```

### 2. Create a sample OPA Policy

In another terminal, create a policy that allows root user all access and for all other users denies `PutObject`:

```sh
cat > example.rego <<EOF
package httpapi.authz

import input

default allow = false

# Allow the root user to perform any action.
allow {
 input.owner == true
}

# All other users may do anything other than call PutObject
allow {

	return globalAuthZPlugin
}

func setGlobalAuthNPlugin(authn *idplugin.AuthNPlugin) {
	globalAuthPluginMutex.Lock()
	globalAuthNPlugin = authn
	globalAuthPluginMutex.Unlock()
}

func setGlobalAuthZPlugin(authz *polplugin.AuthZPlugin) {
	globalAuthPluginMutex.Lock()
	globalAuthZPlugin = authz
	globalAuthPluginMutex.Unlock()
}

KEY:
policy_plugin  enable Access Management Plugin for policy enforcement

ARGS:
MINIO_POLICY_PLUGIN_URL*          (url)       plugin hook endpoint (HTTP(S)) e.g. "http://localhost:8181/v1/data/httpapi/authz/allow"
MINIO_POLICY_PLUGIN_AUTH_TOKEN    (string)    authorization header for plugin hook endpoint
MINIO_POLICY_PLUGIN_ENABLE_HTTP2  (bool)      Enable experimental HTTP2 support to connect to plugin service (default: 'off')

		Prefix: r.Form.Get("pattern"),
	})
	if err != nil {
		writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
		return
	}

	// Get the cred and owner for checking authz below.
	cred, owner, s3Err := validateAdminSignature(ctx, r, "")
	if s3Err != ErrNone {
		writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(s3Err), r.URL)
		return
	}

		return ErrSTSAccessDenied
	}
}

func checkAssumeRoleAuth(ctx context.Context, r *http.Request) (auth.Credentials, APIErrorCode) {
	if !isRequestSignatureV4(r) {
		return auth.Credentials{}, ErrAccessDenied
	}

	s3Err := isReqAuthenticated(ctx, r, globalSite.Region(), serviceSTS)
	if s3Err != ErrNone {
		return auth.Credentials{}, s3Err
	}

	user, _, s3Err := getReqAccessKeyV4(r, globalSite.Region(), serviceSTS)

	logger.LogIf(ctx, "admin", err, errKind...)
}

func authNLogIf(ctx context.Context, err error, errKind ...any) {
	logger.LogIf(ctx, "authN", err, errKind...)
}

func authZLogIf(ctx context.Context, err error, errKind ...any) {
	logger.LogIf(ctx, "authZ", err, errKind...)
}

func peersLogIf(ctx context.Context, err error, errKind ...any) {
	if !errors.Is(err, grid.ErrDisconnected) {

		return updatedAt, errServerNotInitialized
	}

	if !auth.IsAccessKeyValid(accessKey) {
		return updatedAt, auth.ErrInvalidAccessKeyLength
	}

	if auth.ContainsReservedChars(accessKey) {
		return updatedAt, auth.ErrContainsReservedChars
	}

	if !auth.IsSecretKeyValid(ureq.SecretKey) {
		return updatedAt, auth.ErrInvalidSecretKeyLength
	}

	case accountName == globalActiveCred.AccessKey || newGlobalAuthZPluginFn() != nil:
		// For owner account and when plugin authZ is configured always set
		// effective policy as `consoleAdmin`.
		//
		// In the latter case, we let the UI render everything, but individual
		// actions would fail if not permitted by the external authZ service.
		for _, policy := range policy.DefaultPolicies {
			if policy.Name == "consoleAdmin" {

        assertNotEquals(auth1, auth4);
        assertNotEquals(auth1, new Object());
    }

    // Test hashCode method
    @Test
    void testHashCode() {
        NtlmPasswordAuthentication auth1 = new NtlmPasswordAuthentication("DOMAIN", "user", "password");
        NtlmPasswordAuthentication auth2 = new NtlmPasswordAuthentication("DOMAIN", "user", "password");
        assertEquals(auth1.hashCode(), auth2.hashCode());

        NtlmPasswordAuthenticator auth1 =
                new NtlmPasswordAuthenticator("DOMAIN", "user", password1, NtlmPasswordAuthenticator.AuthenticationType.USER);

        assertEquals("DOMAIN", auth1.getUserDomain());
        assertEquals("user", auth1.getUsername());
        assertEquals("TypedPass123!", auth1.getPassword());
        assertFalse(auth1.isGuest());
        assertFalse(auth1.isAnonymous());