// Status is filled in by the server with the user attributes.
  optional SelfSubjectReviewStatus status = 2;
}

// SelfSubjectReviewStatus is filled by the kube-apiserver and sent back to a user.
message SelfSubjectReviewStatus {
  // User attributes of the user making this request.
  // +optional
  optional k8s.io.api.authentication.v1.UserInfo userInfo = 1;
}

  "full_name": "John Doe",
  "disabled": false
}
```

<img src="/img/tutorial/security/image09.png">

If you open the developer tools, you could see how the data sent only includes the token, the password is only sent in the first request to authenticate the user and get that access token, but not afterwards:

<img src="/img/tutorial/security/image10.png">

/// note

// If any of the supplied actions are allowed it will be successful.
// If nil ObjectLayer is returned, the operation is not permitted.
// When nil ObjectLayer has been returned an error has always been sent to w.
func validateAdminReq(ctx context.Context, w http.ResponseWriter, r *http.Request, actions ...policy.AdminAction) (ObjectLayer, auth.Credentials) {
	// Get current object layer instance.
	objectAPI := newObjectLayerFn()

func (listener *httpListener) start() {
	// Closure to send acceptResult to acceptCh.
	// It returns true if the result is sent else false if returns when doneCh is closed.
	send := func(result acceptResult) bool {
		select {
		case listener.acceptCh <- result:
			// Successfully written to acceptCh
			return true
		case <-listener.ctx.Done():

package cmd

import (
	"sort"
	"time"

	"github.com/minio/madmin-go/v3"
)

// BucketTargetUsageInfo - bucket target usage info provides
// - replicated size for all objects sent to this target
// - replica size for all objects received from this target
// - replication pending size for all objects pending replication to this target
// - replication failed size for all objects failed replication to this target

		"Number of failures in DELETE tagging requests proxied to replication target",
		bucketL)
)

// loadBucketReplicationMetrics - `BucketMetricsLoaderFn` for bucket replication metrics
// such as latency and sent bytes.
func loadBucketReplicationMetrics(ctx context.Context, m MetricValues, c *metricsCache, buckets []string) error {
	if globalSiteReplicationSys.isEnabled() {
		return nil
	}

 * does not participate in any [interceptors][Interceptor] or [event listeners][EventListener]. It
 * doesn't include the motivating request's HTTP headers or even its full URL; only the target
 * server's hostname is sent to the proxy.
 *
 * Prior to sending any CONNECT request OkHttp always calls the proxy authenticator so that it may
 * prepare preemptive authentication. OkHttp will call [authenticate] with a fake `HTTP/1.1 407

    public boolean verifySignature ( byte[] buffer, int i, int size ) {
        // observed too that signatures on error responses are sometimes wrong??
        // Looks like the failure case also is just reflecting back the signature we sent

        // with SMB3's negotiation validation it's no longer possible to ignore this (on the validation response)
        // make sure that validation is performed in any case
        Smb2SigningDigest dgst = getDigest();

	ActualSize int64

	// Checksum values
	ChecksumCRC32  string
	ChecksumCRC32C string
	ChecksumSHA1   string
	ChecksumSHA256 string
}

// CompletePart - represents the part that was completed, this is sent by the client
// during CompleteMultipartUpload request.
type CompletePart struct {
	// Part number identifying the part. This is a positive integer between 1 and
	// 10,000
	PartNumber int

		}
	}

	if metadata == nil {
		metadata = make(map[string]string)
	}

	wantCRC, err := hash.GetContentChecksum(hdr)
	if err != nil {
		return opts, fmt.Errorf("invalid/unknown checksum sent: %v", err)
	}
	etag := strings.TrimSpace(hdr.Get(xhttp.MinIOSourceETag))

	if crypto.S3KMS.IsRequested(hdr) {
		keyID, context, err := crypto.S3KMS.ParseHTTP(hdr)
		if err != nil {
			return ObjectOptions{}, err