The one thing we need to keep in mind when thinking about adding auth/permissions etc on these asset interfaces. It that more and more of the Asset and inventory things are moving to CAPS, I'm not actually sure, if in the last few versions, the SL has started to use CAPS for texture downloads (it didn't about a month or two ago). But it certainly (can) use CAPS for texture uploads and other asset uploads/changes. <br><br>We do in opensim, actually use CAPS for some of these things; like texture uploads. Its just our caps handlers are stuck on the region server which then forwards the requests onto the asset server. So we don't really get the benefit of what CAPS is meant to bring. We need, in the future is to move those CAPS handlers, for those services, onto the backend servers. So the servers (or some proxy) deal directly with the client requests. (and I'm not saying we should do it now, think we need to get the base asset system working correctly first)<br><br>But
what I'm trying to say is any auth we add on the current "Region fetches assets and sends back to the client" system, may not be relevant to the direct client- server CAPS system. <br><br><b><i>Sean Dague <sean@dague.net></i></b> wrote:<blockquote class="replbq" style="border-left: 2px solid rgb(16, 16, 255); margin-left: 5px; padding-left: 5px;"> I wanted to kick off some scribling about the specifics of the REST<br>interface for the asset server, to get as many eyes looking at this as<br>possible.<br><br>In the early stack today we have:<br><br>GET /assets/UUID - returns that asset<br>POST /assets - pushes an asset, UUID taken from XML<br><br>I think that we should move to a url interface more like:<br><br>GET /assets/by-uuid/UUID<br>DELETE /assets/by-uuid/UUID<br>POST /assets/by-uuid/UUID - this is an update call<br>PUT /assets/new - asset server creates new UUID, returns<br> object in the response stream to get <br>
asset server allocated UUID<br><br><br>The next thing that I think we need to figure out is some level of auth<br>on the /assets/. Today, anyone can do anything, obviously wrong.<br>However, what is the right answer here?<br><br>Should we have trusted regions? Should the asset server ask the grid<br>server about a region on each request? Should we move permission bits<br>into assets, and should those be user or region based?<br><br>Comments encouraged.<br><br> -Sean<br><br>-- <br>__________________________________________________________________<br><br>Sean Dague Mid-Hudson Valley<br>sean at dague dot net Linux Users Group<br>http://dague.net http://mhvlug.org<br><br>There is no silver bullet. Plus, werewolves make better neighbors<br>than zombies, and they tend to keep the vampire population
down.<br>__________________________________________________________________<br>_______________________________________________<br>Opensim-dev mailing list<br>Opensim-dev@lists.berlios.de<br>https://lists.berlios.de/mailman/listinfo/opensim-dev<br></blockquote><br><p>
<hr size=1>
Yahoo! Answers - Get better answers from someone who knows. <a
href="http://uk.answers.yahoo.com/;_ylc=X3oDMTEydmViNG02BF9TAzIxMTQ3MTcxOTAEc2VjA21haWwEc2xrA3RhZ2xpbmU">Try
it now</a>.