{Bucket: "testbucket", Key: "user/user1/filename/${filename}/myfile.txt", XAmzMetaUUID: "14365123651274", SuccessActionStatus: "201", XAmzCredential: "KVGKMDUQ23TCZXTLTHLP/20160727/us-east-1/s3/aws4_request", XAmzDate: "20160727T000000Z", XAmzAlgorithm: "AWS4-HMAC-SHA256", ContentType: "image/jpeg", expectedErr: nil},
		// Expired policy document

    rm -f $MINIO_ACCESSKEY_SECRETKEY_TMP
    return 1
  fi
  USER=$(head -1 $MINIO_ACCESSKEY_SECRETKEY_TMP)
  # Create the user if it does not exist
  if ! checkUserExists ; then
    echo "Creating user '$USER'"
    cat $MINIO_ACCESSKEY_SECRETKEY_TMP | ${MC} admin user add myminio
  else
    echo "User '$USER' already exists."
  fi
  #clean up credentials files.
  rm -f $MINIO_ACCESSKEY_SECRETKEY_TMP

```

Create a new admin user `admin1` on MinIO use `mc admin user`.

```
mc admin user add myminio admin1 admin123
```

Once the user is successfully created you can now apply the `userManage` policy for this user.

```
mc admin policy attach myminio userManager --user=admin1
```

This admin user will then be allowed to perform create/delete user operations via `mc admin user`

### Using MinIO Console

- Open MinIO URL on the browser, lets say <http://localhost:9000/>
- Click on `Login with SSO`
- User will be redirected to the Keycloak user login page, upon successful login the user will be redirected to MinIO page and logged in automatically,
  the user should see now the buckets and objects they have access to.

## Explore Further

### 2. Create a sample OPA Policy

In another terminal, create a policy that allows root user all access and for all other users denies `PutObject`:

```sh
cat > example.rego <<EOF
package httpapi.authz

import input

default allow = false

# Allow the root user to perform any action.
allow {
 input.owner == true
}

# All other users may do anything other than call PutObject
allow {
 input.action != "s3:PutObject"

```sh
go run access-manager-plugin.go
```

This program, lets the admin user perform any action and prevents all other users from performing `s3:Put*` operations.

In another terminal start MinIO:

```sh
export MINIO_CI_CD=1
export MINIO_ROOT_USER=minio
export MINIO_ROOT_PASSWORD=minio123
export MINIO_POLICY_PLUGIN_URL=http://localhost:8080/
minio server /tmp/disk{1...4}
```

	ClaimsSupported                  []string `json:"claims_supported,omitempty"`
	CodeChallengeMethodsSupported    []string `json:"code_challenge_methods_supported,omitempty"`
}

// User represents information about user.
type User struct {
	Name    string `json:"username"`
	ID      string `json:"id"`
	Enabled bool   `json:"enabled"`
}

// Standard errors.
var (

    name: Example

# Let dex keep a list of passwords which can be used to login to dex.
enablePasswordDB: true

# A static list of passwords to login the end user. By identifying here, dex
# won't look in its underlying storage for passwords.
#
# If this option isn't chosen users may be added through the gRPC API.
staticPasswords:
  - email: "******@****.***"
    # bcrypt hash of the string "password"

#   git log --format='%aE - %aN' | sort -uf
#
# For explanation on this file format: man git-shortlog

Anand Babu (AB) Periasamy <******@****.***> Anand Babu (AB) Periasamy <abperiasamy@users.noreply.github.com>
Anand Babu (AB) Periasamy <******@****.***> <******@****.***>
Anis Elleuch <******@****.***>
Frederick F. Kautz IV <******@****.***> <******@****.***>

	}
	versionID = fi.VersionID
	if versionID == "" {
		versionID = nullVersionID
	}
	fi.Data = inData.find(versionID)
	if len(fi.Data) == 0 {
		// PR #11758 used DataDir, preserve it
		// for users who might have used master
		// branch
		fi.Data = inData.find(fi.DataDir)
	}
	return fi, nil
}

// hashDeterministicString will return a deterministic hash for the map values.