因此，在端点中，只有当用户存在、通过身份验证、且状态为激活时，才能获得该用户：

```Python hl_lines="58-67  69-72  90"
{!../../../docs_src/security/tutorial003.py!}
```

!!! info "说明"

    此处返回值为 `Bearer` 的响应头 `WWW-Authenticate` 也是规范的一部分。

    任何 401**UNAUTHORIZED**HTTP（错误）状态码都应返回 `WWW-Authenticate` 响应头。

    本例中，因为使用的是 Bearer Token，该响应头的值应为 `Bearer`。

    实际上，忽略这个附加响应头，也不会有什么问题。

    之所以在此提供这个附加响应头，是为了符合规范的要求。

    说不定什么时候，就有工具用得上它，而且，开发者或用户也可能用得上。

    {!> ../../../docs_src/security/tutorial003.py!}
    ```

!!! info
    Der zusätzliche Header `WWW-Authenticate` mit dem Wert `Bearer`, den wir hier zurückgeben, ist ebenfalls Teil der Spezifikation.

    Jeder HTTP-(Fehler-)Statuscode 401 „UNAUTHORIZED“ soll auch einen `WWW-Authenticate`-Header zurückgeben.

    Im Fall von Bearer-Tokens (in unserem Fall) sollte der Wert dieses Headers `Bearer` lauten.

    ```Python hl_lines="55-64  67-70  88"
    {!> ../../../docs_src/security/tutorial003_py310.py!}
    ```

!!! info
    🌖 🎚 `WWW-Authenticate` ⏮️ 💲 `Bearer` 👥 🛬 📥 🍕 🔌.

    🙆 🇺🇸🔍 (❌) 👔 📟 4️⃣0️⃣1️⃣ "⛔" 🤔 📨 `WWW-Authenticate` 🎚.

    💼 📨 🤝 (👆 💼), 💲 👈 🎚 🔜 `Bearer`.

    👆 💪 🤙 🚶 👈 ➕ 🎚 & ⚫️ 🔜 👷.

    ✋️ ⚫️ 🚚 📥 🛠️ ⏮️ 🔧.

			return
		}

		cred := auth.Credentials{
			AccessKey: claims.AccessKey,
			Claims:    claims.Map(),
			Groups:    groups,
		}

		// For authenticated users apply IAM policy.
		if !globalIAMSys.IsAllowed(policy.Args{
			AccountName:     cred.AccessKey,
			Groups:          cred.Groups,
			Action:          policy.PrometheusAdminAction,

  // subjects is the list of normal user, serviceaccount, or group that this rule cares about.
  // There must be at least one member in this slice.
  // A slice that includes both the system:authenticated and system:unauthenticated user groups matches every request.
  // +listType=atomic
  // Required.
  repeated Subject subjects = 1;

  // subjects is the list of normal user, serviceaccount, or group that this rule cares about.
  // There must be at least one member in this slice.
  // A slice that includes both the system:authenticated and system:unauthenticated user groups matches every request.
  // +listType=atomic
  // Required.
  repeated Subject subjects = 1;

  // subjects is the list of normal user, serviceaccount, or group that this rule cares about.
  // There must be at least one member in this slice.
  // A slice that includes both the system:authenticated and system:unauthenticated user groups matches every request.
  // +listType=atomic
  // Required.
  repeated Subject subjects = 1;

  // subjects is the list of normal user, serviceaccount, or group that this rule cares about.
  // There must be at least one member in this slice.
  // A slice that includes both the system:authenticated and system:unauthenticated user groups matches every request.
  // +listType=atomic
  // Required.
  repeated Subject subjects = 1;

	// Before Istio would update the pod manifest to rewrite healthchecks to go to sidecar Envoy port 15021,
	// so that it could distinguish things that can be unauthenticated (healthchecks) from other kinds of node traffic
	// (e.g. LoadBalanced Service packets, etc) that need to be authenticated/captured/proxied.
	//
	// We want to do the same thing in ambient but can't rely on podSpec injection. So, do effectively the same thing,

	writeSuccessResponseXML(w, encodedSuccessResponse)
}

// ListBucketsHandler - GET Service.
// -----------
// This implementation of the GET operation returns a list of all buckets
// owned by the authenticated sender of the request.
func (api objectAPIHandlers) ListBucketsHandler(w http.ResponseWriter, r *http.Request) {
	ctx := newContext(r, w, "ListBuckets")

	defer logger.AuditLog(ctx, w, r, mustGetClaimsFromToken(r))