim-dev mailing list
> Opensim-dev at lists.berlios.de
> https://lists.berlios.de/mailman/listinfo/opensim-dev
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://opensimulator.org/pipermail/opensim-dev/attachments/20090226/ef655a5d/attachment-0001.html>
More information about the Opensim-dev
mailing list