[Opensim-dev] Authentication, take 2: Capabilities

Stefan Andersson stefan at tribalmedia.se
Fri Feb 27 13:33:11 UTC 2009 

Diva,

 

I was thinking the same thing, at some point we might see other protocols use CAPS-like interactions, because they are actually quite nifty and lightweight. (Yes, I have the way it's implemented in this particular case, and CAPS is not the answer to everyting, but it's not all bad)

 

But for now, let's stow it away into the LL stack - BUT this kind of puts the search light on another thing that was debated a couple of months ago, namely how LL-oriented our UGAIM are. Basically, I believe we should start looking at how to create an "LLServerStack".

 

Darren et als work with the "relocatable global modules" kind of opens up the door for this - maybe the CAPS thing could be a first proof-of-concept for this architecture?


(I guess I'm thinking of a general CAPS module that could basically help modules and clientstacks (which in themselves seem to become part of modules) hook onto any established http server, probably by wrapping them into streamhandlers)

Best regards,
Stefan Andersson
Tribal Media AB



 


Date: Thu, 26 Feb 2009 21:11:21 -0800
From: diva at metaverseink.com
To: opensim-dev at lists.berlios.de
Subject: Re: [Opensim-dev] Authentication, take 2: Capabilities

I actually didn't explain Capabilities exactly as they can be used in the extreme. You will see that this can be used also when you have the inventory server behind closed doors.

A capability URL doesn't need to be a direct web service. It can be an indirect pointer. So you have the public URL that you give out to the client, and when that is invoked it finds a capability mapping service that finally invokes the capability function provider.

I don't think I want to do this right now. So yes, all those URLs should be configurable.

The bigger issue I'm debating is how all this should look like in the code. We all know we don't know where to put CAPs :-) I'm hoping this will finally give it a natural place to be, but I need to think a lot more. One thing's for sure: CAPs is an LL Viewer thing and as such it should be under LLxxx. It's very unlikely that other viewers will use capabilities. (although the more I think about it, the more similarities I see with OpenID Tokens...)


Melanie wrote: 
Well, if FetchInventoryDescendents works better over CAPS, then we 
can try using that. Now, that would serve another purpose beyond 
your intended trust issue:

Currently, inventory is fetched by the region en-bloc, rather than 
being fetched only on demand. There isn't even a function to fetch a 
single item by UUID.

Now, here is what I found:

- If an item is given to a user while that user is offline, the user 
needs to clear cache to see it
- If an item is given to a user while that user is in another 
region, the item will not show until a relog & cache clear

You just supplied a very important bit of information, namely that 
the viewer sends SendInventoryDescendents over UDP only after a 
cache clear, but over CAPS it's sent all the time.

So, CAPS would seem to be the solution to this issue.

Now, here it goes, again:

There are grids that are set up to have an inventory server that is 
inaccessible to the viewer. So, while I'm, of course, not opposed to 
your approach of lettign the viewer talk to the inventory server, 
that needs to be optional. The inventory server is not secure enough 
to be open to the internet! Not for the fledgling commercial 
offerings like LCO.

Also, this highlights a new, additional reason to have a function 
like "get item by uuid" on the inventory server interface. On 
cross-region gives, the region of the receiving agent receives a 
message (via IM) containing the item ID. In order to send the bulk 
update message that is needed to make the viewer actually see the 
item, it needs to first fetch it. This is not an issue if giver and 
receiver are in one region, because the item is already in the 
region's inventory cache, but if it;s a different region, it doesn't 
have that item and currently has no way to request it, short of 
reloading that user's complete inventory!

So, maybe, as a side effect, this problem can be solved, since such 
a "fetch item to region by UUID" function will be needed for that 
scenario, too.

For open grid offerings, I see some added security against regions 
corrupting user inventories, for all grids, I see some advantage in 
memory consumption, because the full inventory fetch on region entry 
is removed by it, and also maybe a chance to make cross-region item 
giving work.

The only thing I'm asking is, please make the ex-region CAPS giving 
for this optional, e.g. provide a region implementation to proxy it 
and allow selection of either a region caps (for trusted regions and 
closed grids) and inventory server CAPS (for open grids that have 
accessible inventory servers).

Melanie


Diva Canto wrote:
  
After more poking at the viewer, here's what I found.

FetchInventoryDescendents seems to be working consistently over CAPs, in 
fact better than over UDP. When the agent logs in, the client always 
invokes that CAP, unlike the message over UDP which only seems to come 
after a clear cache. That first FetchInventoryDescendents request is for 
getting the 1st-level items just below the Root folder. Whenever you 
unfold folders, this CAP is invoked too, and that happens all the time. 
In other words, the inventory skeleton is passed in a lazy mode to the 
client, and directly from wherever this Capability is being served. Why 
is this commented in the code?

Observation #1: we could make the provider of this CAP be the inventory 
service, instead of the region. That way, the user can *browse* the 
contents of her inventory *safely everywhere* -- even if the region 
where she is doesn't have her inventory.

Unfortunately, the goodies sort of stop here. I tried coercing the 
viewer to use FetchInventory, CreateInventoryItem, 
CreateInventoryFolder, and other inventory manipulation operations, over 
CAPs, but the viewer doesn't seem to want to do that. The only ones that 
are over CAPs are the ones we already have related to notecards and 
scripts. Those can also be split eventually, some of them should go to 
the inv server directly, namely: NewFileAgentInventory, 
UpdateNotecardAgentInventory, UpdateScriptAgentInventory. There's really 
no need to let the regions serve these.

However, even though inventory access doesn't seem to be entirely over 
CAPs, not all is lost. What this means is that we can stop regions (the 
untrusted ones, at least) from getting the user's inventory in its 
entirety while the user still *sees* it. The next problem is *access*. 
That is, I can see I have a shape in there, but as soon as I try to wear 
it, that fails, because the region where I am doesn't known anything 
about it (it doesn't have the assetID, because it doesn't have the 
inventory).

We have three options here.

(1) We have the region fetch that inventory item from the user's 
inventory, and then send it to the viewer; so the region gets a copy of 
the item.
(2) We have the region serve merely as front-end of the request, passing 
it to the user's inventory server or home region, and have them send the 
actual item to the viewer. (my favorite; in this case, Identity and 
Authentication would be established by the viewer's EndPoint, again)
(3) We simply don't serve the item.

In any case, the great thing here is that the region doesn't have the 
complete listing of the users' inventory items, but the viewer does. 
That is, we avoid that dreadful "Loading...". The region may get 
requests for fetching items, and those IDs come from the client. So when 
the inv server gets a request to fetch an item, we know that with all 
likelihood this request came from the legitimate viewer; the odds of the 
region guessing a valid itemID are pretty low.

---

I can already hear Melanie saying that any of this is going to break 57 
things related to attachments and scripting :-) That's ok. I'm talking 
about crossing boundaries of trust for now, so Hypergrid, OSGrid and 
others like that. And there's ways of not breaking attachments and 
scripts across region boundaries.

My main objective is to defeat what I've put DNCH doing at the moment -- 
wiping out people's inventories.

Melanie wrote:
    
That is what was said. Linden reverted the inventory protocol to UDP 
  on their servers because of an issue in the viewer that was so 
fundamental that it was decided to not be worth fixing.

Whether this is true, I don't know. but it was said.

Melanie

Diva Canto wrote:
  
      
Melanie wrote:
    
        
Linden turned it off because it's broken in the client. So, we can 
try to use it but will hit the same wall, since the client was never 
fixed.

  
      
          Melanie: are you 100% sure about this? This, of course, is critical. The 
whole point of my thinking was to access inventory over the consistent 
model of CAPs; if that's not working, then everything else is minor.

_______________________________________________
Opensim-dev mailing list
Opensim-dev at lists.berlios.de
https://lists.berlios.de/mailman/listinfo/opensim-dev


    
        _______________________________________________
Opensim-dev mailing list
Opensim-dev at lists.berlios.de
https://lists.berlios.de/mailman/listinfo/opensim-dev

  
      

------------------------------------------------------------------------

_______________________________________________
Opensim-dev mailing list
Opensim-dev at lists.berlios.de
https://lists.berlios.de/mailman/listinfo/opensim-dev
    _______________________________________________
Opensim-dev mailing list
Opensim-dev at lists.berlios.de
https://lists.berlios.de/mailman/listinfo/opensim-dev

  
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://opensimulator.org/pipermail/opensim-dev/attachments/20090227/f3a69ca7/attachment-0001.html>

More information about the Opensim-dev mailing list