in handling your report.

Please, provide a detailed explanation of the issue. In particular, outline the type of the security
issue (DoS, authentication bypass, information disclose, ...) and the assumptions you're making (e.g. do
you need access credentials for a successful exploit).

	defer uploadsCancel()

	objNamePrefix := pathJoin(speedTest, mustGetUUID())

	userMetadata := make(map[string]string)
	userMetadata[globalObjectPerfUserMetadata] = "true" // Bypass S3 API freeze
	popts := minio.PutObjectOptions{
		UserMetadata:         userMetadata,
		DisableContentSha256: !opts.enableSha256,
		DisableMultipart:     !opts.enableMultipart,
	}

	clnt := globalMinioClient

# - MSYS2 + curl, git, patch, vim, unzip, zip
# - Python 3.9 - 3.13
# - Bazelisk 1.22.1
# - JDK 21 (Azul Zulu)

FROM mcr.microsoft.com/windows/servercore:ltsc2022

SHELL ["powershell.exe", "-ExecutionPolicy", "Bypass", "-Command", \
       "$ErrorActionPreference='Stop'; $ProgressPreference='SilentlyContinue';$VerbosePreference = 'Continue';"]

# Enable long paths

        KerberosKey kdcKey = new KerberosKey(null, keyBytes, PacSignature.HMAC_SHA1_96_AES256, 1);
        keys.put(PacSignature.ETYPE_AES256_CTS_HMAC_SHA1_96, kdcKey);

        // Mock Pac construction to bypass complex validation
        try (MockedConstruction<Pac> pacMock = Mockito.mockConstruction(Pac.class, (mock, context) -> {
            // Setup mock behavior
            PacLogonInfo mockLogonInfo = Mockito.mock(PacLogonInfo.class);

 * authentication context without requiring users to explicitly enter credentials.
 *
 * The authenticator supports various configuration options including delegation,
 * basic authentication fallback, and localhost authentication bypass.
 */
public class SpnegoAuthenticator implements SsoAuthenticator {

    /** Logger for this class. */
    private static final Logger logger = LogManager.getLogger(SpnegoAuthenticator.class);

	globalNetPerfRX              netPerfRX
	globalSiteNetPerfRX          netPerfRX
	globalObjectPerfBucket       = "minio-perf-test-tmp-bucket"
	globalObjectPerfUserMetadata = "X-Amz-Meta-Minio-Object-Perf" // Clients can set this to bypass S3 API service freeze. Used by object pref tests.

	// MinIO version unix timestamp
	globalVersionUnix uint64

	// MinIO client
	globalMinioClient *minio.Client

    /**
     * Reserve an opportunistic lock filter on the open
     */
    public static final int FILE_RESERVE_OPFILTER = 0x100000;
    /**
     * Open a reparse point and bypass normal reparse point processing
     */
    public static final int FILE_OPEN_REPARSE_POINT = 0x200000;
    /**
     * Open does not cause an opportunistic lock break for the file
     */

	os.Setenv("CONSOLE_PBKDF_PASSPHRASE", globalDeploymentID())
	if globalMinioEndpoint != "" {
		os.Setenv("CONSOLE_MINIO_SERVER", globalMinioEndpoint)
	} else {
		// Explicitly set 127.0.0.1 so Console will automatically bypass TLS verification to the local S3 API.
		// This will save users from providing a certificate with IP or FQDN SAN that points to the local host.

	// uncompressed expected content.
	// If content is very large, an alternative to setting Content or File
	// is to set Size, which will then be checked against the header-reported size
	// but will bypass the decompressing of the actual data.
	// This last option is used for testing very large (multi-GB) compressed files.
	ContentErr error
	Content    []byte
	File       string
	Size       uint64
}

  - [Changelog since v1.33.1](#changelog-since-v1331)
  - [Important Security Information](#important-security-information-1)
    - [CVE-2025-4563: Nodes can bypass dynamic resource allocation authorization checks](#cve-2025-4563-nodes-can-bypass-dynamic-resource-allocation-authorization-checks)
  - [Changes by Kind](#changes-by-kind-2)
    - [Feature](#feature-1)
    - [Bug or Regression](#bug-or-regression-2)