restoreExpiry := lifecycle.ExpectedExpiryTime(time.Now().UTC(), rreq.Days)
	metadata := cloneMSS(objInfo.UserDefined)

	// update self with restore metadata
	if rreq.Type != SelectRestoreRequest {
		objInfo.metadataOnly = true // Perform only metadata updates.
		metadata[xhttp.AmzRestoreExpiryDays] = strconv.Itoa(rreq.Days)
		metadata[xhttp.AmzRestoreRequestDate] = time.Now().UTC().Format(http.TimeFormat)

				fmt.Fprint(h, meta.TransitionStatus)
				fmt.Fprint(h, meta.TransitionTier)
				fmt.Fprint(h, meta.TransitionedObjName)
				fmt.Fprint(h, meta.TransitionVersionID)
			}

			// If metadata says encrypted, ask for it in quorum.
			if etyp, ok := crypto.IsEncrypted(meta.Metadata); ok {
				fmt.Fprint(h, etyp)
			}

			// If compressed, look for compressed FileInfo only
			if meta.IsCompressed() {

## Configuring OpenID Identity Provider on MinIO

		IsLatest:     true,
		DeleteMarker: true,
		NumVersions:  4,
	}
	deleteAllILM := `<LifecycleConfiguration>
			    <Rule>
		               <Expiration>
		                  <Days>30</Days>
	                          <ExpiredObjectAllVersions>true</ExpiredObjectAllVersions>
	                       </Expiration>
	                       <Filter></Filter>
	                       <Status>Enabled</Status>

				}
			}
			if p.ClientID == "" {
				return c, config.Errorf("client ID must not be empty")
			}

			// We set the resource ID of the role arn as a hash of client
			// ID, so we can get a short roleARN that stays the same on
			// restart.
			var resourceID string
			{
				h := sha1.New()
				h.Write([]byte(p.ClientID))
				bs := h.Sum(nil)
				resourceID = base64.RawURLEncoding.EncodeToString(bs)
			}

```sh
awscli s3api put-object-lock-configuration --bucket mybucket --object-lock-configuration 'ObjectLockEnabled=\"Enabled\",Rule={DefaultRetention={Mode=\"GOVERNANCE\",Days=1}}'
```

### Set object lock

		formValues.Set("X-Amz-Credential", tt.XAmzCredential)
		if tt.Expired {
			// Expired already.
			pp.SetExpires(UTCNow().AddDate(0, 0, -10))
		} else {
			// Expires in 10 days.
			pp.SetExpires(UTCNow().AddDate(0, 0, 10))
		}

		formValues.Set("Policy", base64.StdEncoding.EncodeToString([]byte(pp.String())))
		formValues.Set("Success_action_status", tt.SuccessActionStatus)

	conditions["object-lock-mode"] = []string{string(retMode)}
	conditions["object-lock-retain-until-date"] = []string{retDate.UTC().Format(time.RFC3339)}
	if retDays > 0 {
		conditions["object-lock-remaining-retention-days"] = []string{strconv.Itoa(retDays)}
	}
	if retMode == objectlock.RetGovernance && byPassSet {
		byPassSet = globalIAMSys.IsAllowed(policy.Args{
			AccountName:     cred.AccessKey,
			Groups:          cred.Groups,

	if etcdClient == nil {
		sys.store = &IAMStoreSys{newIAMObjectStore(objAPI, sys.usersSysType)}
	} else {
		sys.store = &IAMStoreSys{newIAMEtcdStore(etcdClient, sys.usersSysType)}
	}
}

// Initialized checks if IAM is initialized
func (sys *IAMSys) Initialized() bool {
	if sys == nil {
		return false
	}
	sys.Lock()
	defer sys.Unlock()
	return sys.store != nil
}

				// Number of probes.
				// ~ cat /proc/sys/net/ipv4/tcp_keepalive_probes (defaults to 9, we reduce it to 5)
				_ = syscall.SetsockoptInt(fd, syscall.IPPROTO_TCP, syscall.TCP_KEEPCNT, 5)

				// Wait time after successful probe in seconds.
				// ~ cat /proc/sys/net/ipv4/tcp_keepalive_intvl (defaults to 75 secs, we reduce it to 15 secs)