{"level":"info","ts":"2026-06-12T20:48:49Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/a89b0896df0d8cd430f1c81b6eb292ddc044daed393537d009a6330718f58d4b"} {"level":"debug","ts":"2026-06-12T20:48:49Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/7371c34ce8e4df2309ee8f952c87f921947b289427b6e9ea579dcb9970fc1b86","issuerUrl":"https://keycloak.apps.c716503f-1e80-42d2-bcb7-d9acd9a18a02.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-12T20:48:49Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"35d34d59676c333235d7c9f02273e0380bb39f27cfd30856fedc0f7c0e5f79aa","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-12T20:48:49Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/7371c34ce8e4df2309ee8f952c87f921947b289427b6e9ea579dcb9970fc1b86"} {"level":"debug","ts":"2026-06-12T20:48:49Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/3dc75fc8307b952a3e873400cf417e90f2861e8a225abec4b22708deb7901db7","issuerUrl":"https://keycloak.apps.c716503f-1e80-42d2-bcb7-d9acd9a18a02.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-12T20:48:49Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-12T20:48:49Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/3dc75fc8307b952a3e873400cf417e90f2861e8a225abec4b22708deb7901db7"} {"level":"debug","ts":"2026-06-12T20:48:49Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/01918e70442d2cb18c94316131b0e0a241b4a5d12df5b1e1981a3bef420bbdb5","issuerUrl":"https://keycloak.apps.c716503f-1e80-42d2-bcb7-d9acd9a18a02.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-12T20:48:49Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"edcceb5a2e0cf1edde0fc3ed43068ce5b123a6fdc41949959c2c3b7a5a48bf24","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-12T20:48:49Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/01918e70442d2cb18c94316131b0e0a241b4a5d12df5b1e1981a3bef420bbdb5"} {"level":"debug","ts":"2026-06-12T20:48:49Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/35d34d59676c333235d7c9f02273e0380bb39f27cfd30856fedc0f7c0e5f79aa","issuerUrl":"https://keycloak.apps.c716503f-1e80-42d2-bcb7-d9acd9a18a02.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-12T20:48:49Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/35d34d59676c333235d7c9f02273e0380bb39f27cfd30856fedc0f7c0e5f79aa"} {"level":"debug","ts":"2026-06-12T20:48:49Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d","issuerUrl":"https://keycloak.apps.c716503f-1e80-42d2-bcb7-d9acd9a18a02.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-12T20:48:49Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"} {"level":"debug","ts":"2026-06-12T20:48:49Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/edcceb5a2e0cf1edde0fc3ed43068ce5b123a6fdc41949959c2c3b7a5a48bf24","issuerUrl":"https://keycloak.apps.c716503f-1e80-42d2-bcb7-d9acd9a18a02.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-12T20:48:49Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/edcceb5a2e0cf1edde0fc3ed43068ce5b123a6fdc41949959c2c3b7a5a48bf24"} {"level":"debug","ts":"2026-06-12T20:48:49Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"319a353672fc7601c875fa3f8b807adf60b64f093f022b2a1c3dfef3ac8cd4f4","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"False","lastTransitionTime":"2026-06-12T20:48:49Z","reason":"HostsNotLinked","message":"No hosts linked to the resource"},{"type":"Ready","status":"False","lastTransitionTime":"2026-06-12T20:48:49Z","reason":"Reconciling"}],"summary":{"ready":false,"hostsReady":[],"numHostsReady":"0/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":8,"festivalWristbandEnabled":false}}} {"level":"debug","ts":"2026-06-12T20:48:49Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/319a353672fc7601c875fa3f8b807adf60b64f093f022b2a1c3dfef3ac8cd4f4","issuerUrl":"https://keycloak.apps.c716503f-1e80-42d2-bcb7-d9acd9a18a02.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-12T20:48:49Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"319a353672fc7601c875fa3f8b807adf60b64f093f022b2a1c3dfef3ac8cd4f4","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-12T20:48:49Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"319a353672fc7601c875fa3f8b807adf60b64f093f022b2a1c3dfef3ac8cd4f4","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-12T20:48:49Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"18e32965997cdd9967355c6fa5264ed12c0a215989d459ed88d7d6de02865f76","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-12T20:48:49Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"319a353672fc7601c875fa3f8b807adf60b64f093f022b2a1c3dfef3ac8cd4f4","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-12T20:48:49Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/319a353672fc7601c875fa3f8b807adf60b64f093f022b2a1c3dfef3ac8cd4f4"} {"level":"debug","ts":"2026-06-12T20:48:49Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/18e32965997cdd9967355c6fa5264ed12c0a215989d459ed88d7d6de02865f76","issuerUrl":"https://keycloak.apps.c716503f-1e80-42d2-bcb7-d9acd9a18a02.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-12T20:48:49Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/18e32965997cdd9967355c6fa5264ed12c0a215989d459ed88d7d6de02865f76"} {"level":"debug","ts":"2026-06-12T20:48:49Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"319a353672fc7601c875fa3f8b807adf60b64f093f022b2a1c3dfef3ac8cd4f4","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-12T20:48:49Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/319a353672fc7601c875fa3f8b807adf60b64f093f022b2a1c3dfef3ac8cd4f4","issuerUrl":"https://keycloak.apps.c716503f-1e80-42d2-bcb7-d9acd9a18a02.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-12T20:48:49Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/319a353672fc7601c875fa3f8b807adf60b64f093f022b2a1c3dfef3ac8cd4f4"} {"level":"debug","ts":"2026-06-12T20:48:49Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"319a353672fc7601c875fa3f8b807adf60b64f093f022b2a1c3dfef3ac8cd4f4","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"True","lastTransitionTime":"2026-06-12T20:48:49Z","reason":"HostsLinked"},{"type":"Ready","status":"True","lastTransitionTime":"2026-06-12T20:48:49Z","reason":"Reconciled"}],"summary":{"ready":true,"hostsReady":["319a353672fc7601c875fa3f8b807adf60b64f093f022b2a1c3dfef3ac8cd4f4"],"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":8,"festivalWristbandEnabled":false}}} {"level":"info","ts":"2026-06-12T20:48:49Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"319a353672fc7601c875fa3f8b807adf60b64f093f022b2a1c3dfef3ac8cd4f4","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-12T20:48:49Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"86cbb62fb4d82d4dc402b3281444539a5625c4bb4c86bbc4912c70e690a2e374","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"False","lastTransitionTime":"2026-06-12T20:48:49Z","reason":"HostsNotLinked","message":"No hosts linked to the resource"},{"type":"Ready","status":"False","lastTransitionTime":"2026-06-12T20:48:49Z","reason":"Reconciling"}],"summary":{"ready":false,"hostsReady":[],"numHostsReady":"0/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":8,"festivalWristbandEnabled":false}}} {"level":"debug","ts":"2026-06-12T20:48:49Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/86cbb62fb4d82d4dc402b3281444539a5625c4bb4c86bbc4912c70e690a2e374","issuerUrl":"https://keycloak.apps.c716503f-1e80-42d2-bcb7-d9acd9a18a02.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-12T20:48:49Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"86cbb62fb4d82d4dc402b3281444539a5625c4bb4c86bbc4912c70e690a2e374","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-12T20:48:49Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"319a353672fc7601c875fa3f8b807adf60b64f093f022b2a1c3dfef3ac8cd4f4","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-12T20:48:49Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"86cbb62fb4d82d4dc402b3281444539a5625c4bb4c86bbc4912c70e690a2e374","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-12T20:48:49Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/86cbb62fb4d82d4dc402b3281444539a5625c4bb4c86bbc4912c70e690a2e374"} {"level":"debug","ts":"2026-06-12T20:48:49Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"311b1be286674fd5684c9ac59b318287dade9769cfe4aeebd8c88e2dc6b72418","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-12T20:48:49Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"86cbb62fb4d82d4dc402b3281444539a5625c4bb4c86bbc4912c70e690a2e374","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"True","lastTransitionTime":"2026-06-12T20:48:49Z","reason":"HostsLinked"},{"type":"Ready","status":"True","lastTransitionTime":"2026-06-12T20:48:49Z","reason":"Reconciled"}],"summary":{"ready":true,"hostsReady":["86cbb62fb4d82d4dc402b3281444539a5625c4bb4c86bbc4912c70e690a2e374"],"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":8,"festivalWristbandEnabled":false}}} {"level":"debug","ts":"2026-06-12T20:48:49Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/319a353672fc7601c875fa3f8b807adf60b64f093f022b2a1c3dfef3ac8cd4f4","issuerUrl":"https://keycloak.apps.c716503f-1e80-42d2-bcb7-d9acd9a18a02.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-12T20:48:49Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/319a353672fc7601c875fa3f8b807adf60b64f093f022b2a1c3dfef3ac8cd4f4"} {"level":"info","ts":"2026-06-12T20:48:49Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"86cbb62fb4d82d4dc402b3281444539a5625c4bb4c86bbc4912c70e690a2e374","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-12T20:48:49Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"86cbb62fb4d82d4dc402b3281444539a5625c4bb4c86bbc4912c70e690a2e374","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"False","lastTransitionTime":"2026-06-12T20:48:49Z","reason":"HostsNotLinked","message":"No hosts linked to the resource"},{"type":"Ready","status":"False","lastTransitionTime":"2026-06-12T20:48:49Z","reason":"Reconciling"}],"summary":{"ready":false,"hostsReady":[],"numHostsReady":"0/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":8,"festivalWristbandEnabled":false}}} {"level":"debug","ts":"2026-06-12T20:48:49Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/86cbb62fb4d82d4dc402b3281444539a5625c4bb4c86bbc4912c70e690a2e374","issuerUrl":"https://keycloak.apps.c716503f-1e80-42d2-bcb7-d9acd9a18a02.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-12T20:48:49Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/86cbb62fb4d82d4dc402b3281444539a5625c4bb4c86bbc4912c70e690a2e374"} {"level":"info","ts":"2026-06-12T20:48:49Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"86cbb62fb4d82d4dc402b3281444539a5625c4bb4c86bbc4912c70e690a2e374","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-12T20:48:49Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"df733b2c652bfe2458c9e19932b1091e939c1a62178d6879462b3b4f73fca4bb","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-12T20:48:49Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"86cbb62fb4d82d4dc402b3281444539a5625c4bb4c86bbc4912c70e690a2e374","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"True","lastTransitionTime":"2026-06-12T20:48:49Z","reason":"HostsLinked"},{"type":"Ready","status":"True","lastTransitionTime":"2026-06-12T20:48:49Z","reason":"Reconciled"}],"summary":{"ready":true,"hostsReady":["86cbb62fb4d82d4dc402b3281444539a5625c4bb4c86bbc4912c70e690a2e374"],"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":8,"festivalWristbandEnabled":false}}} {"level":"debug","ts":"2026-06-12T20:48:49Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/311b1be286674fd5684c9ac59b318287dade9769cfe4aeebd8c88e2dc6b72418","issuerUrl":"https://keycloak.apps.c716503f-1e80-42d2-bcb7-d9acd9a18a02.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-12T20:48:49Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"86cbb62fb4d82d4dc402b3281444539a5625c4bb4c86bbc4912c70e690a2e374","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-12T20:48:49Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"d3b195a61a7f24c6bf1fba40f9f2e2565facb6af92e959c1546ac398a9172618","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-12T20:48:49Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"86cbb62fb4d82d4dc402b3281444539a5625c4bb4c86bbc4912c70e690a2e374","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"True","lastTransitionTime":"2026-06-12T20:48:49Z","reason":"HostsLinked"},{"type":"Ready","status":"True","lastTransitionTime":"2026-06-12T20:48:49Z","reason":"Reconciled"}],"summary":{"ready":true,"hostsReady":["86cbb62fb4d82d4dc402b3281444539a5625c4bb4c86bbc4912c70e690a2e374"],"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":8,"festivalWristbandEnabled":false}}} {"level":"info","ts":"2026-06-12T20:48:49Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/311b1be286674fd5684c9ac59b318287dade9769cfe4aeebd8c88e2dc6b72418"} {"level":"debug","ts":"2026-06-12T20:48:49Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/df733b2c652bfe2458c9e19932b1091e939c1a62178d6879462b3b4f73fca4bb","issuerUrl":"https://keycloak.apps.c716503f-1e80-42d2-bcb7-d9acd9a18a02.prod.konfluxeaas.com/realms/tenant-a"} {"level":"error","ts":"2026-06-12T20:48:49Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"failed to update the resource","authconfig":{"name":"86cbb62fb4d82d4dc402b3281444539a5625c4bb4c86bbc4912c70e690a2e374","namespace":"kuadrant-system"},"error":"Operation cannot be fulfilled on authconfigs.authorino.kuadrant.io \"86cbb62fb4d82d4dc402b3281444539a5625c4bb4c86bbc4912c70e690a2e374\": the object has been modified; please apply your changes to the latest version and try again","stacktrace":"github.com/kuadrant/authorino/controllers.(*AuthConfigStatusUpdater).updateAuthConfigStatus\n\t/usr/src/authorino/controllers/auth_config_status_updater.go:162\ngithub.com/kuadrant/authorino/controllers.(*AuthConfigStatusUpdater).Reconcile\n\t/usr/src/authorino/controllers/auth_config_status_updater.go:81\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Reconcile\n\t/opt/app-root/src/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.16.3/pkg/internal/controller/controller.go:119\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).reconcileHandler\n\t/opt/app-root/src/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.16.3/pkg/internal/controller/controller.go:316\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem\n\t/opt/app-root/src/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.16.3/pkg/internal/controller/controller.go:266\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func2.2\n\t/opt/app-root/src/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.16.3/pkg/internal/controller/controller.go:227"} {"level":"debug","ts":"2026-06-12T20:48:49Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"86cbb62fb4d82d4dc402b3281444539a5625c4bb4c86bbc4912c70e690a2e374","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-12T20:48:49Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"e38d76c6f386f12bc12190c87b39e6e77e182be454f85659a9197c301f2cd9be","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-12T20:48:49Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"86cbb62fb4d82d4dc402b3281444539a5625c4bb4c86bbc4912c70e690a2e374","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-12T20:48:49Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/df733b2c652bfe2458c9e19932b1091e939c1a62178d6879462b3b4f73fca4bb"} {"level":"debug","ts":"2026-06-12T20:48:49Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/86cbb62fb4d82d4dc402b3281444539a5625c4bb4c86bbc4912c70e690a2e374","issuerUrl":"https://keycloak.apps.c716503f-1e80-42d2-bcb7-d9acd9a18a02.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-12T20:48:49Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"b1f82c4ba6cc7617f9c0b90067f72f4a25fdc5de2564c14ccb90af534a2905f6","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-12T20:48:49Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/86cbb62fb4d82d4dc402b3281444539a5625c4bb4c86bbc4912c70e690a2e374"} {"level":"debug","ts":"2026-06-12T20:48:49Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/d3b195a61a7f24c6bf1fba40f9f2e2565facb6af92e959c1546ac398a9172618","issuerUrl":"https://keycloak.apps.c716503f-1e80-42d2-bcb7-d9acd9a18a02.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-12T20:48:49Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"4dc577fd60594d78a4a8bebe396f4b5a928f41bdc3f95c06d717cf1ddc3158b2","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-12T20:48:49Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/d3b195a61a7f24c6bf1fba40f9f2e2565facb6af92e959c1546ac398a9172618"} {"level":"debug","ts":"2026-06-12T20:48:49Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/e38d76c6f386f12bc12190c87b39e6e77e182be454f85659a9197c301f2cd9be","issuerUrl":"https://keycloak.apps.c716503f-1e80-42d2-bcb7-d9acd9a18a02.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-12T20:48:49Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"e50f5fdcb9fb7e124557afe69edae9a95d05da488eae1cc4b5c1c7c1220a826a","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-12T20:48:49Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/e38d76c6f386f12bc12190c87b39e6e77e182be454f85659a9197c301f2cd9be"} {"level":"debug","ts":"2026-06-12T20:48:49Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/b1f82c4ba6cc7617f9c0b90067f72f4a25fdc5de2564c14ccb90af534a2905f6","issuerUrl":"https://keycloak.apps.c716503f-1e80-42d2-bcb7-d9acd9a18a02.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-12T20:48:49Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/b1f82c4ba6cc7617f9c0b90067f72f4a25fdc5de2564c14ccb90af534a2905f6"} {"level":"debug","ts":"2026-06-12T20:48:49Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/4dc577fd60594d78a4a8bebe396f4b5a928f41bdc3f95c06d717cf1ddc3158b2","issuerUrl":"https://keycloak.apps.c716503f-1e80-42d2-bcb7-d9acd9a18a02.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-12T20:48:49Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/4dc577fd60594d78a4a8bebe396f4b5a928f41bdc3f95c06d717cf1ddc3158b2"} {"level":"debug","ts":"2026-06-12T20:48:49Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/e50f5fdcb9fb7e124557afe69edae9a95d05da488eae1cc4b5c1c7c1220a826a","issuerUrl":"https://keycloak.apps.c716503f-1e80-42d2-bcb7-d9acd9a18a02.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-12T20:48:49Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/e50f5fdcb9fb7e124557afe69edae9a95d05da488eae1cc4b5c1c7c1220a826a"} {"level":"info","ts":"2026-06-12T20:48:49Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource de-indexed","authconfig":"kuadrant-system/2200947db0f3acc41dd3fca21efa06f90c57afddd36d719bdda2dc74a0bd0a11"} {"level":"info","ts":"2026-06-12T20:48:49Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource de-indexed","authconfig":"kuadrant-system/3efb8e937aa19b5e0bdd0c3eb5b4ece33299385dcfc89205b8934853facbdcf0"} {"level":"info","ts":"2026-06-12T20:49:15Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"f3d7692c-64e4-44dd-8bc4-2c28b05898a5","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.12:57380","PortSpecifier":{"PortValue":57380}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.27:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"f3d7692c-64e4-44dd-8bc4-2c28b05898a5","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.c716503f-1e80-42d2-bcb7-d9acd9a18a02.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-12T20:49:15Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"f3d7692c-64e4-44dd-8bc4-2c28b05898a5","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.12:57380","PortSpecifier":{"PortValue":57380}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.27:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781297355,"nanos":557903285},"http":{"id":"f3d7692c-64e4-44dd-8bc4-2c28b05898a5","method":"POST","headers":{":authority":"maas.apps.c716503f-1e80-42d2-bcb7-d9acd9a18a02.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-12T20:49:15Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"f3d7692c-64e4-44dd-8bc4-2c28b05898a5","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781297655,"groups":["Engineering","Project-Alpha"],"iat":1781297355,"iss":"https://keycloak.apps.c716503f-1e80-42d2-bcb7-d9acd9a18a02.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:187e092b-5840-2140-e08d-e0763cfe7d9d","preferred_username":"alice_lead","scope":"profile email","sid":"UQVTeliOJoKser1ix-BN3Q8e","sub":"2dfa9a1f-7657-49a4-93ee-21e12e1697cd","typ":"Bearer"}} {"level":"debug","ts":"2026-06-12T20:49:15Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"f3d7692c-64e4-44dd-8bc4-2c28b05898a5","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781297655,"groups":["Engineering","Project-Alpha"],"iat":1781297355,"iss":"https://keycloak.apps.c716503f-1e80-42d2-bcb7-d9acd9a18a02.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:187e092b-5840-2140-e08d-e0763cfe7d9d","preferred_username":"alice_lead","scope":"profile email","sid":"UQVTeliOJoKser1ix-BN3Q8e","sub":"2dfa9a1f-7657-49a4-93ee-21e12e1697cd","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.133.0.27:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.c716503f-1e80-42d2-bcb7-d9acd9a18a02.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-12T20:49:15Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"f3d7692c-64e4-44dd-8bc4-2c28b05898a5","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T20:49:15Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"f3d7692c-64e4-44dd-8bc4-2c28b05898a5","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T20:49:15Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"f3d7692c-64e4-44dd-8bc4-2c28b05898a5","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T20:49:15Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"f3d7692c-64e4-44dd-8bc4-2c28b05898a5","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"groups","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"userid","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"keyId","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error_message","Value":{}}]},"Plain":null},"reason":"no such key: metadata"} {"level":"debug","ts":"2026-06-12T20:49:15Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"f3d7692c-64e4-44dd-8bc4-2c28b05898a5","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"} {"level":"debug","ts":"2026-06-12T20:49:15Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"f3d7692c-64e4-44dd-8bc4-2c28b05898a5","config":{"Name":"X-MaaS-Tenant-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Tenant","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"opendatahub"} {"level":"debug","ts":"2026-06-12T20:49:15Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"f3d7692c-64e4-44dd-8bc4-2c28b05898a5","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"} {"level":"info","ts":"2026-06-12T20:49:15Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"f3d7692c-64e4-44dd-8bc4-2c28b05898a5","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-12T20:49:15Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"f3d7692c-64e4-44dd-8bc4-2c28b05898a5","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-12T20:49:15Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"65b7cad6-0019-49d0-8244-d9a72a90a3bf","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.12:57396","PortSpecifier":{"PortValue":57396}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.27:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"65b7cad6-0019-49d0-8244-d9a72a90a3bf","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.c716503f-1e80-42d2-bcb7-d9acd9a18a02.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-12T20:49:15Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"65b7cad6-0019-49d0-8244-d9a72a90a3bf","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.12:57396","PortSpecifier":{"PortValue":57396}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.27:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781297355,"nanos":739085334},"http":{"id":"65b7cad6-0019-49d0-8244-d9a72a90a3bf","method":"POST","headers":{":authority":"maas.apps.c716503f-1e80-42d2-bcb7-d9acd9a18a02.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-12T20:49:15Z","logger":"authorino.service.auth.authpipeline.identity","msg":"cannot validate identity","request id":"65b7cad6-0019-49d0-8244-d9a72a90a3bf","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"reason":"failed to verify signature: failed to verify id token signature"} {"level":"debug","ts":"2026-06-12T20:49:15Z","logger":"authorino.service.auth.authpipeline.identity.kubernetesauth","msg":"calling kubernetes token review api","request id":"65b7cad6-0019-49d0-8244-d9a72a90a3bf","tokenreview":{"name":""}} {"level":"debug","ts":"2026-06-12T20:49:15Z","logger":"authorino.service.auth.authpipeline.identity","msg":"cannot validate identity","request id":"65b7cad6-0019-49d0-8244-d9a72a90a3bf","config":{"Name":"openshift-identities","Priority":2,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":null,"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"Plain":null,"Noop":null,"ExtendedProperties":[]},"reason":"not authenticated"} {"level":"info","ts":"2026-06-12T20:49:15Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"65b7cad6-0019-49d0-8244-d9a72a90a3bf","authorized":false,"response":"UNAUTHENTICATED","object":{"code":16,"status":401,"message":"Authentication required"}} {"level":"debug","ts":"2026-06-12T20:49:15Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"65b7cad6-0019-49d0-8244-d9a72a90a3bf","authorized":false,"response":"UNAUTHENTICATED","object":{"code":16,"status":401,"message":"Authentication required","headers":[{"WWW-Authenticate":"request.headers.authorization realm=\"api-keys\""},{"WWW-Authenticate":"Bearer **** realm=\"openshift-identities\""}]}} {"level":"info","ts":"2026-06-12T20:49:15Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"3a15a531-c3cf-4cd6-8d9f-b6a92247b7d9","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.12:57400","PortSpecifier":{"PortValue":57400}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.27:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"3a15a531-c3cf-4cd6-8d9f-b6a92247b7d9","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.c716503f-1e80-42d2-bcb7-d9acd9a18a02.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-12T20:49:15Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"3a15a531-c3cf-4cd6-8d9f-b6a92247b7d9","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.12:57400","PortSpecifier":{"PortValue":57400}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.27:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781297355,"nanos":802308340},"http":{"id":"3a15a531-c3cf-4cd6-8d9f-b6a92247b7d9","method":"POST","headers":{":authority":"maas.apps.c716503f-1e80-42d2-bcb7-d9acd9a18a02.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer","content-length":"35","content-type":"application/json","forwarded":"for=44.212.242.249;host=maas.apps.c716503f-1e80-42d2-bcb7-d9acd9a18a02.prod.konfluxeaas.com;proto=https","user-agent":"python-requests/2.32.5","x-envoy-decorator-operation":"maas-api.opendatahub.svc.cluster.local:8443/*","x-envoy-external-address":"10.132.0.12","x-envoy-peer-metadata":"ChoKCkNMVVNURVJfSUQSDBoKS3ViZXJuZXRlcwqLAQoGTEFCRUxTEoABKn4KSwofc2VydmljZS5pc3Rpby5pby9jYW5vbmljYWwtbmFtZRIoGiZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAovCiNzZXJ2aWNlLmlzdGlvLmlvL2Nhbm9uaWNhbC1yZXZpc2lvbhIIGgZsYXRlc3QKQAoETkFNRRI4GjZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdC02ODdmZjY5OTYtemtibnAKIAoJTkFNRVNQQUNFEhMaEW9wZW5zaGlmdC1pbmdyZXNzCnQKBU9XTkVSEmsaaWt1YmVybmV0ZXM6Ly9hcGlzL2FwcHMvdjEvbmFtZXNwYWNlcy9vcGVuc2hpZnQtaW5ncmVzcy9kZXBsb3ltZW50cy9tYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAo5Cg1XT1JLTE9BRF9OQU1FEigaJm1hYXMtZGVmYXVsdC1nYXRld2F5LW9wZW5zaGlmdC1kZWZhdWx0","x-envoy-peer-metadata-id":"router~10.133.0.27~maas-default-gateway-openshift-default-687ff6996-zkbnp.openshift-ingress~openshift-ingress.svc.cluster.local","x-forwarded-for":"44.212.242.249,10.132.0.12","x-forwarded-host":"maas.apps.c716503f-1e80-42d2-bcb7-d9acd9a18a02.prod.konfluxeaas.com","x-forwarded-port":"443","x-forwarded-proto":"https","x-request-id":"3a15a531-c3cf-4cd6-8d9f-b6a92247b7d9"},"path":"/maas-api/v1/api-keys","host":"maas.apps.c716503f-1e80-42d2-bcb7-d9acd9a18a02.prod.konfluxeaas.com","scheme":"https","protocol":"HTTP/1.1"}},"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"metadata_context":{}}} {"level":"debug","ts":"2026-06-12T20:49:15Z","logger":"authorino.service.auth.authpipeline.identity","msg":"cannot validate identity","request id":"3a15a531-c3cf-4cd6-8d9f-b6a92247b7d9","config":{"Name":"openshift-identities","Priority":2,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":null,"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"Plain":null,"Noop":null,"ExtendedProperties":[]},"reason":"credential not found"} {"level":"info","ts":"2026-06-12T20:49:15Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"3a15a531-c3cf-4cd6-8d9f-b6a92247b7d9","authorized":false,"response":"UNAUTHENTICATED","object":{"code":16,"status":401,"message":"Authentication required"}} {"level":"debug","ts":"2026-06-12T20:49:15Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"3a15a531-c3cf-4cd6-8d9f-b6a92247b7d9","authorized":false,"response":"UNAUTHENTICATED","object":{"code":16,"status":401,"message":"Authentication required","headers":[{"WWW-Authenticate":"request.headers.authorization realm=\"api-keys\""},{"WWW-Authenticate":"Bearer **** realm=\"openshift-identities\""}]}} {"level":"info","ts":"2026-06-12T20:49:15Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"a5f19a4f-3051-4a41-9283-cda5c65966bc","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.12:57408","PortSpecifier":{"PortValue":57408}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.27:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"a5f19a4f-3051-4a41-9283-cda5c65966bc","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.c716503f-1e80-42d2-bcb7-d9acd9a18a02.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-12T20:49:15Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"a5f19a4f-3051-4a41-9283-cda5c65966bc","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.12:57408","PortSpecifier":{"PortValue":57408}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.27:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781297355,"nanos":832096350},"http":{"id":"a5f19a4f-3051-4a41-9283-cda5c65966bc","method":"POST","headers":{":authority":"maas.apps.c716503f-1e80-42d2-bcb7-d9acd9a18a02.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","content-length":"36","content-type":"application/json","forwarded":"for=44.212.242.249;host=maas.apps.c716503f-1e80-42d2-bcb7-d9acd9a18a02.prod.konfluxeaas.com;proto=https","user-agent":"python-requests/2.32.5","x-envoy-decorator-operation":"maas-api.opendatahub.svc.cluster.local:8443/*","x-envoy-external-address":"10.132.0.12","x-envoy-peer-metadata":"ChoKCkNMVVNURVJfSUQSDBoKS3ViZXJuZXRlcwqLAQoGTEFCRUxTEoABKn4KSwofc2VydmljZS5pc3Rpby5pby9jYW5vbmljYWwtbmFtZRIoGiZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAovCiNzZXJ2aWNlLmlzdGlvLmlvL2Nhbm9uaWNhbC1yZXZpc2lvbhIIGgZsYXRlc3QKQAoETkFNRRI4GjZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdC02ODdmZjY5OTYtemtibnAKIAoJTkFNRVNQQUNFEhMaEW9wZW5zaGlmdC1pbmdyZXNzCnQKBU9XTkVSEmsaaWt1YmVybmV0ZXM6Ly9hcGlzL2FwcHMvdjEvbmFtZXNwYWNlcy9vcGVuc2hpZnQtaW5ncmVzcy9kZXBsb3ltZW50cy9tYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAo5Cg1XT1JLTE9BRF9OQU1FEigaJm1hYXMtZGVmYXVsdC1nYXRld2F5LW9wZW5zaGlmdC1kZWZhdWx0","x-envoy-peer-metadata-id":"router~10.133.0.27~maas-default-gateway-openshift-default-687ff6996-zkbnp.openshift-ingress~openshift-ingress.svc.cluster.local","x-forwarded-for":"44.212.242.249,10.132.0.12","x-forwarded-host":"maas.apps.c716503f-1e80-42d2-bcb7-d9acd9a18a02.prod.konfluxeaas.com","x-forwarded-port":"443","x-forwarded-proto":"https","x-request-id":"a5f19a4f-3051-4a41-9283-cda5c65966bc"},"path":"/maas-api/v1/api-keys","host":"maas.apps.c716503f-1e80-42d2-bcb7-d9acd9a18a02.prod.konfluxeaas.com","scheme":"https","protocol":"HTTP/1.1"}},"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"metadata_context":{}}} {"level":"info","ts":"2026-06-12T20:49:15Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"a5f19a4f-3051-4a41-9283-cda5c65966bc","authorized":false,"response":"UNAUTHENTICATED","object":{"code":16,"status":401,"message":"Authentication required"}} {"level":"debug","ts":"2026-06-12T20:49:15Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"a5f19a4f-3051-4a41-9283-cda5c65966bc","authorized":false,"response":"UNAUTHENTICATED","object":{"code":16,"status":401,"message":"Authentication required","headers":[{"WWW-Authenticate":"request.headers.authorization realm=\"api-keys\""},{"WWW-Authenticate":"Bearer **** realm=\"openshift-identities\""}]}} {"level":"info","ts":"2026-06-12T20:49:16Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"4916db17-6271-4037-b04c-3b81d3192dff","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.12:57410","PortSpecifier":{"PortValue":57410}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.27:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"4916db17-6271-4037-b04c-3b81d3192dff","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.c716503f-1e80-42d2-bcb7-d9acd9a18a02.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-12T20:49:16Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"4916db17-6271-4037-b04c-3b81d3192dff","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.12:57410","PortSpecifier":{"PortValue":57410}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.27:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781297356,"nanos":497604515},"http":{"id":"4916db17-6271-4037-b04c-3b81d3192dff","method":"POST","headers":{":authority":"maas.apps.c716503f-1e80-42d2-bcb7-d9acd9a18a02.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-12T20:49:16Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"4916db17-6271-4037-b04c-3b81d3192dff","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781297656,"groups":["Site-Reliability"],"iat":1781297356,"iss":"https://keycloak.apps.c716503f-1e80-42d2-bcb7-d9acd9a18a02.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:5f706481-4400-b19d-3928-cba5b176b7ea","preferred_username":"bob_sre","scope":"profile email","sid":"7pPH3N2RAlDItSIGG6QWRRVl","sub":"1b7ea831-6212-4bbe-a5f5-b75ad022cf49","typ":"Bearer"}} {"level":"debug","ts":"2026-06-12T20:49:16Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"4916db17-6271-4037-b04c-3b81d3192dff","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781297656,"groups":["Site-Reliability"],"iat":1781297356,"iss":"https://keycloak.apps.c716503f-1e80-42d2-bcb7-d9acd9a18a02.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:5f706481-4400-b19d-3928-cba5b176b7ea","preferred_username":"bob_sre","scope":"profile email","sid":"7pPH3N2RAlDItSIGG6QWRRVl","sub":"1b7ea831-6212-4bbe-a5f5-b75ad022cf49","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.133.0.27:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.c716503f-1e80-42d2-bcb7-d9acd9a18a02.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-12T20:49:16Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"4916db17-6271-4037-b04c-3b81d3192dff","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T20:49:16Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"4916db17-6271-4037-b04c-3b81d3192dff","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T20:49:16Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"4916db17-6271-4037-b04c-3b81d3192dff","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T20:49:16Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"4916db17-6271-4037-b04c-3b81d3192dff","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"groups","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"userid","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"keyId","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error_message","Value":{}}]},"Plain":null},"reason":"no such key: metadata"} {"level":"debug","ts":"2026-06-12T20:49:16Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"4916db17-6271-4037-b04c-3b81d3192dff","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"bob_sre"} {"level":"debug","ts":"2026-06-12T20:49:16Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"4916db17-6271-4037-b04c-3b81d3192dff","config":{"Name":"X-MaaS-Tenant-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Tenant","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"opendatahub"} {"level":"debug","ts":"2026-06-12T20:49:16Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"4916db17-6271-4037-b04c-3b81d3192dff","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Site-Reliability\"]"} {"level":"info","ts":"2026-06-12T20:49:16Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"4916db17-6271-4037-b04c-3b81d3192dff","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-12T20:49:16Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"4916db17-6271-4037-b04c-3b81d3192dff","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-12T20:49:16Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"b5638589-b6a8-4b87-b1dc-40b5456f4daf","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.12:57426","PortSpecifier":{"PortValue":57426}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.27:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"b5638589-b6a8-4b87-b1dc-40b5456f4daf","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.c716503f-1e80-42d2-bcb7-d9acd9a18a02.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-12T20:49:16Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"b5638589-b6a8-4b87-b1dc-40b5456f4daf","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.12:57426","PortSpecifier":{"PortValue":57426}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.27:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781297356,"nanos":888458905},"http":{"id":"b5638589-b6a8-4b87-b1dc-40b5456f4daf","method":"POST","headers":{":authority":"maas.apps.c716503f-1e80-42d2-bcb7-d9acd9a18a02.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-12T20:49:16Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"b5638589-b6a8-4b87-b1dc-40b5456f4daf","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781297656,"groups":["Engineering","Project-Alpha"],"iat":1781297356,"iss":"https://keycloak.apps.c716503f-1e80-42d2-bcb7-d9acd9a18a02.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:f17f3547-0183-387b-5bc9-022eebd73faf","preferred_username":"alice_lead","scope":"profile email","sid":"bs9C7Twuk0Yob6COfqzHVzy6","sub":"2dfa9a1f-7657-49a4-93ee-21e12e1697cd","typ":"Bearer"}} {"level":"debug","ts":"2026-06-12T20:49:16Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"b5638589-b6a8-4b87-b1dc-40b5456f4daf","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781297656,"groups":["Engineering","Project-Alpha"],"iat":1781297356,"iss":"https://keycloak.apps.c716503f-1e80-42d2-bcb7-d9acd9a18a02.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:f17f3547-0183-387b-5bc9-022eebd73faf","preferred_username":"alice_lead","scope":"profile email","sid":"bs9C7Twuk0Yob6COfqzHVzy6","sub":"2dfa9a1f-7657-49a4-93ee-21e12e1697cd","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.133.0.27:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.c716503f-1e80-42d2-bcb7-d9acd9a18a02.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-12T20:49:16Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"b5638589-b6a8-4b87-b1dc-40b5456f4daf","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T20:49:16Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"b5638589-b6a8-4b87-b1dc-40b5456f4daf","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T20:49:16Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"b5638589-b6a8-4b87-b1dc-40b5456f4daf","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T20:49:16Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"b5638589-b6a8-4b87-b1dc-40b5456f4daf","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"groups","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"userid","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"keyId","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error_message","Value":{}}]},"Plain":null},"reason":"no such key: metadata"} {"level":"debug","ts":"2026-06-12T20:49:16Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"b5638589-b6a8-4b87-b1dc-40b5456f4daf","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"} {"level":"debug","ts":"2026-06-12T20:49:16Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"b5638589-b6a8-4b87-b1dc-40b5456f4daf","config":{"Name":"X-MaaS-Tenant-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Tenant","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"opendatahub"} {"level":"debug","ts":"2026-06-12T20:49:16Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"b5638589-b6a8-4b87-b1dc-40b5456f4daf","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"} {"level":"info","ts":"2026-06-12T20:49:16Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"b5638589-b6a8-4b87-b1dc-40b5456f4daf","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-12T20:49:16Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"b5638589-b6a8-4b87-b1dc-40b5456f4daf","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-12T20:49:16Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"d2ec40b1-7a74-472d-a5d3-b97e5a69ca5d","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.12:57428","PortSpecifier":{"PortValue":57428}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.27:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"d2ec40b1-7a74-472d-a5d3-b97e5a69ca5d","method":"GET","path":"/maas-api/v1/models","host":"maas.apps.c716503f-1e80-42d2-bcb7-d9acd9a18a02.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-12T20:49:16Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"d2ec40b1-7a74-472d-a5d3-b97e5a69ca5d","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.12:57428","PortSpecifier":{"PortValue":57428}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.27:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781297356,"nanos":921308425},"http":{"id":"d2ec40b1-7a74-472d-a5d3-b97e5a69ca5d","method":"GET","headers":{":authority":"maas.apps.c716503f-1e80-42d2-bcb7-d9acd9a18a02.prod.konfluxeaas.com",":method":"GET",":path":"/maas-api/v1/models",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-12T20:49:16Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"d2ec40b1-7a74-472d-a5d3-b97e5a69ca5d","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-1I9okw4UYAOX9RXG1_LkVHqqMRq03bWnC2C9ZJeamfZceVQQSDA7sBHJzAdSD"} {"level":"debug","ts":"2026-06-12T20:49:16Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"d2ec40b1-7a74-472d-a5d3-b97e5a69ca5d","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-1I9okw4UYAOX9RXG1_LkVHqqMRq03bWnC2C9ZJeamfZceVQQSDA7sBHJzAdSD\"}"} {"level":"debug","ts":"2026-06-12T20:49:16Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"d2ec40b1-7a74-472d-a5d3-b97e5a69ca5d","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-12T20:49:16Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"d2ec40b1-7a74-472d-a5d3-b97e5a69ca5d","input":{"auth":{"identity":"Bearer **** deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-12T20:49:16Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"d2ec40b1-7a74-472d-a5d3-b97e5a69ca5d","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T20:49:16Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"d2ec40b1-7a74-472d-a5d3-b97e5a69ca5d","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T20:49:16Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"d2ec40b1-7a74-472d-a5d3-b97e5a69ca5d","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T20:49:16Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"d2ec40b1-7a74-472d-a5d3-b97e5a69ca5d","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-12T20:49:16Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"d2ec40b1-7a74-472d-a5d3-b97e5a69ca5d","config":{"Name":"X-MaaS-Tenant","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-12T20:49:16Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"d2ec40b1-7a74-472d-a5d3-b97e5a69ca5d","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-12T20:49:16Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"d2ec40b1-7a74-472d-a5d3-b97e5a69ca5d","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"groups","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"userid","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"keyId","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error_message","Value":{}}]},"Plain":null},"reason":"no such key: subscription-info"} {"level":"debug","ts":"2026-06-12T20:49:16Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"d2ec40b1-7a74-472d-a5d3-b97e5a69ca5d","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"} {"level":"info","ts":"2026-06-12T20:49:16Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"d2ec40b1-7a74-472d-a5d3-b97e5a69ca5d","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-12T20:49:16Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"d2ec40b1-7a74-472d-a5d3-b97e5a69ca5d","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-12T20:49:16Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"647e4d64-5207-44cc-b967-cb70d715efd5","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.53:45956","PortSpecifier":{"PortValue":45956}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.27:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"647e4d64-5207-44cc-b967-cb70d715efd5","method":"GET","path":"/llm/facebook-opt-125m-simulated/v1/models","host":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local","scheme":"https"}}}} {"level":"debug","ts":"2026-06-12T20:49:16Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"647e4d64-5207-44cc-b967-cb70d715efd5","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.53:45956","PortSpecifier":{"PortValue":45956}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.27:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781297356,"nanos":940905410},"http":{"id":"647e4d64-5207-44cc-b967-cb70d715efd5","method":"GET","headers":{":authority":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local",":method":"GET",":path":"/llm/facebook-opt-125m-simulated/v1/models",":scheme":"https","accept-encoding":"gzip","authorization":"Bearer **** {"level":"debug","ts":"2026-06-12T20:49:16Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"647e4d64-5207-44cc-b967-cb70d715efd5","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-1I9okw4UYAOX9RXG1_LkVHqqMRq03bWnC2C9ZJeamfZceVQQSDA7sBHJzAdSD"} {"level":"debug","ts":"2026-06-12T20:49:16Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"647e4d64-5207-44cc-b967-cb70d715efd5","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-1I9okw4UYAOX9RXG1_LkVHqqMRq03bWnC2C9ZJeamfZceVQQSDA7sBHJzAdSD\"}"} {"level":"debug","ts":"2026-06-12T20:49:16Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"647e4d64-5207-44cc-b967-cb70d715efd5","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-12T20:49:16Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"647e4d64-5207-44cc-b967-cb70d715efd5","config":"subscription-info","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","headers":{"Content-Type":["application/json"]},"body":"{\"groups\":[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"],\"requestedModel\":\"llm/facebook-opt-125m-simulated\",\"requestedSubscription\":\"simulator-subscription\",\"username\":\"alice_lead\"}"} {"level":"debug","ts":"2026-06-12T20:49:16Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"647e4d64-5207-44cc-b967-cb70d715efd5","config":{"Name":"subscription-info","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"UserInfo":null,"UMA":null,"GenericHTTP":{"Endpoint":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","DynamicEndpoint":null,"Method":"POST","Body":{},"Parameters":[],"Headers":[],"ContentType":"application/json","SharedSecret":"","OAuth2":null,"OAuth2TokenForceFetch":false,"AuthCredentials":null}},"object":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}} {"level":"debug","ts":"2026-06-12T20:49:16Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"647e4d64-5207-44cc-b967-cb70d715efd5","input":{"auth":{"identity":"Bearer **** subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}}},"context":{"context_extensions":{"host":"3dd75e19cd66d310c30638e330078972afd6d2d96305f91055bc6a6f363fb8d3"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.133.0.27:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local",":method":"GET",":path":"/llm/facebook-opt-125m-simulated/v1/models",":scheme":"https","accept-encoding":"gzip","authorization":"Bearer **** sk-oai-1I9okw4UYAOX9RXG1_LkVHqqMRq03bWnC2C9ZJeamfZceVQQSDA7sBHJzAdSD","user-agent":"Go-http-client/1.1","x-envoy-decorator-operation":"facebook-opt-125m-simulated-kserve-workload-svc.llm.svc.cluster.local:8000/*","x-envoy-external-address":"10.132.0.53","x-envoy-peer-metadata":"ChoKCkNMVVNURVJfSUQSDBoKS3ViZXJuZXRlcwqLAQoGTEFCRUxTEoABKn4KSwofc2VydmljZS5pc3Rpby5pby9jYW5vbmljYWwtbmFtZRIoGiZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAovCiNzZXJ2aWNlLmlzdGlvLmlvL2Nhbm9uaWNhbC1yZXZpc2lvbhIIGgZsYXRlc3QKQAoETkFNRRI4GjZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdC02ODdmZjY5OTYtemtibnAKIAoJTkFNRVNQQUNFEhMaEW9wZW5zaGlmdC1pbmdyZXNzCnQKBU9XTkVSEmsaaWt1YmVybmV0ZXM6Ly9hcGlzL2FwcHMvdjEvbmFtZXNwYWNlcy9vcGVuc2hpZnQtaW5ncmVzcy9kZXBsb3ltZW50cy9tYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAo5Cg1XT1JLTE9BRF9OQU1FEigaJm1hYXMtZGVmYXVsdC1nYXRld2F5LW9wZW5zaGlmdC1kZWZhdWx0","x-envoy-peer-metadata-id":"router~10.133.0.27~maas-default-gateway-openshift-default-687ff6996-zkbnp.openshift-ingress~openshift-ingress.svc.cluster.local","x-forwarded-for":"10.132.0.53","x-forwarded-proto":"https","x-maas-subscription":"simulator-subscription","x-request-id":"647e4d64-5207-44cc-b967-cb70d715efd5"},"host":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local","id":"647e4d64-5207-44cc-b967-cb70d715efd5","method":"GET","path":"/llm/facebook-opt-125m-simulated/v1/models","protocol":"HTTP/1.1","scheme":"https","time":{"nanos":940905410,"seconds":1781297356},"url_path":"/llm/facebook-opt-125m-simulated/v1/models","user_agent":"Go-http-client/1.1"},"source":{"address":"10.132.0.53:45956","port":45956}}} {"level":"debug","ts":"2026-06-12T20:49:16Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"647e4d64-5207-44cc-b967-cb70d715efd5","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T20:49:16Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"647e4d64-5207-44cc-b967-cb70d715efd5","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T20:49:16Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"647e4d64-5207-44cc-b967-cb70d715efd5","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T20:49:16Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"647e4d64-5207-44cc-b967-cb70d715efd5","config":{"Name":"subscription-valid","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T20:49:16Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"647e4d64-5207-44cc-b967-cb70d715efd5","config":{"Name":"X-MaaS-Tenant","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-12T20:49:16Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"647e4d64-5207-44cc-b967-cb70d715efd5","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-12T20:49:16Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"647e4d64-5207-44cc-b967-cb70d715efd5","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-12T20:49:16Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"647e4d64-5207-44cc-b967-cb70d715efd5","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"} {"level":"debug","ts":"2026-06-12T20:49:16Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"647e4d64-5207-44cc-b967-cb70d715efd5","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"subscription_info","Value":{}},{"Name":"keyId","Value":{}},{"Name":"userid","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"groups","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_error_message","Value":{}}]},"Plain":null},"object":{"groups":["system:authenticated","Engineering","Project-Alpha"],"groups_str":"system:authenticated,Engineering,Project-Alpha","keyId":"4f63885f-0c65-42c6-b2de-4a7d223a25d3","selected_subscription":"simulator-subscription","selected_subscription_key":"models-as-a-service/simulator-subscription@llm/facebook-opt-125m-simulated","subscription_error":"","subscription_error_message":"","subscription_info":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true},"userid":"alice_lead"}} {"level":"info","ts":"2026-06-12T20:49:16Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"647e4d64-5207-44cc-b967-cb70d715efd5","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-12T20:49:16Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"647e4d64-5207-44cc-b967-cb70d715efd5","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-12T20:49:16Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"222e14b0-8538-4e8a-9b6d-7b7b94812d05","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.12:57434","PortSpecifier":{"PortValue":57434}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.27:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"222e14b0-8538-4e8a-9b6d-7b7b94812d05","method":"POST","path":"/llm/facebook-opt-125m-simulated/v1/chat/completions","host":"maas.apps.c716503f-1e80-42d2-bcb7-d9acd9a18a02.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-12T20:49:16Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"222e14b0-8538-4e8a-9b6d-7b7b94812d05","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.12:57434","PortSpecifier":{"PortValue":57434}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.27:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781297356,"nanos":974163358},"http":{"id":"222e14b0-8538-4e8a-9b6d-7b7b94812d05","method":"POST","headers":{":authority":"maas.apps.c716503f-1e80-42d2-bcb7-d9acd9a18a02.prod.konfluxeaas.com",":method":"POST",":path":"/llm/facebook-opt-125m-simulated/v1/chat/completions",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-12T20:49:16Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"222e14b0-8538-4e8a-9b6d-7b7b94812d05","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-1I9okw4UYAOX9RXG1_LkVHqqMRq03bWnC2C9ZJeamfZceVQQSDA7sBHJzAdSD"} {"level":"debug","ts":"2026-06-12T20:49:16Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"222e14b0-8538-4e8a-9b6d-7b7b94812d05","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-1I9okw4UYAOX9RXG1_LkVHqqMRq03bWnC2C9ZJeamfZceVQQSDA7sBHJzAdSD\"}"} {"level":"debug","ts":"2026-06-12T20:49:16Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"222e14b0-8538-4e8a-9b6d-7b7b94812d05","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-12T20:49:16Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"222e14b0-8538-4e8a-9b6d-7b7b94812d05","config":"subscription-info","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","headers":{"Content-Type":["application/json"]},"body":"{\"groups\":[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"],\"requestedModel\":\"llm/facebook-opt-125m-simulated\",\"requestedSubscription\":\"simulator-subscription\",\"username\":\"alice_lead\"}"} {"level":"debug","ts":"2026-06-12T20:49:16Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"222e14b0-8538-4e8a-9b6d-7b7b94812d05","config":{"Name":"subscription-info","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"UserInfo":null,"UMA":null,"GenericHTTP":{"Endpoint":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","DynamicEndpoint":null,"Method":"POST","Body":{},"Parameters":[],"Headers":[],"ContentType":"application/json","SharedSecret":"","OAuth2":null,"OAuth2TokenForceFetch":false,"AuthCredentials":null}},"object":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}} {"level":"debug","ts":"2026-06-12T20:49:16Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"222e14b0-8538-4e8a-9b6d-7b7b94812d05","input":{"auth":{"identity":"Bearer **** subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}}},"context":{"context_extensions":{"host":"18e32965997cdd9967355c6fa5264ed12c0a215989d459ed88d7d6de02865f76"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.133.0.27:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.c716503f-1e80-42d2-bcb7-d9acd9a18a02.prod.konfluxeaas.com",":method":"POST",":path":"/llm/facebook-opt-125m-simulated/v1/chat/completions",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-12T20:49:16Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"222e14b0-8538-4e8a-9b6d-7b7b94812d05","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T20:49:16Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"222e14b0-8538-4e8a-9b6d-7b7b94812d05","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T20:49:16Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"222e14b0-8538-4e8a-9b6d-7b7b94812d05","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T20:49:16Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"222e14b0-8538-4e8a-9b6d-7b7b94812d05","config":{"Name":"subscription-valid","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T20:49:16Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"222e14b0-8538-4e8a-9b6d-7b7b94812d05","config":{"Name":"X-MaaS-Tenant","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-12T20:49:16Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"222e14b0-8538-4e8a-9b6d-7b7b94812d05","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-12T20:49:16Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"222e14b0-8538-4e8a-9b6d-7b7b94812d05","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-12T20:49:16Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"222e14b0-8538-4e8a-9b6d-7b7b94812d05","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"} {"level":"debug","ts":"2026-06-12T20:49:16Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"222e14b0-8538-4e8a-9b6d-7b7b94812d05","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"keyId","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"groups","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"userid","Value":{}}]},"Plain":null},"object":{"groups":["system:authenticated","Engineering","Project-Alpha"],"groups_str":"system:authenticated,Engineering,Project-Alpha","keyId":"4f63885f-0c65-42c6-b2de-4a7d223a25d3","selected_subscription":"simulator-subscription","selected_subscription_key":"models-as-a-service/simulator-subscription@llm/facebook-opt-125m-simulated","subscription_error":"","subscription_error_message":"","subscription_info":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true},"userid":"alice_lead"}} {"level":"info","ts":"2026-06-12T20:49:16Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"222e14b0-8538-4e8a-9b6d-7b7b94812d05","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-12T20:49:16Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"222e14b0-8538-4e8a-9b6d-7b7b94812d05","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-12T20:49:17Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"1cbbb4ff-ec49-4815-b149-7712c169991e","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.12:57438","PortSpecifier":{"PortValue":57438}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.27:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"1cbbb4ff-ec49-4815-b149-7712c169991e","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.c716503f-1e80-42d2-bcb7-d9acd9a18a02.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-12T20:49:17Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"1cbbb4ff-ec49-4815-b149-7712c169991e","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.12:57438","PortSpecifier":{"PortValue":57438}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.27:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781297357,"nanos":125690060},"http":{"id":"1cbbb4ff-ec49-4815-b149-7712c169991e","method":"POST","headers":{":authority":"maas.apps.c716503f-1e80-42d2-bcb7-d9acd9a18a02.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-12T20:49:17Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"1cbbb4ff-ec49-4815-b149-7712c169991e","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781297657,"groups":["Engineering","Project-Alpha"],"iat":1781297357,"iss":"https://keycloak.apps.c716503f-1e80-42d2-bcb7-d9acd9a18a02.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:0f73c025-a33d-09e5-41e0-dc97de7bb119","preferred_username":"alice_lead","scope":"profile email","sid":"HIPL3ZGaDo4uKpCYknf4dERU","sub":"2dfa9a1f-7657-49a4-93ee-21e12e1697cd","typ":"Bearer"}} {"level":"debug","ts":"2026-06-12T20:49:17Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"1cbbb4ff-ec49-4815-b149-7712c169991e","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781297657,"groups":["Engineering","Project-Alpha"],"iat":1781297357,"iss":"https://keycloak.apps.c716503f-1e80-42d2-bcb7-d9acd9a18a02.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:0f73c025-a33d-09e5-41e0-dc97de7bb119","preferred_username":"alice_lead","scope":"profile email","sid":"HIPL3ZGaDo4uKpCYknf4dERU","sub":"2dfa9a1f-7657-49a4-93ee-21e12e1697cd","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.133.0.27:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.c716503f-1e80-42d2-bcb7-d9acd9a18a02.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-12T20:49:17Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"1cbbb4ff-ec49-4815-b149-7712c169991e","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T20:49:17Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"1cbbb4ff-ec49-4815-b149-7712c169991e","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T20:49:17Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"1cbbb4ff-ec49-4815-b149-7712c169991e","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T20:49:17Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"1cbbb4ff-ec49-4815-b149-7712c169991e","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"groups","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"userid","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"keyId","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error_message","Value":{}}]},"Plain":null},"reason":"no such key: metadata"} {"level":"debug","ts":"2026-06-12T20:49:17Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"1cbbb4ff-ec49-4815-b149-7712c169991e","config":{"Name":"X-MaaS-Tenant-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Tenant","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"opendatahub"} {"level":"debug","ts":"2026-06-12T20:49:17Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"1cbbb4ff-ec49-4815-b149-7712c169991e","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"} {"level":"debug","ts":"2026-06-12T20:49:17Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"1cbbb4ff-ec49-4815-b149-7712c169991e","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"} {"level":"info","ts":"2026-06-12T20:49:17Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"1cbbb4ff-ec49-4815-b149-7712c169991e","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-12T20:49:17Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"1cbbb4ff-ec49-4815-b149-7712c169991e","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-12T20:49:17Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"569a4247-d539-9a65-bc78-ba835f363f7e","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.12:57440","PortSpecifier":{"PortValue":57440}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.27:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"569a4247-d539-9a65-bc78-ba835f363f7e","method":"DELETE","path":"/maas-api/v1/api-keys/83a3b3ed-0c40-46a4-857f-5ab396bb66b2","host":"maas.apps.c716503f-1e80-42d2-bcb7-d9acd9a18a02.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-12T20:49:17Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"569a4247-d539-9a65-bc78-ba835f363f7e","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.12:57440","PortSpecifier":{"PortValue":57440}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.27:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781297357,"nanos":157437109},"http":{"id":"569a4247-d539-9a65-bc78-ba835f363f7e","method":"DELETE","headers":{":authority":"maas.apps.c716503f-1e80-42d2-bcb7-d9acd9a18a02.prod.konfluxeaas.com",":method":"DELETE",":path":"/maas-api/v1/api-keys/83a3b3ed-0c40-46a4-857f-5ab396bb66b2",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-12T20:49:17Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"569a4247-d539-9a65-bc78-ba835f363f7e","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781297657,"groups":["Engineering","Project-Alpha"],"iat":1781297357,"iss":"https://keycloak.apps.c716503f-1e80-42d2-bcb7-d9acd9a18a02.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:0f73c025-a33d-09e5-41e0-dc97de7bb119","preferred_username":"alice_lead","scope":"profile email","sid":"HIPL3ZGaDo4uKpCYknf4dERU","sub":"2dfa9a1f-7657-49a4-93ee-21e12e1697cd","typ":"Bearer"}} {"level":"debug","ts":"2026-06-12T20:49:17Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"569a4247-d539-9a65-bc78-ba835f363f7e","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781297657,"groups":["Engineering","Project-Alpha"],"iat":1781297357,"iss":"https://keycloak.apps.c716503f-1e80-42d2-bcb7-d9acd9a18a02.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:0f73c025-a33d-09e5-41e0-dc97de7bb119","preferred_username":"alice_lead","scope":"profile email","sid":"HIPL3ZGaDo4uKpCYknf4dERU","sub":"2dfa9a1f-7657-49a4-93ee-21e12e1697cd","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.133.0.27:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.c716503f-1e80-42d2-bcb7-d9acd9a18a02.prod.konfluxeaas.com",":method":"DELETE",":path":"/maas-api/v1/api-keys/83a3b3ed-0c40-46a4-857f-5ab396bb66b2",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-12T20:49:17Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"569a4247-d539-9a65-bc78-ba835f363f7e","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T20:49:17Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"569a4247-d539-9a65-bc78-ba835f363f7e","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T20:49:17Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"569a4247-d539-9a65-bc78-ba835f363f7e","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T20:49:17Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"569a4247-d539-9a65-bc78-ba835f363f7e","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"groups","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"userid","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"keyId","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error_message","Value":{}}]},"Plain":null},"reason":"no such key: metadata"} {"level":"debug","ts":"2026-06-12T20:49:17Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"569a4247-d539-9a65-bc78-ba835f363f7e","config":{"Name":"X-MaaS-Tenant-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Tenant","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"opendatahub"} {"level":"debug","ts":"2026-06-12T20:49:17Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"569a4247-d539-9a65-bc78-ba835f363f7e","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"} {"level":"debug","ts":"2026-06-12T20:49:17Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"569a4247-d539-9a65-bc78-ba835f363f7e","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"} {"level":"info","ts":"2026-06-12T20:49:17Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"569a4247-d539-9a65-bc78-ba835f363f7e","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-12T20:49:17Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"569a4247-d539-9a65-bc78-ba835f363f7e","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-12T20:49:20Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"bc7bda54-f28b-4ce2-a44a-0a50746c7d86","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.12:57456","PortSpecifier":{"PortValue":57456}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.27:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"bc7bda54-f28b-4ce2-a44a-0a50746c7d86","method":"GET","path":"/maas-api/v1/models","host":"maas.apps.c716503f-1e80-42d2-bcb7-d9acd9a18a02.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-12T20:49:20Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"bc7bda54-f28b-4ce2-a44a-0a50746c7d86","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.12:57456","PortSpecifier":{"PortValue":57456}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.27:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781297360,"nanos":192636093},"http":{"id":"bc7bda54-f28b-4ce2-a44a-0a50746c7d86","method":"GET","headers":{":authority":"maas.apps.c716503f-1e80-42d2-bcb7-d9acd9a18a02.prod.konfluxeaas.com",":method":"GET",":path":"/maas-api/v1/models",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-12T20:49:20Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"bc7bda54-f28b-4ce2-a44a-0a50746c7d86","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-dKHzJOoJOr20yGr9_lrxe8qupm4ouO09wwu66THDfx5UJWdv5HZclwndVW5Y"} {"level":"debug","ts":"2026-06-12T20:49:20Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"bc7bda54-f28b-4ce2-a44a-0a50746c7d86","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-dKHzJOoJOr20yGr9_lrxe8qupm4ouO09wwu66THDfx5UJWdv5HZclwndVW5Y\"}"} {"level":"debug","ts":"2026-06-12T20:49:20Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"bc7bda54-f28b-4ce2-a44a-0a50746c7d86","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** revoked or expired","valid":false}} {"level":"debug","ts":"2026-06-12T20:49:20Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"bc7bda54-f28b-4ce2-a44a-0a50746c7d86","input":{"auth":{"identity":"Bearer **** revoked or expired","valid":false}}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.133.0.27:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.c716503f-1e80-42d2-bcb7-d9acd9a18a02.prod.konfluxeaas.com",":method":"GET",":path":"/maas-api/v1/models",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-12T20:49:20Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"bc7bda54-f28b-4ce2-a44a-0a50746c7d86","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T20:49:20Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access denied","request id":"bc7bda54-f28b-4ce2-a44a-0a50746c7d86","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"reason":"Unauthorized"} {"level":"info","ts":"2026-06-12T20:49:20Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"bc7bda54-f28b-4ce2-a44a-0a50746c7d86","authorized":false,"response":"PERMISSION_DENIED","object":{"code":7,"status":403,"message":"Unauthorized"}} {"level":"debug","ts":"2026-06-12T20:49:20Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"bc7bda54-f28b-4ce2-a44a-0a50746c7d86","authorized":false,"response":"PERMISSION_DENIED","object":{"code":7,"status":403,"message":"Unauthorized","headers":[{"x-ext-auth-reason":""},{"content-type":"text/plain"}]}} {"level":"info","ts":"2026-06-12T20:49:20Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"e7774913-5304-4122-ad0f-4d64e632945a","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.12:57468","PortSpecifier":{"PortValue":57468}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.27:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"e7774913-5304-4122-ad0f-4d64e632945a","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.c716503f-1e80-42d2-bcb7-d9acd9a18a02.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-12T20:49:20Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"e7774913-5304-4122-ad0f-4d64e632945a","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.12:57468","PortSpecifier":{"PortValue":57468}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.27:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781297360,"nanos":394596493},"http":{"id":"e7774913-5304-4122-ad0f-4d64e632945a","method":"POST","headers":{":authority":"maas.apps.c716503f-1e80-42d2-bcb7-d9acd9a18a02.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-12T20:49:20Z","logger":"authorino.service.auth.authpipeline.identity","msg":"cannot validate identity","request id":"e7774913-5304-4122-ad0f-4d64e632945a","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"reason":"failed to verify signature: failed to verify id token signature"} {"level":"debug","ts":"2026-06-12T20:49:20Z","logger":"authorino.service.auth.authpipeline.identity.kubernetesauth","msg":"calling kubernetes token review api","request id":"e7774913-5304-4122-ad0f-4d64e632945a","tokenreview":{"name":""}} {"level":"debug","ts":"2026-06-12T20:49:20Z","logger":"authorino.service.auth.authpipeline.identity","msg":"cannot validate identity","request id":"e7774913-5304-4122-ad0f-4d64e632945a","config":{"Name":"openshift-identities","Priority":2,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":null,"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"Plain":null,"Noop":null,"ExtendedProperties":[]},"reason":"not authenticated"} {"level":"info","ts":"2026-06-12T20:49:20Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"e7774913-5304-4122-ad0f-4d64e632945a","authorized":false,"response":"UNAUTHENTICATED","object":{"code":16,"status":401,"message":"Authentication required"}} {"level":"debug","ts":"2026-06-12T20:49:20Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"e7774913-5304-4122-ad0f-4d64e632945a","authorized":false,"response":"UNAUTHENTICATED","object":{"code":16,"status":401,"message":"Authentication required","headers":[{"WWW-Authenticate":"request.headers.authorization realm=\"api-keys\""},{"WWW-Authenticate":"Bearer **** realm=\"openshift-identities\""}]}} {"level":"info","ts":"2026-06-12T20:49:20Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"78421d13-4241-4bbe-8298-afb87eb459bb","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.12:57484","PortSpecifier":{"PortValue":57484}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.27:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"78421d13-4241-4bbe-8298-afb87eb459bb","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.c716503f-1e80-42d2-bcb7-d9acd9a18a02.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-12T20:49:20Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"78421d13-4241-4bbe-8298-afb87eb459bb","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.12:57484","PortSpecifier":{"PortValue":57484}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.27:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781297360,"nanos":667530079},"http":{"id":"78421d13-4241-4bbe-8298-afb87eb459bb","method":"POST","headers":{":authority":"maas.apps.c716503f-1e80-42d2-bcb7-d9acd9a18a02.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-12T20:49:20Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"78421d13-4241-4bbe-8298-afb87eb459bb","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781297660,"groups":["Engineering","Project-Alpha"],"iat":1781297360,"iss":"https://keycloak.apps.c716503f-1e80-42d2-bcb7-d9acd9a18a02.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:555b4aba-ac00-407f-3acc-3f91b95560c2","preferred_username":"alice_lead","scope":"profile email","sid":"FFrzniSUYw6R6gjIrk-3GAz_","sub":"2dfa9a1f-7657-49a4-93ee-21e12e1697cd","typ":"Bearer"}} {"level":"debug","ts":"2026-06-12T20:49:20Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"78421d13-4241-4bbe-8298-afb87eb459bb","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781297660,"groups":["Engineering","Project-Alpha"],"iat":1781297360,"iss":"https://keycloak.apps.c716503f-1e80-42d2-bcb7-d9acd9a18a02.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:555b4aba-ac00-407f-3acc-3f91b95560c2","preferred_username":"alice_lead","scope":"profile email","sid":"FFrzniSUYw6R6gjIrk-3GAz_","sub":"2dfa9a1f-7657-49a4-93ee-21e12e1697cd","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.133.0.27:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.c716503f-1e80-42d2-bcb7-d9acd9a18a02.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-12T20:49:20Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"78421d13-4241-4bbe-8298-afb87eb459bb","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T20:49:20Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"78421d13-4241-4bbe-8298-afb87eb459bb","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T20:49:20Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"78421d13-4241-4bbe-8298-afb87eb459bb","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T20:49:20Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"78421d13-4241-4bbe-8298-afb87eb459bb","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"groups","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"userid","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"keyId","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error_message","Value":{}}]},"Plain":null},"reason":"no such key: metadata"} {"level":"debug","ts":"2026-06-12T20:49:20Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"78421d13-4241-4bbe-8298-afb87eb459bb","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"} {"level":"debug","ts":"2026-06-12T20:49:20Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"78421d13-4241-4bbe-8298-afb87eb459bb","config":{"Name":"X-MaaS-Tenant-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Tenant","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"opendatahub"} {"level":"debug","ts":"2026-06-12T20:49:20Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"78421d13-4241-4bbe-8298-afb87eb459bb","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"} {"level":"info","ts":"2026-06-12T20:49:20Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"78421d13-4241-4bbe-8298-afb87eb459bb","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-12T20:49:20Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"78421d13-4241-4bbe-8298-afb87eb459bb","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-12T20:49:20Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"fd745e22-4fc6-4473-af54-283c10bf9310","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.12:57494","PortSpecifier":{"PortValue":57494}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.27:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"fd745e22-4fc6-4473-af54-283c10bf9310","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.c716503f-1e80-42d2-bcb7-d9acd9a18a02.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-12T20:49:20Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"fd745e22-4fc6-4473-af54-283c10bf9310","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.12:57494","PortSpecifier":{"PortValue":57494}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.27:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781297360,"nanos":700290112},"http":{"id":"fd745e22-4fc6-4473-af54-283c10bf9310","method":"POST","headers":{":authority":"maas.apps.c716503f-1e80-42d2-bcb7-d9acd9a18a02.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-12T20:49:20Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"fd745e22-4fc6-4473-af54-283c10bf9310","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781297660,"groups":["Site-Reliability"],"iat":1781297360,"iss":"https://keycloak.apps.c716503f-1e80-42d2-bcb7-d9acd9a18a02.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:f1c0c3b2-7df5-51c4-ab21-d29792cd2c44","preferred_username":"bob_sre","scope":"profile email","sid":"8O4aAHXzVT5SrvWix9mOq3C7","sub":"1b7ea831-6212-4bbe-a5f5-b75ad022cf49","typ":"Bearer"}} {"level":"debug","ts":"2026-06-12T20:49:20Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"fd745e22-4fc6-4473-af54-283c10bf9310","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781297660,"groups":["Site-Reliability"],"iat":1781297360,"iss":"https://keycloak.apps.c716503f-1e80-42d2-bcb7-d9acd9a18a02.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:f1c0c3b2-7df5-51c4-ab21-d29792cd2c44","preferred_username":"bob_sre","scope":"profile email","sid":"8O4aAHXzVT5SrvWix9mOq3C7","sub":"1b7ea831-6212-4bbe-a5f5-b75ad022cf49","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.133.0.27:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.c716503f-1e80-42d2-bcb7-d9acd9a18a02.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-12T20:49:20Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"fd745e22-4fc6-4473-af54-283c10bf9310","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T20:49:20Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"fd745e22-4fc6-4473-af54-283c10bf9310","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T20:49:20Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"fd745e22-4fc6-4473-af54-283c10bf9310","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T20:49:20Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"fd745e22-4fc6-4473-af54-283c10bf9310","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"groups","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"userid","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"keyId","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error_message","Value":{}}]},"Plain":null},"reason":"no such key: metadata"} {"level":"debug","ts":"2026-06-12T20:49:20Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"fd745e22-4fc6-4473-af54-283c10bf9310","config":{"Name":"X-MaaS-Tenant-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Tenant","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"opendatahub"} {"level":"debug","ts":"2026-06-12T20:49:20Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"fd745e22-4fc6-4473-af54-283c10bf9310","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"bob_sre"} {"level":"debug","ts":"2026-06-12T20:49:20Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"fd745e22-4fc6-4473-af54-283c10bf9310","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Site-Reliability\"]"} {"level":"info","ts":"2026-06-12T20:49:20Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"fd745e22-4fc6-4473-af54-283c10bf9310","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-12T20:49:20Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"fd745e22-4fc6-4473-af54-283c10bf9310","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-12T20:49:20Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"2b8eaec0-ee60-4895-9d40-a7a7cc3291ac","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.12:57496","PortSpecifier":{"PortValue":57496}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.27:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"2b8eaec0-ee60-4895-9d40-a7a7cc3291ac","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.c716503f-1e80-42d2-bcb7-d9acd9a18a02.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-12T20:49:20Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"2b8eaec0-ee60-4895-9d40-a7a7cc3291ac","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.12:57496","PortSpecifier":{"PortValue":57496}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.27:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781297360,"nanos":852422655},"http":{"id":"2b8eaec0-ee60-4895-9d40-a7a7cc3291ac","method":"POST","headers":{":authority":"maas.apps.c716503f-1e80-42d2-bcb7-d9acd9a18a02.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-12T20:49:20Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"2b8eaec0-ee60-4895-9d40-a7a7cc3291ac","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781297660,"groups":["Engineering","Project-Alpha"],"iat":1781297360,"iss":"https://keycloak.apps.c716503f-1e80-42d2-bcb7-d9acd9a18a02.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:6d6c7428-5742-9f71-5c3e-4c48ee961e24","preferred_username":"alice_lead","scope":"profile email","sid":"drjJhkdTtekuwT0ZsFhQj5vk","sub":"2dfa9a1f-7657-49a4-93ee-21e12e1697cd","typ":"Bearer"}} {"level":"debug","ts":"2026-06-12T20:49:20Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"2b8eaec0-ee60-4895-9d40-a7a7cc3291ac","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781297660,"groups":["Engineering","Project-Alpha"],"iat":1781297360,"iss":"https://keycloak.apps.c716503f-1e80-42d2-bcb7-d9acd9a18a02.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:6d6c7428-5742-9f71-5c3e-4c48ee961e24","preferred_username":"alice_lead","scope":"profile email","sid":"drjJhkdTtekuwT0ZsFhQj5vk","sub":"2dfa9a1f-7657-49a4-93ee-21e12e1697cd","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.133.0.27:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.c716503f-1e80-42d2-bcb7-d9acd9a18a02.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-12T20:49:20Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"2b8eaec0-ee60-4895-9d40-a7a7cc3291ac","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T20:49:20Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"2b8eaec0-ee60-4895-9d40-a7a7cc3291ac","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T20:49:20Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"2b8eaec0-ee60-4895-9d40-a7a7cc3291ac","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T20:49:20Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"2b8eaec0-ee60-4895-9d40-a7a7cc3291ac","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"groups","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"userid","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"keyId","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error_message","Value":{}}]},"Plain":null},"reason":"no such key: metadata"} {"level":"debug","ts":"2026-06-12T20:49:20Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"2b8eaec0-ee60-4895-9d40-a7a7cc3291ac","config":{"Name":"X-MaaS-Tenant-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Tenant","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"opendatahub"} {"level":"debug","ts":"2026-06-12T20:49:20Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"2b8eaec0-ee60-4895-9d40-a7a7cc3291ac","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"} {"level":"debug","ts":"2026-06-12T20:49:20Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"2b8eaec0-ee60-4895-9d40-a7a7cc3291ac","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"} {"level":"info","ts":"2026-06-12T20:49:20Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"2b8eaec0-ee60-4895-9d40-a7a7cc3291ac","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-12T20:49:20Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"2b8eaec0-ee60-4895-9d40-a7a7cc3291ac","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-12T20:49:20Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"e67d92b7-d08e-4efa-9caa-21f1f2f23782","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.12:57510","PortSpecifier":{"PortValue":57510}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.27:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"e67d92b7-d08e-4efa-9caa-21f1f2f23782","method":"DELETE","path":"/maas-api/v1/api-keys/305f3f2f-bf22-4a69-9e55-ae2f3e48af41","host":"maas.apps.c716503f-1e80-42d2-bcb7-d9acd9a18a02.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-12T20:49:20Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"e67d92b7-d08e-4efa-9caa-21f1f2f23782","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.12:57510","PortSpecifier":{"PortValue":57510}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.27:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781297360,"nanos":880346143},"http":{"id":"e67d92b7-d08e-4efa-9caa-21f1f2f23782","method":"DELETE","headers":{":authority":"maas.apps.c716503f-1e80-42d2-bcb7-d9acd9a18a02.prod.konfluxeaas.com",":method":"DELETE",":path":"/maas-api/v1/api-keys/305f3f2f-bf22-4a69-9e55-ae2f3e48af41",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-12T20:49:20Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"e67d92b7-d08e-4efa-9caa-21f1f2f23782","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781297660,"groups":["Engineering","Project-Alpha"],"iat":1781297360,"iss":"https://keycloak.apps.c716503f-1e80-42d2-bcb7-d9acd9a18a02.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:6d6c7428-5742-9f71-5c3e-4c48ee961e24","preferred_username":"alice_lead","scope":"profile email","sid":"drjJhkdTtekuwT0ZsFhQj5vk","sub":"2dfa9a1f-7657-49a4-93ee-21e12e1697cd","typ":"Bearer"}} {"level":"debug","ts":"2026-06-12T20:49:20Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"e67d92b7-d08e-4efa-9caa-21f1f2f23782","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781297660,"groups":["Engineering","Project-Alpha"],"iat":1781297360,"iss":"https://keycloak.apps.c716503f-1e80-42d2-bcb7-d9acd9a18a02.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:6d6c7428-5742-9f71-5c3e-4c48ee961e24","preferred_username":"alice_lead","scope":"profile email","sid":"drjJhkdTtekuwT0ZsFhQj5vk","sub":"2dfa9a1f-7657-49a4-93ee-21e12e1697cd","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.133.0.27:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.c716503f-1e80-42d2-bcb7-d9acd9a18a02.prod.konfluxeaas.com",":method":"DELETE",":path":"/maas-api/v1/api-keys/305f3f2f-bf22-4a69-9e55-ae2f3e48af41",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-12T20:49:20Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"e67d92b7-d08e-4efa-9caa-21f1f2f23782","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T20:49:20Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"e67d92b7-d08e-4efa-9caa-21f1f2f23782","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T20:49:20Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"e67d92b7-d08e-4efa-9caa-21f1f2f23782","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T20:49:20Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"e67d92b7-d08e-4efa-9caa-21f1f2f23782","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"groups","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"userid","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"keyId","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error_message","Value":{}}]},"Plain":null},"reason":"no such key: metadata"} {"level":"debug","ts":"2026-06-12T20:49:20Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"e67d92b7-d08e-4efa-9caa-21f1f2f23782","config":{"Name":"X-MaaS-Tenant-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Tenant","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"opendatahub"} {"level":"debug","ts":"2026-06-12T20:49:20Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"e67d92b7-d08e-4efa-9caa-21f1f2f23782","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"} {"level":"debug","ts":"2026-06-12T20:49:20Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"e67d92b7-d08e-4efa-9caa-21f1f2f23782","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"} {"level":"info","ts":"2026-06-12T20:49:20Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"e67d92b7-d08e-4efa-9caa-21f1f2f23782","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-12T20:49:20Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"e67d92b7-d08e-4efa-9caa-21f1f2f23782","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-12T20:49:20Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"7cc7313b-d698-45ea-a411-2eefa4180f58","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.12:57512","PortSpecifier":{"PortValue":57512}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.27:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"7cc7313b-d698-45ea-a411-2eefa4180f58","method":"DELETE","path":"/maas-api/v1/api-keys/305f3f2f-bf22-4a69-9e55-ae2f3e48af41","host":"maas.apps.c716503f-1e80-42d2-bcb7-d9acd9a18a02.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-12T20:49:20Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"7cc7313b-d698-45ea-a411-2eefa4180f58","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.12:57512","PortSpecifier":{"PortValue":57512}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.27:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781297360,"nanos":908980552},"http":{"id":"7cc7313b-d698-45ea-a411-2eefa4180f58","method":"DELETE","headers":{":authority":"maas.apps.c716503f-1e80-42d2-bcb7-d9acd9a18a02.prod.konfluxeaas.com",":method":"DELETE",":path":"/maas-api/v1/api-keys/305f3f2f-bf22-4a69-9e55-ae2f3e48af41",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-12T20:49:20Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"7cc7313b-d698-45ea-a411-2eefa4180f58","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781297660,"groups":["Engineering","Project-Alpha"],"iat":1781297360,"iss":"https://keycloak.apps.c716503f-1e80-42d2-bcb7-d9acd9a18a02.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:6d6c7428-5742-9f71-5c3e-4c48ee961e24","preferred_username":"alice_lead","scope":"profile email","sid":"drjJhkdTtekuwT0ZsFhQj5vk","sub":"2dfa9a1f-7657-49a4-93ee-21e12e1697cd","typ":"Bearer"}} {"level":"debug","ts":"2026-06-12T20:49:20Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"7cc7313b-d698-45ea-a411-2eefa4180f58","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781297660,"groups":["Engineering","Project-Alpha"],"iat":1781297360,"iss":"https://keycloak.apps.c716503f-1e80-42d2-bcb7-d9acd9a18a02.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:6d6c7428-5742-9f71-5c3e-4c48ee961e24","preferred_username":"alice_lead","scope":"profile email","sid":"drjJhkdTtekuwT0ZsFhQj5vk","sub":"2dfa9a1f-7657-49a4-93ee-21e12e1697cd","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.133.0.27:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.c716503f-1e80-42d2-bcb7-d9acd9a18a02.prod.konfluxeaas.com",":method":"DELETE",":path":"/maas-api/v1/api-keys/305f3f2f-bf22-4a69-9e55-ae2f3e48af41",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-12T20:49:20Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"7cc7313b-d698-45ea-a411-2eefa4180f58","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T20:49:20Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"7cc7313b-d698-45ea-a411-2eefa4180f58","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T20:49:20Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"7cc7313b-d698-45ea-a411-2eefa4180f58","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T20:49:20Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"7cc7313b-d698-45ea-a411-2eefa4180f58","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"groups","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"userid","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"keyId","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error_message","Value":{}}]},"Plain":null},"reason":"no such key: metadata"} {"level":"debug","ts":"2026-06-12T20:49:20Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"7cc7313b-d698-45ea-a411-2eefa4180f58","config":{"Name":"X-MaaS-Tenant-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Tenant","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"opendatahub"} {"level":"debug","ts":"2026-06-12T20:49:20Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"7cc7313b-d698-45ea-a411-2eefa4180f58","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"} {"level":"debug","ts":"2026-06-12T20:49:20Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"7cc7313b-d698-45ea-a411-2eefa4180f58","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"} {"level":"info","ts":"2026-06-12T20:49:20Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"7cc7313b-d698-45ea-a411-2eefa4180f58","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-12T20:49:20Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"7cc7313b-d698-45ea-a411-2eefa4180f58","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-12T20:49:21Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"8556e37f-dddf-4a48-a35d-92a7f1c8897e","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.12:57528","PortSpecifier":{"PortValue":57528}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.27:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"8556e37f-dddf-4a48-a35d-92a7f1c8897e","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.c716503f-1e80-42d2-bcb7-d9acd9a18a02.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-12T20:49:21Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"8556e37f-dddf-4a48-a35d-92a7f1c8897e","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.12:57528","PortSpecifier":{"PortValue":57528}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.27:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781297361,"nanos":57914169},"http":{"id":"8556e37f-dddf-4a48-a35d-92a7f1c8897e","method":"POST","headers":{":authority":"maas.apps.c716503f-1e80-42d2-bcb7-d9acd9a18a02.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-12T20:49:21Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"8556e37f-dddf-4a48-a35d-92a7f1c8897e","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781297661,"groups":["Engineering","Project-Alpha"],"iat":1781297361,"iss":"https://keycloak.apps.c716503f-1e80-42d2-bcb7-d9acd9a18a02.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:5b77a688-a72f-b6e0-4ecd-96234a6cbc5d","preferred_username":"alice_lead","scope":"profile email","sid":"odVWZ5DghrtJWy_w-rOyyhju","sub":"2dfa9a1f-7657-49a4-93ee-21e12e1697cd","typ":"Bearer"}} {"level":"debug","ts":"2026-06-12T20:49:21Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"8556e37f-dddf-4a48-a35d-92a7f1c8897e","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781297661,"groups":["Engineering","Project-Alpha"],"iat":1781297361,"iss":"https://keycloak.apps.c716503f-1e80-42d2-bcb7-d9acd9a18a02.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:5b77a688-a72f-b6e0-4ecd-96234a6cbc5d","preferred_username":"alice_lead","scope":"profile email","sid":"odVWZ5DghrtJWy_w-rOyyhju","sub":"2dfa9a1f-7657-49a4-93ee-21e12e1697cd","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.133.0.27:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.c716503f-1e80-42d2-bcb7-d9acd9a18a02.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-12T20:49:21Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"8556e37f-dddf-4a48-a35d-92a7f1c8897e","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T20:49:21Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"8556e37f-dddf-4a48-a35d-92a7f1c8897e","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T20:49:21Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"8556e37f-dddf-4a48-a35d-92a7f1c8897e","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T20:49:21Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"8556e37f-dddf-4a48-a35d-92a7f1c8897e","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"groups","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"userid","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"keyId","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error_message","Value":{}}]},"Plain":null},"reason":"no such key: metadata"} {"level":"debug","ts":"2026-06-12T20:49:21Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"8556e37f-dddf-4a48-a35d-92a7f1c8897e","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"} {"level":"debug","ts":"2026-06-12T20:49:21Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"8556e37f-dddf-4a48-a35d-92a7f1c8897e","config":{"Name":"X-MaaS-Tenant-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Tenant","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"opendatahub"} {"level":"debug","ts":"2026-06-12T20:49:21Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"8556e37f-dddf-4a48-a35d-92a7f1c8897e","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"} {"level":"info","ts":"2026-06-12T20:49:21Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"8556e37f-dddf-4a48-a35d-92a7f1c8897e","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-12T20:49:21Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"8556e37f-dddf-4a48-a35d-92a7f1c8897e","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-12T20:49:21Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"b03a1655-053d-475c-a50e-19e6a49a6ce9","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.12:57534","PortSpecifier":{"PortValue":57534}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.27:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"b03a1655-053d-475c-a50e-19e6a49a6ce9","method":"GET","path":"/maas-api/v1/models","host":"maas.apps.c716503f-1e80-42d2-bcb7-d9acd9a18a02.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-12T20:49:21Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"b03a1655-053d-475c-a50e-19e6a49a6ce9","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.12:57534","PortSpecifier":{"PortValue":57534}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.27:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781297361,"nanos":86494823},"http":{"id":"b03a1655-053d-475c-a50e-19e6a49a6ce9","method":"GET","headers":{":authority":"maas.apps.c716503f-1e80-42d2-bcb7-d9acd9a18a02.prod.konfluxeaas.com",":method":"GET",":path":"/maas-api/v1/models",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-12T20:49:21Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"b03a1655-053d-475c-a50e-19e6a49a6ce9","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-xDvVLFQntR0WMuvY_m9M6InvnhFagXeNqHrnEmj0Rug3Py1fejbH4ruHhSmn"} {"level":"debug","ts":"2026-06-12T20:49:21Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"b03a1655-053d-475c-a50e-19e6a49a6ce9","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-xDvVLFQntR0WMuvY_m9M6InvnhFagXeNqHrnEmj0Rug3Py1fejbH4ruHhSmn\"}"} {"level":"debug","ts":"2026-06-12T20:49:21Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"b03a1655-053d-475c-a50e-19e6a49a6ce9","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-12T20:49:21Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"b03a1655-053d-475c-a50e-19e6a49a6ce9","input":{"auth":{"identity":"Bearer **** deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-12T20:49:21Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"b03a1655-053d-475c-a50e-19e6a49a6ce9","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T20:49:21Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"b03a1655-053d-475c-a50e-19e6a49a6ce9","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T20:49:21Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"b03a1655-053d-475c-a50e-19e6a49a6ce9","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T20:49:21Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"b03a1655-053d-475c-a50e-19e6a49a6ce9","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-12T20:49:21Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"b03a1655-053d-475c-a50e-19e6a49a6ce9","config":{"Name":"X-MaaS-Tenant","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-12T20:49:21Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"b03a1655-053d-475c-a50e-19e6a49a6ce9","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-12T20:49:21Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"b03a1655-053d-475c-a50e-19e6a49a6ce9","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"groups","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"userid","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"keyId","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error_message","Value":{}}]},"Plain":null},"reason":"no such key: subscription-info"} {"level":"debug","ts":"2026-06-12T20:49:21Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"b03a1655-053d-475c-a50e-19e6a49a6ce9","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"} {"level":"info","ts":"2026-06-12T20:49:21Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"b03a1655-053d-475c-a50e-19e6a49a6ce9","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-12T20:49:21Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"b03a1655-053d-475c-a50e-19e6a49a6ce9","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-12T20:49:21Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"0081923d-c77c-47c3-abaa-233404ac38b6","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.53:45956","PortSpecifier":{"PortValue":45956}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.27:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"0081923d-c77c-47c3-abaa-233404ac38b6","method":"GET","path":"/llm/facebook-opt-125m-simulated/v1/models","host":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local","scheme":"https"}}}} {"level":"debug","ts":"2026-06-12T20:49:21Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"0081923d-c77c-47c3-abaa-233404ac38b6","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.53:45956","PortSpecifier":{"PortValue":45956}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.27:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781297361,"nanos":93481877},"http":{"id":"0081923d-c77c-47c3-abaa-233404ac38b6","method":"GET","headers":{":authority":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local",":method":"GET",":path":"/llm/facebook-opt-125m-simulated/v1/models",":scheme":"https","accept-encoding":"gzip","authorization":"Bearer **** {"level":"debug","ts":"2026-06-12T20:49:21Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"0081923d-c77c-47c3-abaa-233404ac38b6","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-xDvVLFQntR0WMuvY_m9M6InvnhFagXeNqHrnEmj0Rug3Py1fejbH4ruHhSmn"} {"level":"debug","ts":"2026-06-12T20:49:21Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"0081923d-c77c-47c3-abaa-233404ac38b6","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-xDvVLFQntR0WMuvY_m9M6InvnhFagXeNqHrnEmj0Rug3Py1fejbH4ruHhSmn\"}"} {"level":"debug","ts":"2026-06-12T20:49:21Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"0081923d-c77c-47c3-abaa-233404ac38b6","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-12T20:49:21Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"0081923d-c77c-47c3-abaa-233404ac38b6","config":"subscription-info","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","headers":{"Content-Type":["application/json"]},"body":"{\"groups\":[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"],\"requestedModel\":\"llm/facebook-opt-125m-simulated\",\"requestedSubscription\":\"simulator-subscription\",\"username\":\"alice_lead\"}"} {"level":"debug","ts":"2026-06-12T20:49:21Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"0081923d-c77c-47c3-abaa-233404ac38b6","config":{"Name":"subscription-info","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"UserInfo":null,"UMA":null,"GenericHTTP":{"Endpoint":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","DynamicEndpoint":null,"Method":"POST","Body":{},"Parameters":[],"Headers":[],"ContentType":"application/json","SharedSecret":"","OAuth2":null,"OAuth2TokenForceFetch":false,"AuthCredentials":null}},"object":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}} {"level":"debug","ts":"2026-06-12T20:49:21Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"0081923d-c77c-47c3-abaa-233404ac38b6","input":{"auth":{"identity":"Bearer **** subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}}},"context":{"context_extensions":{"host":"3dd75e19cd66d310c30638e330078972afd6d2d96305f91055bc6a6f363fb8d3"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.133.0.27:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local",":method":"GET",":path":"/llm/facebook-opt-125m-simulated/v1/models",":scheme":"https","accept-encoding":"gzip","authorization":"Bearer **** sk-oai-xDvVLFQntR0WMuvY_m9M6InvnhFagXeNqHrnEmj0Rug3Py1fejbH4ruHhSmn","user-agent":"Go-http-client/1.1","x-envoy-decorator-operation":"facebook-opt-125m-simulated-kserve-workload-svc.llm.svc.cluster.local:8000/*","x-envoy-external-address":"10.132.0.53","x-envoy-peer-metadata":"ChoKCkNMVVNURVJfSUQSDBoKS3ViZXJuZXRlcwqLAQoGTEFCRUxTEoABKn4KSwofc2VydmljZS5pc3Rpby5pby9jYW5vbmljYWwtbmFtZRIoGiZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAovCiNzZXJ2aWNlLmlzdGlvLmlvL2Nhbm9uaWNhbC1yZXZpc2lvbhIIGgZsYXRlc3QKQAoETkFNRRI4GjZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdC02ODdmZjY5OTYtemtibnAKIAoJTkFNRVNQQUNFEhMaEW9wZW5zaGlmdC1pbmdyZXNzCnQKBU9XTkVSEmsaaWt1YmVybmV0ZXM6Ly9hcGlzL2FwcHMvdjEvbmFtZXNwYWNlcy9vcGVuc2hpZnQtaW5ncmVzcy9kZXBsb3ltZW50cy9tYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAo5Cg1XT1JLTE9BRF9OQU1FEigaJm1hYXMtZGVmYXVsdC1nYXRld2F5LW9wZW5zaGlmdC1kZWZhdWx0","x-envoy-peer-metadata-id":"router~10.133.0.27~maas-default-gateway-openshift-default-687ff6996-zkbnp.openshift-ingress~openshift-ingress.svc.cluster.local","x-forwarded-for":"10.132.0.53","x-forwarded-proto":"https","x-maas-subscription":"simulator-subscription","x-request-id":"0081923d-c77c-47c3-abaa-233404ac38b6"},"host":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local","id":"0081923d-c77c-47c3-abaa-233404ac38b6","method":"GET","path":"/llm/facebook-opt-125m-simulated/v1/models","protocol":"HTTP/1.1","scheme":"https","time":{"nanos":93481877,"seconds":1781297361},"url_path":"/llm/facebook-opt-125m-simulated/v1/models","user_agent":"Go-http-client/1.1"},"source":{"address":"10.132.0.53:45956","port":45956}}} {"level":"debug","ts":"2026-06-12T20:49:21Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"0081923d-c77c-47c3-abaa-233404ac38b6","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T20:49:21Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"0081923d-c77c-47c3-abaa-233404ac38b6","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T20:49:21Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"0081923d-c77c-47c3-abaa-233404ac38b6","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T20:49:21Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"0081923d-c77c-47c3-abaa-233404ac38b6","config":{"Name":"subscription-valid","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T20:49:21Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"0081923d-c77c-47c3-abaa-233404ac38b6","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-12T20:49:21Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"0081923d-c77c-47c3-abaa-233404ac38b6","config":{"Name":"X-MaaS-Tenant","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-12T20:49:21Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"0081923d-c77c-47c3-abaa-233404ac38b6","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-12T20:49:21Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"0081923d-c77c-47c3-abaa-233404ac38b6","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"} {"level":"debug","ts":"2026-06-12T20:49:21Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"0081923d-c77c-47c3-abaa-233404ac38b6","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"subscription_info","Value":{}},{"Name":"keyId","Value":{}},{"Name":"userid","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"groups","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_error_message","Value":{}}]},"Plain":null},"object":{"groups":["system:authenticated","Engineering","Project-Alpha"],"groups_str":"system:authenticated,Engineering,Project-Alpha","keyId":"3d5a79e0-5036-48e0-8042-ce391f91c87f","selected_subscription":"simulator-subscription","selected_subscription_key":"models-as-a-service/simulator-subscription@llm/facebook-opt-125m-simulated","subscription_error":"","subscription_error_message":"","subscription_info":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true},"userid":"alice_lead"}} {"level":"info","ts":"2026-06-12T20:49:21Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"0081923d-c77c-47c3-abaa-233404ac38b6","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-12T20:49:21Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"0081923d-c77c-47c3-abaa-233404ac38b6","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-12T20:49:21Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"04f976c8-1ca7-4e89-a50d-35c448b171e8","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.12:57548","PortSpecifier":{"PortValue":57548}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.27:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"04f976c8-1ca7-4e89-a50d-35c448b171e8","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.c716503f-1e80-42d2-bcb7-d9acd9a18a02.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-12T20:49:21Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"04f976c8-1ca7-4e89-a50d-35c448b171e8","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.12:57548","PortSpecifier":{"PortValue":57548}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.27:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781297361,"nanos":248096776},"http":{"id":"04f976c8-1ca7-4e89-a50d-35c448b171e8","method":"POST","headers":{":authority":"maas.apps.c716503f-1e80-42d2-bcb7-d9acd9a18a02.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-12T20:49:21Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"04f976c8-1ca7-4e89-a50d-35c448b171e8","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781297661,"groups":["Engineering","Project-Alpha"],"iat":1781297361,"iss":"https://keycloak.apps.c716503f-1e80-42d2-bcb7-d9acd9a18a02.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:e70a8162-e41c-5b9c-f0e4-57defae56377","preferred_username":"alice_lead","scope":"profile email","sid":"Y4r-9zfHEaiX57gbaulzjYdL","sub":"2dfa9a1f-7657-49a4-93ee-21e12e1697cd","typ":"Bearer"}} {"level":"debug","ts":"2026-06-12T20:49:21Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"04f976c8-1ca7-4e89-a50d-35c448b171e8","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781297661,"groups":["Engineering","Project-Alpha"],"iat":1781297361,"iss":"https://keycloak.apps.c716503f-1e80-42d2-bcb7-d9acd9a18a02.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:e70a8162-e41c-5b9c-f0e4-57defae56377","preferred_username":"alice_lead","scope":"profile email","sid":"Y4r-9zfHEaiX57gbaulzjYdL","sub":"2dfa9a1f-7657-49a4-93ee-21e12e1697cd","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.133.0.27:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.c716503f-1e80-42d2-bcb7-d9acd9a18a02.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-12T20:49:21Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"04f976c8-1ca7-4e89-a50d-35c448b171e8","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T20:49:21Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"04f976c8-1ca7-4e89-a50d-35c448b171e8","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T20:49:21Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"04f976c8-1ca7-4e89-a50d-35c448b171e8","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T20:49:21Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"04f976c8-1ca7-4e89-a50d-35c448b171e8","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"groups","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"userid","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"keyId","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error_message","Value":{}}]},"Plain":null},"reason":"no such key: metadata"} {"level":"debug","ts":"2026-06-12T20:49:21Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"04f976c8-1ca7-4e89-a50d-35c448b171e8","config":{"Name":"X-MaaS-Tenant-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Tenant","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"opendatahub"} {"level":"debug","ts":"2026-06-12T20:49:21Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"04f976c8-1ca7-4e89-a50d-35c448b171e8","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"} {"level":"debug","ts":"2026-06-12T20:49:21Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"04f976c8-1ca7-4e89-a50d-35c448b171e8","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"} {"level":"info","ts":"2026-06-12T20:49:21Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"04f976c8-1ca7-4e89-a50d-35c448b171e8","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-12T20:49:21Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"04f976c8-1ca7-4e89-a50d-35c448b171e8","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-12T20:49:21Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"64b4f325-24c1-40c3-83d5-34a7be1f4bba","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.12:57552","PortSpecifier":{"PortValue":57552}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.27:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"64b4f325-24c1-40c3-83d5-34a7be1f4bba","method":"GET","path":"/maas-api/v1/models","host":"maas.apps.c716503f-1e80-42d2-bcb7-d9acd9a18a02.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-12T20:49:21Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"64b4f325-24c1-40c3-83d5-34a7be1f4bba","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.12:57552","PortSpecifier":{"PortValue":57552}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.27:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781297361,"nanos":277238439},"http":{"id":"64b4f325-24c1-40c3-83d5-34a7be1f4bba","method":"GET","headers":{":authority":"maas.apps.c716503f-1e80-42d2-bcb7-d9acd9a18a02.prod.konfluxeaas.com",":method":"GET",":path":"/maas-api/v1/models",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-12T20:49:21Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"64b4f325-24c1-40c3-83d5-34a7be1f4bba","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-18rUsCNFO5o9PWsO3_NYKtGB1QN2UIsK7R73Exum7EWsZPbAfpPC6txgCXBFX"} {"level":"debug","ts":"2026-06-12T20:49:21Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"64b4f325-24c1-40c3-83d5-34a7be1f4bba","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-18rUsCNFO5o9PWsO3_NYKtGB1QN2UIsK7R73Exum7EWsZPbAfpPC6txgCXBFX\"}"} {"level":"debug","ts":"2026-06-12T20:49:21Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"64b4f325-24c1-40c3-83d5-34a7be1f4bba","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-12T20:49:21Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"64b4f325-24c1-40c3-83d5-34a7be1f4bba","input":{"auth":{"identity":"Bearer **** deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-12T20:49:21Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"64b4f325-24c1-40c3-83d5-34a7be1f4bba","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T20:49:21Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"64b4f325-24c1-40c3-83d5-34a7be1f4bba","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T20:49:21Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"64b4f325-24c1-40c3-83d5-34a7be1f4bba","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T20:49:21Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"64b4f325-24c1-40c3-83d5-34a7be1f4bba","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-12T20:49:21Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"64b4f325-24c1-40c3-83d5-34a7be1f4bba","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-12T20:49:21Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"64b4f325-24c1-40c3-83d5-34a7be1f4bba","config":{"Name":"X-MaaS-Tenant","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-12T20:49:21Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"64b4f325-24c1-40c3-83d5-34a7be1f4bba","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"groups","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"userid","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"keyId","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error_message","Value":{}}]},"Plain":null},"reason":"no such key: subscription-info"} {"level":"debug","ts":"2026-06-12T20:49:21Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"64b4f325-24c1-40c3-83d5-34a7be1f4bba","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"} {"level":"info","ts":"2026-06-12T20:49:21Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"64b4f325-24c1-40c3-83d5-34a7be1f4bba","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-12T20:49:21Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"64b4f325-24c1-40c3-83d5-34a7be1f4bba","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-12T20:49:21Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"67ce0498-0f3a-4174-8056-8784c4335271","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.12:57556","PortSpecifier":{"PortValue":57556}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.27:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"67ce0498-0f3a-4174-8056-8784c4335271","method":"GET","path":"/maas-api/v1/models","host":"maas.apps.c716503f-1e80-42d2-bcb7-d9acd9a18a02.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-12T20:49:21Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"67ce0498-0f3a-4174-8056-8784c4335271","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.12:57556","PortSpecifier":{"PortValue":57556}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.27:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781297361,"nanos":303161030},"http":{"id":"67ce0498-0f3a-4174-8056-8784c4335271","method":"GET","headers":{":authority":"maas.apps.c716503f-1e80-42d2-bcb7-d9acd9a18a02.prod.konfluxeaas.com",":method":"GET",":path":"/maas-api/v1/models",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-12T20:49:21Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"67ce0498-0f3a-4174-8056-8784c4335271","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-18rUsCNFO5o9PWsO3_NYKtGB1QN2UIsK7R73Exum7EWsZPbAfpPC6txgCXBFX"} {"level":"debug","ts":"2026-06-12T20:49:21Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"67ce0498-0f3a-4174-8056-8784c4335271","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-18rUsCNFO5o9PWsO3_NYKtGB1QN2UIsK7R73Exum7EWsZPbAfpPC6txgCXBFX\"}"} {"level":"debug","ts":"2026-06-12T20:49:21Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"67ce0498-0f3a-4174-8056-8784c4335271","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-12T20:49:21Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"67ce0498-0f3a-4174-8056-8784c4335271","input":{"auth":{"identity":"Bearer **** deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-12T20:49:21Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"67ce0498-0f3a-4174-8056-8784c4335271","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T20:49:21Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"67ce0498-0f3a-4174-8056-8784c4335271","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T20:49:21Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"67ce0498-0f3a-4174-8056-8784c4335271","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T20:49:21Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"67ce0498-0f3a-4174-8056-8784c4335271","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-12T20:49:21Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"67ce0498-0f3a-4174-8056-8784c4335271","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-12T20:49:21Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"67ce0498-0f3a-4174-8056-8784c4335271","config":{"Name":"X-MaaS-Tenant","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-12T20:49:21Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"67ce0498-0f3a-4174-8056-8784c4335271","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"groups","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"userid","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"keyId","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error_message","Value":{}}]},"Plain":null},"reason":"no such key: subscription-info"} {"level":"debug","ts":"2026-06-12T20:49:21Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"67ce0498-0f3a-4174-8056-8784c4335271","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"} {"level":"info","ts":"2026-06-12T20:49:21Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"67ce0498-0f3a-4174-8056-8784c4335271","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-12T20:49:21Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"67ce0498-0f3a-4174-8056-8784c4335271","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-12T20:49:21Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"099f75e4-da32-43b1-a7a2-f94b1f9048f1","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.53:45956","PortSpecifier":{"PortValue":45956}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.27:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"099f75e4-da32-43b1-a7a2-f94b1f9048f1","method":"GET","path":"/llm/facebook-opt-125m-simulated/v1/models","host":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local","scheme":"https"}}}} {"level":"debug","ts":"2026-06-12T20:49:21Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"099f75e4-da32-43b1-a7a2-f94b1f9048f1","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.53:45956","PortSpecifier":{"PortValue":45956}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.27:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781297361,"nanos":310163205},"http":{"id":"099f75e4-da32-43b1-a7a2-f94b1f9048f1","method":"GET","headers":{":authority":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local",":method":"GET",":path":"/llm/facebook-opt-125m-simulated/v1/models",":scheme":"https","accept-encoding":"gzip","authorization":"Bearer **** {"level":"debug","ts":"2026-06-12T20:49:21Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"099f75e4-da32-43b1-a7a2-f94b1f9048f1","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-18rUsCNFO5o9PWsO3_NYKtGB1QN2UIsK7R73Exum7EWsZPbAfpPC6txgCXBFX"} {"level":"debug","ts":"2026-06-12T20:49:21Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"099f75e4-da32-43b1-a7a2-f94b1f9048f1","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-18rUsCNFO5o9PWsO3_NYKtGB1QN2UIsK7R73Exum7EWsZPbAfpPC6txgCXBFX\"}"} {"level":"debug","ts":"2026-06-12T20:49:21Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"099f75e4-da32-43b1-a7a2-f94b1f9048f1","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-12T20:49:21Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"099f75e4-da32-43b1-a7a2-f94b1f9048f1","config":"subscription-info","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","headers":{"Content-Type":["application/json"]},"body":"{\"groups\":[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"],\"requestedModel\":\"llm/facebook-opt-125m-simulated\",\"requestedSubscription\":\"simulator-subscription\",\"username\":\"alice_lead\"}"} {"level":"debug","ts":"2026-06-12T20:49:21Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"099f75e4-da32-43b1-a7a2-f94b1f9048f1","config":{"Name":"subscription-info","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"UserInfo":null,"UMA":null,"GenericHTTP":{"Endpoint":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","DynamicEndpoint":null,"Method":"POST","Body":{},"Parameters":[],"Headers":[],"ContentType":"application/json","SharedSecret":"","OAuth2":null,"OAuth2TokenForceFetch":false,"AuthCredentials":null}},"object":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}} {"level":"debug","ts":"2026-06-12T20:49:21Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"099f75e4-da32-43b1-a7a2-f94b1f9048f1","input":{"auth":{"identity":"Bearer **** subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}}},"context":{"context_extensions":{"host":"3dd75e19cd66d310c30638e330078972afd6d2d96305f91055bc6a6f363fb8d3"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.133.0.27:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local",":method":"GET",":path":"/llm/facebook-opt-125m-simulated/v1/models",":scheme":"https","accept-encoding":"gzip","authorization":"Bearer **** sk-oai-18rUsCNFO5o9PWsO3_NYKtGB1QN2UIsK7R73Exum7EWsZPbAfpPC6txgCXBFX","user-agent":"Go-http-client/1.1","x-envoy-decorator-operation":"facebook-opt-125m-simulated-kserve-workload-svc.llm.svc.cluster.local:8000/*","x-envoy-external-address":"10.132.0.53","x-envoy-peer-metadata":"ChoKCkNMVVNURVJfSUQSDBoKS3ViZXJuZXRlcwqLAQoGTEFCRUxTEoABKn4KSwofc2VydmljZS5pc3Rpby5pby9jYW5vbmljYWwtbmFtZRIoGiZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAovCiNzZXJ2aWNlLmlzdGlvLmlvL2Nhbm9uaWNhbC1yZXZpc2lvbhIIGgZsYXRlc3QKQAoETkFNRRI4GjZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdC02ODdmZjY5OTYtemtibnAKIAoJTkFNRVNQQUNFEhMaEW9wZW5zaGlmdC1pbmdyZXNzCnQKBU9XTkVSEmsaaWt1YmVybmV0ZXM6Ly9hcGlzL2FwcHMvdjEvbmFtZXNwYWNlcy9vcGVuc2hpZnQtaW5ncmVzcy9kZXBsb3ltZW50cy9tYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAo5Cg1XT1JLTE9BRF9OQU1FEigaJm1hYXMtZGVmYXVsdC1nYXRld2F5LW9wZW5zaGlmdC1kZWZhdWx0","x-envoy-peer-metadata-id":"router~10.133.0.27~maas-default-gateway-openshift-default-687ff6996-zkbnp.openshift-ingress~openshift-ingress.svc.cluster.local","x-forwarded-for":"10.132.0.53","x-forwarded-proto":"https","x-maas-subscription":"simulator-subscription","x-request-id":"099f75e4-da32-43b1-a7a2-f94b1f9048f1"},"host":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local","id":"099f75e4-da32-43b1-a7a2-f94b1f9048f1","method":"GET","path":"/llm/facebook-opt-125m-simulated/v1/models","protocol":"HTTP/1.1","scheme":"https","time":{"nanos":310163205,"seconds":1781297361},"url_path":"/llm/facebook-opt-125m-simulated/v1/models","user_agent":"Go-http-client/1.1"},"source":{"address":"10.132.0.53:45956","port":45956}}} {"level":"debug","ts":"2026-06-12T20:49:21Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"099f75e4-da32-43b1-a7a2-f94b1f9048f1","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T20:49:21Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"099f75e4-da32-43b1-a7a2-f94b1f9048f1","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T20:49:21Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"099f75e4-da32-43b1-a7a2-f94b1f9048f1","config":{"Name":"subscription-valid","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T20:49:21Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"099f75e4-da32-43b1-a7a2-f94b1f9048f1","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T20:49:21Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"099f75e4-da32-43b1-a7a2-f94b1f9048f1","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-12T20:49:21Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"099f75e4-da32-43b1-a7a2-f94b1f9048f1","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-12T20:49:21Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"099f75e4-da32-43b1-a7a2-f94b1f9048f1","config":{"Name":"X-MaaS-Tenant","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-12T20:49:21Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"099f75e4-da32-43b1-a7a2-f94b1f9048f1","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"} {"level":"debug","ts":"2026-06-12T20:49:21Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"099f75e4-da32-43b1-a7a2-f94b1f9048f1","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"subscription_info","Value":{}},{"Name":"keyId","Value":{}},{"Name":"userid","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"groups","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_error_message","Value":{}}]},"Plain":null},"object":{"groups":["system:authenticated","Engineering","Project-Alpha"],"groups_str":"system:authenticated,Engineering,Project-Alpha","keyId":"f87a42c0-4c0c-455d-9f8a-0e44520a3760","selected_subscription":"simulator-subscription","selected_subscription_key":"models-as-a-service/simulator-subscription@llm/facebook-opt-125m-simulated","subscription_error":"","subscription_error_message":"","subscription_info":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true},"userid":"alice_lead"}} {"level":"info","ts":"2026-06-12T20:49:21Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"099f75e4-da32-43b1-a7a2-f94b1f9048f1","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-12T20:49:21Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"099f75e4-da32-43b1-a7a2-f94b1f9048f1","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-12T20:49:21Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"7abf051b-721c-4287-9adf-4730128dc749","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.12:57568","PortSpecifier":{"PortValue":57568}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.27:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"7abf051b-721c-4287-9adf-4730128dc749","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.c716503f-1e80-42d2-bcb7-d9acd9a18a02.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-12T20:49:21Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"7abf051b-721c-4287-9adf-4730128dc749","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.12:57568","PortSpecifier":{"PortValue":57568}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.27:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781297361,"nanos":458472115},"http":{"id":"7abf051b-721c-4287-9adf-4730128dc749","method":"POST","headers":{":authority":"maas.apps.c716503f-1e80-42d2-bcb7-d9acd9a18a02.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-12T20:49:21Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"7abf051b-721c-4287-9adf-4730128dc749","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781297661,"groups":["Engineering","Project-Alpha"],"iat":1781297361,"iss":"https://keycloak.apps.c716503f-1e80-42d2-bcb7-d9acd9a18a02.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:97ce4546-4df5-e7a1-3f24-9f8c848a5a05","preferred_username":"alice_lead","scope":"profile email","sid":"Cjhi69ZsHIalmKeX-6x-Re9h","sub":"2dfa9a1f-7657-49a4-93ee-21e12e1697cd","typ":"Bearer"}} {"level":"debug","ts":"2026-06-12T20:49:21Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"7abf051b-721c-4287-9adf-4730128dc749","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781297661,"groups":["Engineering","Project-Alpha"],"iat":1781297361,"iss":"https://keycloak.apps.c716503f-1e80-42d2-bcb7-d9acd9a18a02.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:97ce4546-4df5-e7a1-3f24-9f8c848a5a05","preferred_username":"alice_lead","scope":"profile email","sid":"Cjhi69ZsHIalmKeX-6x-Re9h","sub":"2dfa9a1f-7657-49a4-93ee-21e12e1697cd","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.133.0.27:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.c716503f-1e80-42d2-bcb7-d9acd9a18a02.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-12T20:49:21Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"7abf051b-721c-4287-9adf-4730128dc749","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T20:49:21Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"7abf051b-721c-4287-9adf-4730128dc749","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T20:49:21Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"7abf051b-721c-4287-9adf-4730128dc749","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T20:49:21Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"7abf051b-721c-4287-9adf-4730128dc749","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"groups","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"userid","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"keyId","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error_message","Value":{}}]},"Plain":null},"reason":"no such key: metadata"} {"level":"debug","ts":"2026-06-12T20:49:21Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"7abf051b-721c-4287-9adf-4730128dc749","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"} {"level":"debug","ts":"2026-06-12T20:49:21Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"7abf051b-721c-4287-9adf-4730128dc749","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"} {"level":"debug","ts":"2026-06-12T20:49:21Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"7abf051b-721c-4287-9adf-4730128dc749","config":{"Name":"X-MaaS-Tenant-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Tenant","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"opendatahub"} {"level":"info","ts":"2026-06-12T20:49:21Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"7abf051b-721c-4287-9adf-4730128dc749","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-12T20:49:21Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"7abf051b-721c-4287-9adf-4730128dc749","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-12T20:49:21Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"b31fb483-6534-497b-9a12-6e56b2d359e4","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.12:57572","PortSpecifier":{"PortValue":57572}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.27:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"b31fb483-6534-497b-9a12-6e56b2d359e4","method":"GET","path":"/maas-api/v1/models","host":"maas.apps.c716503f-1e80-42d2-bcb7-d9acd9a18a02.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-12T20:49:21Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"b31fb483-6534-497b-9a12-6e56b2d359e4","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.12:57572","PortSpecifier":{"PortValue":57572}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.27:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781297361,"nanos":489268693},"http":{"id":"b31fb483-6534-497b-9a12-6e56b2d359e4","method":"GET","headers":{":authority":"maas.apps.c716503f-1e80-42d2-bcb7-d9acd9a18a02.prod.konfluxeaas.com",":method":"GET",":path":"/maas-api/v1/models",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-12T20:49:21Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"b31fb483-6534-497b-9a12-6e56b2d359e4","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-zssccsJlRNOYJ8M4_TwEUFbkWhIZldk7rWfi7WfmyKBOeb6RhKFPmsdwflcD"} {"level":"debug","ts":"2026-06-12T20:49:21Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"b31fb483-6534-497b-9a12-6e56b2d359e4","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-zssccsJlRNOYJ8M4_TwEUFbkWhIZldk7rWfi7WfmyKBOeb6RhKFPmsdwflcD\"}"} {"level":"debug","ts":"2026-06-12T20:49:21Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"b31fb483-6534-497b-9a12-6e56b2d359e4","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-12T20:49:21Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"b31fb483-6534-497b-9a12-6e56b2d359e4","input":{"auth":{"identity":"Bearer **** deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-12T20:49:21Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"b31fb483-6534-497b-9a12-6e56b2d359e4","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T20:49:21Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"b31fb483-6534-497b-9a12-6e56b2d359e4","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T20:49:21Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"b31fb483-6534-497b-9a12-6e56b2d359e4","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T20:49:21Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"b31fb483-6534-497b-9a12-6e56b2d359e4","config":{"Name":"X-MaaS-Tenant","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-12T20:49:21Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"b31fb483-6534-497b-9a12-6e56b2d359e4","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-12T20:49:21Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"b31fb483-6534-497b-9a12-6e56b2d359e4","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-12T20:49:21Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"b31fb483-6534-497b-9a12-6e56b2d359e4","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"groups","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"userid","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"keyId","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error_message","Value":{}}]},"Plain":null},"reason":"no such key: subscription-info"} {"level":"debug","ts":"2026-06-12T20:49:21Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"b31fb483-6534-497b-9a12-6e56b2d359e4","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"} {"level":"info","ts":"2026-06-12T20:49:21Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"b31fb483-6534-497b-9a12-6e56b2d359e4","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-12T20:49:21Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"b31fb483-6534-497b-9a12-6e56b2d359e4","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-12T20:49:21Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"f8d05cc6-8d84-4f0a-8535-d27afc7ab5be","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.53:45956","PortSpecifier":{"PortValue":45956}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.27:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"f8d05cc6-8d84-4f0a-8535-d27afc7ab5be","method":"GET","path":"/llm/facebook-opt-125m-simulated/v1/models","host":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local","scheme":"https"}}}} {"level":"debug","ts":"2026-06-12T20:49:21Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"f8d05cc6-8d84-4f0a-8535-d27afc7ab5be","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.53:45956","PortSpecifier":{"PortValue":45956}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.27:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781297361,"nanos":496273679},"http":{"id":"f8d05cc6-8d84-4f0a-8535-d27afc7ab5be","method":"GET","headers":{":authority":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local",":method":"GET",":path":"/llm/facebook-opt-125m-simulated/v1/models",":scheme":"https","accept-encoding":"gzip","authorization":"Bearer **** {"level":"debug","ts":"2026-06-12T20:49:21Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"f8d05cc6-8d84-4f0a-8535-d27afc7ab5be","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-zssccsJlRNOYJ8M4_TwEUFbkWhIZldk7rWfi7WfmyKBOeb6RhKFPmsdwflcD"} {"level":"debug","ts":"2026-06-12T20:49:21Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"f8d05cc6-8d84-4f0a-8535-d27afc7ab5be","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-zssccsJlRNOYJ8M4_TwEUFbkWhIZldk7rWfi7WfmyKBOeb6RhKFPmsdwflcD\"}"} {"level":"debug","ts":"2026-06-12T20:49:21Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"f8d05cc6-8d84-4f0a-8535-d27afc7ab5be","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-12T20:49:21Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"f8d05cc6-8d84-4f0a-8535-d27afc7ab5be","config":"subscription-info","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","headers":{"Content-Type":["application/json"]},"body":"{\"groups\":[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"],\"requestedModel\":\"llm/facebook-opt-125m-simulated\",\"requestedSubscription\":\"simulator-subscription\",\"username\":\"alice_lead\"}"} {"level":"debug","ts":"2026-06-12T20:49:21Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"f8d05cc6-8d84-4f0a-8535-d27afc7ab5be","config":{"Name":"subscription-info","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"UserInfo":null,"UMA":null,"GenericHTTP":{"Endpoint":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","DynamicEndpoint":null,"Method":"POST","Body":{},"Parameters":[],"Headers":[],"ContentType":"application/json","SharedSecret":"","OAuth2":null,"OAuth2TokenForceFetch":false,"AuthCredentials":null}},"object":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}} {"level":"debug","ts":"2026-06-12T20:49:21Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"f8d05cc6-8d84-4f0a-8535-d27afc7ab5be","input":{"auth":{"identity":"Bearer **** subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}}},"context":{"context_extensions":{"host":"3dd75e19cd66d310c30638e330078972afd6d2d96305f91055bc6a6f363fb8d3"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.133.0.27:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local",":method":"GET",":path":"/llm/facebook-opt-125m-simulated/v1/models",":scheme":"https","accept-encoding":"gzip","authorization":"Bearer **** sk-oai-zssccsJlRNOYJ8M4_TwEUFbkWhIZldk7rWfi7WfmyKBOeb6RhKFPmsdwflcD","user-agent":"Go-http-client/1.1","x-envoy-decorator-operation":"facebook-opt-125m-simulated-kserve-workload-svc.llm.svc.cluster.local:8000/*","x-envoy-external-address":"10.132.0.53","x-envoy-peer-metadata":"ChoKCkNMVVNURVJfSUQSDBoKS3ViZXJuZXRlcwqLAQoGTEFCRUxTEoABKn4KSwofc2VydmljZS5pc3Rpby5pby9jYW5vbmljYWwtbmFtZRIoGiZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAovCiNzZXJ2aWNlLmlzdGlvLmlvL2Nhbm9uaWNhbC1yZXZpc2lvbhIIGgZsYXRlc3QKQAoETkFNRRI4GjZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdC02ODdmZjY5OTYtemtibnAKIAoJTkFNRVNQQUNFEhMaEW9wZW5zaGlmdC1pbmdyZXNzCnQKBU9XTkVSEmsaaWt1YmVybmV0ZXM6Ly9hcGlzL2FwcHMvdjEvbmFtZXNwYWNlcy9vcGVuc2hpZnQtaW5ncmVzcy9kZXBsb3ltZW50cy9tYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAo5Cg1XT1JLTE9BRF9OQU1FEigaJm1hYXMtZGVmYXVsdC1nYXRld2F5LW9wZW5zaGlmdC1kZWZhdWx0","x-envoy-peer-metadata-id":"router~10.133.0.27~maas-default-gateway-openshift-default-687ff6996-zkbnp.openshift-ingress~openshift-ingress.svc.cluster.local","x-forwarded-for":"10.132.0.53","x-forwarded-proto":"https","x-maas-subscription":"simulator-subscription","x-request-id":"f8d05cc6-8d84-4f0a-8535-d27afc7ab5be"},"host":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local","id":"f8d05cc6-8d84-4f0a-8535-d27afc7ab5be","method":"GET","path":"/llm/facebook-opt-125m-simulated/v1/models","protocol":"HTTP/1.1","scheme":"https","time":{"nanos":496273679,"seconds":1781297361},"url_path":"/llm/facebook-opt-125m-simulated/v1/models","user_agent":"Go-http-client/1.1"},"source":{"address":"10.132.0.53:45956","port":45956}}} {"level":"debug","ts":"2026-06-12T20:49:21Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"f8d05cc6-8d84-4f0a-8535-d27afc7ab5be","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T20:49:21Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"f8d05cc6-8d84-4f0a-8535-d27afc7ab5be","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T20:49:21Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"f8d05cc6-8d84-4f0a-8535-d27afc7ab5be","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T20:49:21Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"f8d05cc6-8d84-4f0a-8535-d27afc7ab5be","config":{"Name":"subscription-valid","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T20:49:21Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"f8d05cc6-8d84-4f0a-8535-d27afc7ab5be","config":{"Name":"X-MaaS-Tenant","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-12T20:49:21Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"f8d05cc6-8d84-4f0a-8535-d27afc7ab5be","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-12T20:49:21Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"f8d05cc6-8d84-4f0a-8535-d27afc7ab5be","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-12T20:49:21Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"f8d05cc6-8d84-4f0a-8535-d27afc7ab5be","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"} {"level":"debug","ts":"2026-06-12T20:49:21Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"f8d05cc6-8d84-4f0a-8535-d27afc7ab5be","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"subscription_info","Value":{}},{"Name":"keyId","Value":{}},{"Name":"userid","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"groups","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_error_message","Value":{}}]},"Plain":null},"object":{"groups":["system:authenticated","Engineering","Project-Alpha"],"groups_str":"system:authenticated,Engineering,Project-Alpha","keyId":"e942b8d6-9f23-4222-a61f-851e585a6193","selected_subscription":"simulator-subscription","selected_subscription_key":"models-as-a-service/simulator-subscription@llm/facebook-opt-125m-simulated","subscription_error":"","subscription_error_message":"","subscription_info":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true},"userid":"alice_lead"}} {"level":"info","ts":"2026-06-12T20:49:21Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"f8d05cc6-8d84-4f0a-8535-d27afc7ab5be","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-12T20:49:21Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"f8d05cc6-8d84-4f0a-8535-d27afc7ab5be","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-12T20:49:21Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"40f8d938-044b-48d4-b6ac-19ec3c118ef6","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.12:57578","PortSpecifier":{"PortValue":57578}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.27:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"40f8d938-044b-48d4-b6ac-19ec3c118ef6","method":"GET","path":"/maas-api/v1/models","host":"maas.apps.c716503f-1e80-42d2-bcb7-d9acd9a18a02.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-12T20:49:21Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"40f8d938-044b-48d4-b6ac-19ec3c118ef6","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.12:57578","PortSpecifier":{"PortValue":57578}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.27:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781297361,"nanos":531338866},"http":{"id":"40f8d938-044b-48d4-b6ac-19ec3c118ef6","method":"GET","headers":{":authority":"maas.apps.c716503f-1e80-42d2-bcb7-d9acd9a18a02.prod.konfluxeaas.com",":method":"GET",":path":"/maas-api/v1/models",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-12T20:49:21Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"40f8d938-044b-48d4-b6ac-19ec3c118ef6","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-zssccsJlRNOYJ8M4_TwEUFbkWhIZldk7rWfi7WfmyKBOeb6RhKFPmsdwflcD"} {"level":"debug","ts":"2026-06-12T20:49:21Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"40f8d938-044b-48d4-b6ac-19ec3c118ef6","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-zssccsJlRNOYJ8M4_TwEUFbkWhIZldk7rWfi7WfmyKBOeb6RhKFPmsdwflcD\"}"} {"level":"debug","ts":"2026-06-12T20:49:21Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"40f8d938-044b-48d4-b6ac-19ec3c118ef6","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-12T20:49:21Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"40f8d938-044b-48d4-b6ac-19ec3c118ef6","input":{"auth":{"identity":"Bearer **** deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-12T20:49:21Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"40f8d938-044b-48d4-b6ac-19ec3c118ef6","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T20:49:21Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"40f8d938-044b-48d4-b6ac-19ec3c118ef6","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T20:49:21Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"40f8d938-044b-48d4-b6ac-19ec3c118ef6","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T20:49:21Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"40f8d938-044b-48d4-b6ac-19ec3c118ef6","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-12T20:49:21Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"40f8d938-044b-48d4-b6ac-19ec3c118ef6","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-12T20:49:21Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"40f8d938-044b-48d4-b6ac-19ec3c118ef6","config":{"Name":"X-MaaS-Tenant","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-12T20:49:21Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"40f8d938-044b-48d4-b6ac-19ec3c118ef6","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"groups","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"userid","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"keyId","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error_message","Value":{}}]},"Plain":null},"reason":"no such key: subscription-info"} {"level":"debug","ts":"2026-06-12T20:49:21Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"40f8d938-044b-48d4-b6ac-19ec3c118ef6","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"} {"level":"info","ts":"2026-06-12T20:49:21Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"40f8d938-044b-48d4-b6ac-19ec3c118ef6","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-12T20:49:21Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"40f8d938-044b-48d4-b6ac-19ec3c118ef6","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-12T20:49:21Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"acdbfda8-e260-476e-ac86-944e7e8a9e37","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.53:45956","PortSpecifier":{"PortValue":45956}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.27:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"acdbfda8-e260-476e-ac86-944e7e8a9e37","method":"GET","path":"/llm/facebook-opt-125m-simulated/v1/models","host":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local","scheme":"https"}}}} {"level":"debug","ts":"2026-06-12T20:49:21Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"acdbfda8-e260-476e-ac86-944e7e8a9e37","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.53:45956","PortSpecifier":{"PortValue":45956}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.27:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781297361,"nanos":537902688},"http":{"id":"acdbfda8-e260-476e-ac86-944e7e8a9e37","method":"GET","headers":{":authority":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local",":method":"GET",":path":"/llm/facebook-opt-125m-simulated/v1/models",":scheme":"https","accept-encoding":"gzip","authorization":"Bearer **** {"level":"debug","ts":"2026-06-12T20:49:21Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"acdbfda8-e260-476e-ac86-944e7e8a9e37","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-zssccsJlRNOYJ8M4_TwEUFbkWhIZldk7rWfi7WfmyKBOeb6RhKFPmsdwflcD"} {"level":"debug","ts":"2026-06-12T20:49:21Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"acdbfda8-e260-476e-ac86-944e7e8a9e37","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-zssccsJlRNOYJ8M4_TwEUFbkWhIZldk7rWfi7WfmyKBOeb6RhKFPmsdwflcD\"}"} {"level":"debug","ts":"2026-06-12T20:49:21Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"acdbfda8-e260-476e-ac86-944e7e8a9e37","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-12T20:49:21Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"acdbfda8-e260-476e-ac86-944e7e8a9e37","config":"subscription-info","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","headers":{"Content-Type":["application/json"]},"body":"{\"groups\":[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"],\"requestedModel\":\"llm/facebook-opt-125m-simulated\",\"requestedSubscription\":\"simulator-subscription\",\"username\":\"alice_lead\"}"} {"level":"debug","ts":"2026-06-12T20:49:21Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"acdbfda8-e260-476e-ac86-944e7e8a9e37","config":{"Name":"subscription-info","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"UserInfo":null,"UMA":null,"GenericHTTP":{"Endpoint":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","DynamicEndpoint":null,"Method":"POST","Body":{},"Parameters":[],"Headers":[],"ContentType":"application/json","SharedSecret":"","OAuth2":null,"OAuth2TokenForceFetch":false,"AuthCredentials":null}},"object":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}} {"level":"debug","ts":"2026-06-12T20:49:21Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"acdbfda8-e260-476e-ac86-944e7e8a9e37","input":{"auth":{"identity":"Bearer **** subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}}},"context":{"context_extensions":{"host":"3dd75e19cd66d310c30638e330078972afd6d2d96305f91055bc6a6f363fb8d3"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.133.0.27:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local",":method":"GET",":path":"/llm/facebook-opt-125m-simulated/v1/models",":scheme":"https","accept-encoding":"gzip","authorization":"Bearer **** sk-oai-zssccsJlRNOYJ8M4_TwEUFbkWhIZldk7rWfi7WfmyKBOeb6RhKFPmsdwflcD","user-agent":"Go-http-client/1.1","x-envoy-decorator-operation":"facebook-opt-125m-simulated-kserve-workload-svc.llm.svc.cluster.local:8000/*","x-envoy-external-address":"10.132.0.53","x-envoy-peer-metadata":"ChoKCkNMVVNURVJfSUQSDBoKS3ViZXJuZXRlcwqLAQoGTEFCRUxTEoABKn4KSwofc2VydmljZS5pc3Rpby5pby9jYW5vbmljYWwtbmFtZRIoGiZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAovCiNzZXJ2aWNlLmlzdGlvLmlvL2Nhbm9uaWNhbC1yZXZpc2lvbhIIGgZsYXRlc3QKQAoETkFNRRI4GjZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdC02ODdmZjY5OTYtemtibnAKIAoJTkFNRVNQQUNFEhMaEW9wZW5zaGlmdC1pbmdyZXNzCnQKBU9XTkVSEmsaaWt1YmVybmV0ZXM6Ly9hcGlzL2FwcHMvdjEvbmFtZXNwYWNlcy9vcGVuc2hpZnQtaW5ncmVzcy9kZXBsb3ltZW50cy9tYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAo5Cg1XT1JLTE9BRF9OQU1FEigaJm1hYXMtZGVmYXVsdC1nYXRld2F5LW9wZW5zaGlmdC1kZWZhdWx0","x-envoy-peer-metadata-id":"router~10.133.0.27~maas-default-gateway-openshift-default-687ff6996-zkbnp.openshift-ingress~openshift-ingress.svc.cluster.local","x-forwarded-for":"10.132.0.53","x-forwarded-proto":"https","x-maas-subscription":"simulator-subscription","x-request-id":"acdbfda8-e260-476e-ac86-944e7e8a9e37"},"host":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local","id":"acdbfda8-e260-476e-ac86-944e7e8a9e37","method":"GET","path":"/llm/facebook-opt-125m-simulated/v1/models","protocol":"HTTP/1.1","scheme":"https","time":{"nanos":537902688,"seconds":1781297361},"url_path":"/llm/facebook-opt-125m-simulated/v1/models","user_agent":"Go-http-client/1.1"},"source":{"address":"10.132.0.53:45956","port":45956}}} {"level":"debug","ts":"2026-06-12T20:49:21Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"acdbfda8-e260-476e-ac86-944e7e8a9e37","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T20:49:21Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"acdbfda8-e260-476e-ac86-944e7e8a9e37","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T20:49:21Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"acdbfda8-e260-476e-ac86-944e7e8a9e37","config":{"Name":"subscription-valid","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T20:49:21Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"acdbfda8-e260-476e-ac86-944e7e8a9e37","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T20:49:21Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"acdbfda8-e260-476e-ac86-944e7e8a9e37","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-12T20:49:21Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"acdbfda8-e260-476e-ac86-944e7e8a9e37","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-12T20:49:21Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"acdbfda8-e260-476e-ac86-944e7e8a9e37","config":{"Name":"X-MaaS-Tenant","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-12T20:49:21Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"acdbfda8-e260-476e-ac86-944e7e8a9e37","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"} {"level":"debug","ts":"2026-06-12T20:49:21Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"acdbfda8-e260-476e-ac86-944e7e8a9e37","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"subscription_info","Value":{}},{"Name":"keyId","Value":{}},{"Name":"userid","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"groups","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_error_message","Value":{}}]},"Plain":null},"object":{"groups":["system:authenticated","Engineering","Project-Alpha"],"groups_str":"system:authenticated,Engineering,Project-Alpha","keyId":"e942b8d6-9f23-4222-a61f-851e585a6193","selected_subscription":"simulator-subscription","selected_subscription_key":"models-as-a-service/simulator-subscription@llm/facebook-opt-125m-simulated","subscription_error":"","subscription_error_message":"","subscription_info":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true},"userid":"alice_lead"}} {"level":"info","ts":"2026-06-12T20:49:21Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"acdbfda8-e260-476e-ac86-944e7e8a9e37","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-12T20:49:21Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"acdbfda8-e260-476e-ac86-944e7e8a9e37","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-12T20:49:21Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"838927c6-fabb-41dd-a43d-134b1a3805af","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.12:57580","PortSpecifier":{"PortValue":57580}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.27:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"838927c6-fabb-41dd-a43d-134b1a3805af","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.c716503f-1e80-42d2-bcb7-d9acd9a18a02.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-12T20:49:21Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"838927c6-fabb-41dd-a43d-134b1a3805af","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.12:57580","PortSpecifier":{"PortValue":57580}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.27:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781297361,"nanos":692878596},"http":{"id":"838927c6-fabb-41dd-a43d-134b1a3805af","method":"POST","headers":{":authority":"maas.apps.c716503f-1e80-42d2-bcb7-d9acd9a18a02.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-12T20:49:21Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"838927c6-fabb-41dd-a43d-134b1a3805af","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781297661,"groups":["Engineering","Project-Alpha"],"iat":1781297361,"iss":"https://keycloak.apps.c716503f-1e80-42d2-bcb7-d9acd9a18a02.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:df4cfbaf-d0b6-4265-f7a2-ba571d3001ed","preferred_username":"alice_lead","scope":"profile email","sid":"YWEtwHN0x47TfJdzYwU-m2Vk","sub":"2dfa9a1f-7657-49a4-93ee-21e12e1697cd","typ":"Bearer"}} {"level":"debug","ts":"2026-06-12T20:49:21Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"838927c6-fabb-41dd-a43d-134b1a3805af","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781297661,"groups":["Engineering","Project-Alpha"],"iat":1781297361,"iss":"https://keycloak.apps.c716503f-1e80-42d2-bcb7-d9acd9a18a02.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:df4cfbaf-d0b6-4265-f7a2-ba571d3001ed","preferred_username":"alice_lead","scope":"profile email","sid":"YWEtwHN0x47TfJdzYwU-m2Vk","sub":"2dfa9a1f-7657-49a4-93ee-21e12e1697cd","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.133.0.27:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.c716503f-1e80-42d2-bcb7-d9acd9a18a02.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-12T20:49:21Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"838927c6-fabb-41dd-a43d-134b1a3805af","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T20:49:21Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"838927c6-fabb-41dd-a43d-134b1a3805af","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T20:49:21Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"838927c6-fabb-41dd-a43d-134b1a3805af","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T20:49:21Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"838927c6-fabb-41dd-a43d-134b1a3805af","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"groups","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"userid","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"keyId","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error_message","Value":{}}]},"Plain":null},"reason":"no such key: metadata"} {"level":"debug","ts":"2026-06-12T20:49:21Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"838927c6-fabb-41dd-a43d-134b1a3805af","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"} {"level":"debug","ts":"2026-06-12T20:49:21Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"838927c6-fabb-41dd-a43d-134b1a3805af","config":{"Name":"X-MaaS-Tenant-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Tenant","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"opendatahub"} {"level":"debug","ts":"2026-06-12T20:49:21Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"838927c6-fabb-41dd-a43d-134b1a3805af","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"} {"level":"info","ts":"2026-06-12T20:49:21Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"838927c6-fabb-41dd-a43d-134b1a3805af","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-12T20:49:21Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"838927c6-fabb-41dd-a43d-134b1a3805af","authorized":true,"response":"OK"}