return authTypeAnonymous
	}
	return authTypeUnknown
}

func validateAdminSignature(ctx context.Context, r *http.Request, region string) (auth.Credentials, bool, APIErrorCode) {
	var cred auth.Credentials
	var owner bool
	s3Err := ErrAccessDenied
	if _, ok := r.Header[xhttp.AmzContentSha256]; ok &&
		getRequestAuthType(r) == authTypeSigned {

	if !sys.Initialized() {
		return auth.Credentials{}, time.Time{}, errServerNotInitialized
	}

	if parentUser == "" {
		return auth.Credentials{}, time.Time{}, errInvalidArgument
	}

	if len(opts.accessKey) > 0 && len(opts.secretKey) == 0 {
		return auth.Credentials{}, time.Time{}, auth.ErrNoSecretKeyWithAccessKey
	}

	// Get current object layer instance.
	objectAPI := newObjectLayerFn()
	if objectAPI == nil || globalNotificationSys == nil {
		writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrServerNotInitialized), r.URL)
		return nil, auth.Credentials{}
	}

	for _, action := range actions {
		// Validate request signature.

func checkKeyValid(r *http.Request, accessKey string) (auth.Credentials, bool, APIErrorCode) {
	cred := globalActiveCred
	if cred.AccessKey != accessKey {
		if !globalIAMSys.Initialized() {
			// Check if server has initialized, then only proceed
			// to check for IAM users otherwise its okay for clients
			// to retry with 503 errors when server is coming up.
			return auth.Credentials{}, false, ErrServerNotInitialized
		}

const (
	Endpoint   = "endpoint"
	AuthToken  = "auth_token"
	ClientCert = "client_cert"
	ClientKey  = "client_key"
	BatchSize  = "batch_size"
	QueueSize  = "queue_size"
	QueueDir   = "queue_dir"
	Proxy      = "proxy"

	KafkaBrokers       = "brokers"
	KafkaTopic         = "topic"
	KafkaTLS           = "tls"
	KafkaTLSSkipVerify = "tls_skip_verify"
	KafkaTLSClientAuth = "tls_client_auth"
	KafkaSASL          = "sasl"

	KafkaTopic            = "topic"
	KafkaQueueDir         = "queue_dir"
	KafkaQueueLimit       = "queue_limit"
	KafkaTLS              = "tls"
	KafkaTLSSkipVerify    = "tls_skip_verify"
	KafkaTLSClientAuth    = "tls_client_auth"
	KafkaSASL             = "sasl"
	KafkaSASLUsername     = "sasl_username"
	KafkaSASLPassword     = "sasl_password"
	KafkaSASLMechanism    = "sasl_mechanism"
	KafkaClientTLSCert    = "client_tls_cert"

// along with this program.  If not, see <http://www.gnu.org/licenses/>.

package cmd

import (
	"net/http"
	"strings"
	"time"

	"github.com/minio/minio/internal/auth"
	"github.com/minio/minio/internal/logger"
	"github.com/minio/minio/internal/mcontext"
	"github.com/minio/pkg/v2/policy"
	"github.com/prometheus/client_golang/prometheus"
	"github.com/prometheus/common/expfmt"
)

MINIO_IDENTITY_OPENID_KEYCLOAK_ADMIN_URL    (string)    Specify Keycloak 'admin' REST API endpoint e.g. http://localhost:8080/auth/admin/
MINIO_IDENTITY_OPENID_REDIRECT_URI_DYNAMIC  (on|off)    Enable 'Host' header based dynamic redirect URI (default: 'off')

const (
	WebhookEndpoint   = "endpoint"
	WebhookAuthToken  = "auth_token"
	WebhookQueueDir   = "queue_dir"
	WebhookQueueLimit = "queue_limit"
	WebhookClientCert = "client_cert"
	WebhookClientKey  = "client_key"

	EnvWebhookEnable     = "MINIO_NOTIFY_WEBHOOK_ENABLE"
	EnvWebhookEndpoint   = "MINIO_NOTIFY_WEBHOOK_ENDPOINT"
	EnvWebhookAuthToken  = "MINIO_NOTIFY_WEBHOOK_AUTH_TOKEN"
	EnvWebhookQueueDir   = "MINIO_NOTIFY_WEBHOOK_QUEUE_DIR"

	"github.com/minio/minio/internal/grid"
	"github.com/minio/minio/internal/handlers"
	"github.com/minio/minio/internal/kms"
	"go.uber.org/atomic"

	"github.com/dustin/go-humanize"
	"github.com/minio/minio/internal/auth"
	"github.com/minio/minio/internal/config/cache"
	"github.com/minio/minio/internal/config/callhome"
	"github.com/minio/minio/internal/config/compress"
	"github.com/minio/minio/internal/config/dns"