This PR fixes a security issue where an IAM user based
    on his policy is granted more privileges than restricted
    by the users IAM policy.

    This is due to an issue of prefix based Matcher() function
    which was incorrectly matching prefix based on resource
    prefixes instead of exact match.
```

**NOTE**: When configuring multiple OpenID based authentication providers on a MinIO cluster, any number of Role Policy based providers may be configured, and at most one JWT Claim based provider may be configured.

<details><summary>Example 1: Two role policy providers</summary>

Sample environment variables:

```

```

or

```sh
mc admin config set myminio/ api requests_max=1600
mc admin service restart myminio/
```

> NOTE: A zero value of `requests_max` means MinIO will automatically calculate requests based on available RAM size and that is the default behavior.

### Configuring connection (wait) deadline

  -e "MINIO_ROOT_PASSWORD=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY" \
  quay.io/minio/minio server /data --console-address ":9001"
```

## Run Distributed MinIO on Containers

We recommend kubernetes based deployment for production level deployment <https://github.com/minio/operator>.

See the [Kubernetes documentation](https://min.io/docs/minio/kubernetes/upstream/index.html) for more information.

## MinIO Docker Tips

### Certificate Directory

TLS certificates by default are expected to be stored under ``${HOME}/.minio/certs`` directory. You need to place certificates here to enable `HTTPS` based access. Read more about [How to secure access to MinIO server with TLS](https://min.io/docs/minio/linux/operations/network-encryption.html).

Following is a sample directory structure for MinIO server with TLS certificates.

```sh

| mkdir               | yes       |
| rmdir               | yes       |
| delete              | yes       |
| append              | no        |
| rename              | no        |

MinIO supports following FTP/SFTP based protocols to access and manage data.

- Secure File Transfer Protocol (SFTP) – Defined by the Internet Engineering Task Force (IETF) as an
  extended version of SSH 2.0, allowing file transfer over SSH and for use with Transport Layer

   used instead.

Based on the description mentioned above, a MinIO engineer or security team
member investigates:

- Whether the reported vulnerability exists.
- The conditions that are required such that the vulnerability can be exploited.
- The steps required to fix the vulnerability.

In general, if the vulnerability exists in one of the MinIO code bases

`MINIO_IDENTITY_PLUGIN_ROLE_POLICY` is a required parameter and can be list of comma separated policy names.

On setting up the plugin, the MinIO server prints the Role ARN to its log. The Role ARN is generated by default based on the given plugin URL. To avoid this and use a configurable value set a unique role ID via `MINIO_IDENTITY_PLUGIN_ROLE_ID`.

## REST API call to plugin

The drives should all be of approximately the same size.

A major advantage of certificate-based authentication compared to other STS authentication methods, like OpenID Connect or LDAP/AD, is that client authentication works without any additional/external component that must be constantly available. Therefore, certificate-based authentication may provide better availability / lower operational complexity.