{"level":"info","ts":"2026-06-11T19:14:35Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5","namespace":"kuadrant-system"}}
{"level":"debug","ts":"2026-06-11T19:14:35Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5","namespace":"kuadrant-system"}}
{"level":"debug","ts":"2026-06-11T19:14:35Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5","namespace":"kuadrant-system"}}
{"level":"debug","ts":"2026-06-11T19:14:35Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"331dc257e65f55f80700a586f7807093eda7b3d8e7d91215dc3c47731508480c","namespace":"kuadrant-system"}}
{"level":"info","ts":"2026-06-11T19:14:35Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5"}
{"level":"debug","ts":"2026-06-11T19:14:35Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/331dc257e65f55f80700a586f7807093eda7b3d8e7d91215dc3c47731508480c","issuerUrl":"https://keycloak.apps.e08edb4b-7b9e-4909-8877-5600f6e4ef3c.prod.konfluxeaas.com/realms/tenant-a"}
{"level":"debug","ts":"2026-06-11T19:14:35Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"True","lastTransitionTime":"2026-06-11T19:14:35Z","reason":"HostsLinked"},{"type":"Ready","status":"True","lastTransitionTime":"2026-06-11T19:14:35Z","reason":"Reconciled"}],"summary":{"ready":true,"hostsReady":["9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5"],"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":6,"festivalWristbandEnabled":false}}}
{"level":"info","ts":"2026-06-11T19:14:35Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/331dc257e65f55f80700a586f7807093eda7b3d8e7d91215dc3c47731508480c"}
{"level":"debug","ts":"2026-06-11T19:14:35Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5","issuerUrl":"https://keycloak.apps.e08edb4b-7b9e-4909-8877-5600f6e4ef3c.prod.konfluxeaas.com/realms/tenant-a"}
{"level":"info","ts":"2026-06-11T19:14:35Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5","namespace":"kuadrant-system"}}
{"level":"debug","ts":"2026-06-11T19:14:35Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"311b1be286674fd5684c9ac59b318287dade9769cfe4aeebd8c88e2dc6b72418","namespace":"kuadrant-system"}}
{"level":"debug","ts":"2026-06-11T19:14:35Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"False","lastTransitionTime":"2026-06-11T19:14:35Z","reason":"HostsNotLinked","message":"No hosts linked to the resource"},{"type":"Ready","status":"False","lastTransitionTime":"2026-06-11T19:14:35Z","reason":"Reconciling"}],"summary":{"ready":false,"hostsReady":[],"numHostsReady":"0/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":6,"festivalWristbandEnabled":false}}}
{"level":"info","ts":"2026-06-11T19:14:35Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5"}
{"level":"debug","ts":"2026-06-11T19:14:35Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/311b1be286674fd5684c9ac59b318287dade9769cfe4aeebd8c88e2dc6b72418","issuerUrl":"https://keycloak.apps.e08edb4b-7b9e-4909-8877-5600f6e4ef3c.prod.konfluxeaas.com/realms/tenant-a"}
{"level":"info","ts":"2026-06-11T19:14:35Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5","namespace":"kuadrant-system"}}
{"level":"debug","ts":"2026-06-11T19:14:35Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"01918e70442d2cb18c94316131b0e0a241b4a5d12df5b1e1981a3bef420bbdb5","namespace":"kuadrant-system"}}
{"level":"debug","ts":"2026-06-11T19:14:35Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"True","lastTransitionTime":"2026-06-11T19:14:35Z","reason":"HostsLinked"},{"type":"Ready","status":"True","lastTransitionTime":"2026-06-11T19:14:35Z","reason":"Reconciled"}],"summary":{"ready":true,"hostsReady":["9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5"],"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":6,"festivalWristbandEnabled":false}}}
{"level":"info","ts":"2026-06-11T19:14:35Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/311b1be286674fd5684c9ac59b318287dade9769cfe4aeebd8c88e2dc6b72418"}
{"level":"info","ts":"2026-06-11T19:14:35Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5","namespace":"kuadrant-system"}}
{"level":"debug","ts":"2026-06-11T19:14:35Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5","namespace":"kuadrant-system"}}
{"level":"debug","ts":"2026-06-11T19:14:35Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5","issuerUrl":"https://keycloak.apps.e08edb4b-7b9e-4909-8877-5600f6e4ef3c.prod.konfluxeaas.com/realms/tenant-a"}
{"level":"debug","ts":"2026-06-11T19:14:35Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"False","lastTransitionTime":"2026-06-11T19:14:35Z","reason":"HostsNotLinked","message":"No hosts linked to the resource"},{"type":"Ready","status":"False","lastTransitionTime":"2026-06-11T19:14:35Z","reason":"Reconciling"}],"summary":{"ready":false,"hostsReady":[],"numHostsReady":"0/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":6,"festivalWristbandEnabled":false}}}
{"level":"info","ts":"2026-06-11T19:14:35Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5"}
{"level":"info","ts":"2026-06-11T19:14:35Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5","namespace":"kuadrant-system"}}
{"level":"debug","ts":"2026-06-11T19:14:35Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5","namespace":"kuadrant-system"}}
{"level":"debug","ts":"2026-06-11T19:14:35Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"True","lastTransitionTime":"2026-06-11T19:14:35Z","reason":"HostsLinked"},{"type":"Ready","status":"True","lastTransitionTime":"2026-06-11T19:14:35Z","reason":"Reconciled"}],"summary":{"ready":true,"hostsReady":["9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5"],"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":6,"festivalWristbandEnabled":false}}}
{"level":"debug","ts":"2026-06-11T19:14:35Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/01918e70442d2cb18c94316131b0e0a241b4a5d12df5b1e1981a3bef420bbdb5","issuerUrl":"https://keycloak.apps.e08edb4b-7b9e-4909-8877-5600f6e4ef3c.prod.konfluxeaas.com/realms/tenant-a"}
{"level":"info","ts":"2026-06-11T19:14:35Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/01918e70442d2cb18c94316131b0e0a241b4a5d12df5b1e1981a3bef420bbdb5"}
{"level":"info","ts":"2026-06-11T19:14:35Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource de-indexed","authconfig":"kuadrant-system/3efb8e937aa19b5e0bdd0c3eb5b4ece33299385dcfc89205b8934853facbdcf0"}
{"level":"info","ts":"2026-06-11T19:14:35Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource de-indexed","authconfig":"kuadrant-system/2200947db0f3acc41dd3fca21efa06f90c57afddd36d719bdda2dc74a0bd0a11"}
{"level":"info","ts":"2026-06-11T19:14:35Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5","namespace":"kuadrant-system"}}
{"level":"debug","ts":"2026-06-11T19:14:35Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5","namespace":"kuadrant-system"}}
{"level":"debug","ts":"2026-06-11T19:14:35Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"False","lastTransitionTime":"2026-06-11T19:14:35Z","reason":"HostsNotLinked","message":"No hosts linked to the resource"},{"type":"Ready","status":"False","lastTransitionTime":"2026-06-11T19:14:35Z","reason":"Reconciling"}],"summary":{"ready":false,"hostsReady":[],"numHostsReady":"0/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":6,"festivalWristbandEnabled":false}}}
{"level":"debug","ts":"2026-06-11T19:14:35Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5","issuerUrl":"https://keycloak.apps.e08edb4b-7b9e-4909-8877-5600f6e4ef3c.prod.konfluxeaas.com/realms/tenant-a"}
{"level":"info","ts":"2026-06-11T19:14:36Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5"}
{"level":"debug","ts":"2026-06-11T19:14:36Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5","issuerUrl":"https://keycloak.apps.e08edb4b-7b9e-4909-8877-5600f6e4ef3c.prod.konfluxeaas.com/realms/tenant-a"}
{"level":"info","ts":"2026-06-11T19:14:36Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5","namespace":"kuadrant-system"}}
{"level":"debug","ts":"2026-06-11T19:14:36Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"False","lastTransitionTime":"2026-06-11T19:14:36Z","reason":"HostsNotLinked","message":"No hosts linked to the resource"},{"type":"Ready","status":"False","lastTransitionTime":"2026-06-11T19:14:36Z","reason":"Reconciling"}],"summary":{"ready":false,"hostsReady":[],"numHostsReady":"0/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":6,"festivalWristbandEnabled":false}}}
{"level":"error","ts":"2026-06-11T19:14:36Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"failed to update the resource","authconfig":{"name":"9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5","namespace":"kuadrant-system"},"error":"Operation cannot be fulfilled on authconfigs.authorino.kuadrant.io \"9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5\": the object has been modified; please apply your changes to the latest version and try again","stacktrace":"github.com/kuadrant/authorino/controllers.(*AuthConfigStatusUpdater).updateAuthConfigStatus\n\t/usr/src/authorino/controllers/auth_config_status_updater.go:162\ngithub.com/kuadrant/authorino/controllers.(*AuthConfigStatusUpdater).Reconcile\n\t/usr/src/authorino/controllers/auth_config_status_updater.go:81\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Reconcile\n\t/opt/app-root/src/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.16.3/pkg/internal/controller/controller.go:119\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).reconcileHandler\n\t/opt/app-root/src/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.16.3/pkg/internal/controller/controller.go:316\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem\n\t/opt/app-root/src/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.16.3/pkg/internal/controller/controller.go:266\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func2.2\n\t/opt/app-root/src/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.16.3/pkg/internal/controller/controller.go:227"}
{"level":"debug","ts":"2026-06-11T19:14:36Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5","namespace":"kuadrant-system"}}
{"level":"info","ts":"2026-06-11T19:14:36Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5"}
{"level":"debug","ts":"2026-06-11T19:14:36Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5","issuerUrl":"https://keycloak.apps.e08edb4b-7b9e-4909-8877-5600f6e4ef3c.prod.konfluxeaas.com/realms/tenant-a"}
{"level":"debug","ts":"2026-06-11T19:14:36Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5","namespace":"kuadrant-system"}}
{"level":"info","ts":"2026-06-11T19:14:36Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5"}
{"level":"debug","ts":"2026-06-11T19:14:36Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"True","lastTransitionTime":"2026-06-11T19:14:36Z","reason":"HostsLinked"},{"type":"Ready","status":"True","lastTransitionTime":"2026-06-11T19:14:36Z","reason":"Reconciled"}],"summary":{"ready":true,"hostsReady":["9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5"],"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":6,"festivalWristbandEnabled":false}}}
{"level":"info","ts":"2026-06-11T19:14:36Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5","namespace":"kuadrant-system"}}
{"level":"debug","ts":"2026-06-11T19:14:36Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"False","lastTransitionTime":"2026-06-11T19:14:36Z","reason":"HostsNotLinked","message":"No hosts linked to the resource"},{"type":"Ready","status":"False","lastTransitionTime":"2026-06-11T19:14:36Z","reason":"Reconciling"}],"summary":{"ready":false,"hostsReady":[],"numHostsReady":"0/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":6,"festivalWristbandEnabled":false}}}
{"level":"debug","ts":"2026-06-11T19:14:36Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5","issuerUrl":"https://keycloak.apps.e08edb4b-7b9e-4909-8877-5600f6e4ef3c.prod.konfluxeaas.com/realms/tenant-a"}
{"level":"info","ts":"2026-06-11T19:14:36Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5"}
{"level":"info","ts":"2026-06-11T19:14:36Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5","namespace":"kuadrant-system"}}
{"level":"debug","ts":"2026-06-11T19:14:36Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"True","lastTransitionTime":"2026-06-11T19:14:36Z","reason":"HostsLinked"},{"type":"Ready","status":"True","lastTransitionTime":"2026-06-11T19:14:36Z","reason":"Reconciled"}],"summary":{"ready":true,"hostsReady":["9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5"],"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":6,"festivalWristbandEnabled":false}}}
{"level":"debug","ts":"2026-06-11T19:14:36Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5","issuerUrl":"https://keycloak.apps.e08edb4b-7b9e-4909-8877-5600f6e4ef3c.prod.konfluxeaas.com/realms/tenant-a"}
{"level":"info","ts":"2026-06-11T19:14:36Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5","namespace":"kuadrant-system"}}
{"level":"debug","ts":"2026-06-11T19:14:36Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5","namespace":"kuadrant-system"}}
{"level":"debug","ts":"2026-06-11T19:14:36Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"False","lastTransitionTime":"2026-06-11T19:14:36Z","reason":"HostsNotLinked","message":"No hosts linked to the resource"},{"type":"Ready","status":"False","lastTransitionTime":"2026-06-11T19:14:36Z","reason":"Reconciling"}],"summary":{"ready":false,"hostsReady":[],"numHostsReady":"0/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":6,"festivalWristbandEnabled":false}}}
{"level":"info","ts":"2026-06-11T19:14:36Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5"}
{"level":"debug","ts":"2026-06-11T19:14:36Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5","issuerUrl":"https://keycloak.apps.e08edb4b-7b9e-4909-8877-5600f6e4ef3c.prod.konfluxeaas.com/realms/tenant-a"}
{"level":"info","ts":"2026-06-11T19:14:36Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5","namespace":"kuadrant-system"}}
{"level":"debug","ts":"2026-06-11T19:14:36Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"False","lastTransitionTime":"2026-06-11T19:14:36Z","reason":"HostsNotLinked","message":"No hosts linked to the resource"},{"type":"Ready","status":"False","lastTransitionTime":"2026-06-11T19:14:36Z","reason":"Reconciling"}],"summary":{"ready":false,"hostsReady":[],"numHostsReady":"0/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":6,"festivalWristbandEnabled":false}}}
{"level":"info","ts":"2026-06-11T19:14:36Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5"}
{"level":"error","ts":"2026-06-11T19:14:36Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"failed to update the resource","authconfig":{"name":"9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5","namespace":"kuadrant-system"},"error":"Operation cannot be fulfilled on authconfigs.authorino.kuadrant.io \"9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5\": the object has been modified; please apply your changes to the latest version and try again","stacktrace":"github.com/kuadrant/authorino/controllers.(*AuthConfigStatusUpdater).updateAuthConfigStatus\n\t/usr/src/authorino/controllers/auth_config_status_updater.go:162\ngithub.com/kuadrant/authorino/controllers.(*AuthConfigStatusUpdater).Reconcile\n\t/usr/src/authorino/controllers/auth_config_status_updater.go:81\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Reconcile\n\t/opt/app-root/src/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.16.3/pkg/internal/controller/controller.go:119\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).reconcileHandler\n\t/opt/app-root/src/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.16.3/pkg/internal/controller/controller.go:316\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem\n\t/opt/app-root/src/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.16.3/pkg/internal/controller/controller.go:266\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func2.2\n\t/opt/app-root/src/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.16.3/pkg/internal/controller/controller.go:227"}
{"level":"debug","ts":"2026-06-11T19:14:36Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5","namespace":"kuadrant-system"}}
{"level":"debug","ts":"2026-06-11T19:14:36Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5","namespace":"kuadrant-system"}}
{"level":"debug","ts":"2026-06-11T19:14:36Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5","issuerUrl":"https://keycloak.apps.e08edb4b-7b9e-4909-8877-5600f6e4ef3c.prod.konfluxeaas.com/realms/tenant-a"}
{"level":"info","ts":"2026-06-11T19:14:36Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5"}
{"level":"debug","ts":"2026-06-11T19:14:36Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"True","lastTransitionTime":"2026-06-11T19:14:36Z","reason":"HostsLinked"},{"type":"Ready","status":"True","lastTransitionTime":"2026-06-11T19:14:36Z","reason":"Reconciled"}],"summary":{"ready":true,"hostsReady":["9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5"],"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":6,"festivalWristbandEnabled":false}}}
{"level":"info","ts":"2026-06-11T19:14:36Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5","namespace":"kuadrant-system"}}
{"level":"debug","ts":"2026-06-11T19:14:36Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"False","lastTransitionTime":"2026-06-11T19:14:36Z","reason":"HostsNotLinked","message":"No hosts linked to the resource"},{"type":"Ready","status":"False","lastTransitionTime":"2026-06-11T19:14:36Z","reason":"Reconciling"}],"summary":{"ready":false,"hostsReady":[],"numHostsReady":"0/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":6,"festivalWristbandEnabled":false}}}
{"level":"debug","ts":"2026-06-11T19:14:36Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5","issuerUrl":"https://keycloak.apps.e08edb4b-7b9e-4909-8877-5600f6e4ef3c.prod.konfluxeaas.com/realms/tenant-a"}
{"level":"info","ts":"2026-06-11T19:14:36Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5"}
{"level":"info","ts":"2026-06-11T19:14:36Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5","namespace":"kuadrant-system"}}
{"level":"debug","ts":"2026-06-11T19:14:36Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"True","lastTransitionTime":"2026-06-11T19:14:36Z","reason":"HostsLinked"},{"type":"Ready","status":"True","lastTransitionTime":"2026-06-11T19:14:36Z","reason":"Reconciled"}],"summary":{"ready":true,"hostsReady":["9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5"],"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":6,"festivalWristbandEnabled":false}}}
{"level":"debug","ts":"2026-06-11T19:14:36Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5","issuerUrl":"https://keycloak.apps.e08edb4b-7b9e-4909-8877-5600f6e4ef3c.prod.konfluxeaas.com/realms/tenant-a"}
{"level":"info","ts":"2026-06-11T19:14:36Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5","namespace":"kuadrant-system"}}
{"level":"debug","ts":"2026-06-11T19:14:36Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5","namespace":"kuadrant-system"}}
{"level":"info","ts":"2026-06-11T19:14:36Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5"}
{"level":"debug","ts":"2026-06-11T19:14:36Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"False","lastTransitionTime":"2026-06-11T19:14:36Z","reason":"HostsNotLinked","message":"No hosts linked to the resource"},{"type":"Ready","status":"False","lastTransitionTime":"2026-06-11T19:14:36Z","reason":"Reconciling"}],"summary":{"ready":false,"hostsReady":[],"numHostsReady":"0/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":6,"festivalWristbandEnabled":false}}}
{"level":"debug","ts":"2026-06-11T19:14:36Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5","issuerUrl":"https://keycloak.apps.e08edb4b-7b9e-4909-8877-5600f6e4ef3c.prod.konfluxeaas.com/realms/tenant-a"}
{"level":"info","ts":"2026-06-11T19:14:36Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5"}
{"level":"info","ts":"2026-06-11T19:14:36Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5","namespace":"kuadrant-system"}}
{"level":"debug","ts":"2026-06-11T19:14:36Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5","namespace":"kuadrant-system"}}
{"level":"debug","ts":"2026-06-11T19:14:36Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5","namespace":"kuadrant-system"}}
{"level":"debug","ts":"2026-06-11T19:14:36Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5","issuerUrl":"https://keycloak.apps.e08edb4b-7b9e-4909-8877-5600f6e4ef3c.prod.konfluxeaas.com/realms/tenant-a"}
{"level":"debug","ts":"2026-06-11T19:14:36Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5","namespace":"kuadrant-system"}}
{"level":"debug","ts":"2026-06-11T19:14:36Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5","namespace":"kuadrant-system"}}
{"level":"info","ts":"2026-06-11T19:14:36Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5"}
{"level":"debug","ts":"2026-06-11T19:14:36Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"True","lastTransitionTime":"2026-06-11T19:14:36Z","reason":"HostsLinked"},{"type":"Ready","status":"True","lastTransitionTime":"2026-06-11T19:14:36Z","reason":"Reconciled"}],"summary":{"ready":true,"hostsReady":["9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5"],"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":6,"festivalWristbandEnabled":false}}}
{"level":"info","ts":"2026-06-11T19:14:36Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5","namespace":"kuadrant-system"}}
{"level":"debug","ts":"2026-06-11T19:14:36Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"False","lastTransitionTime":"2026-06-11T19:14:36Z","reason":"HostsNotLinked","message":"No hosts linked to the resource"},{"type":"Ready","status":"False","lastTransitionTime":"2026-06-11T19:14:36Z","reason":"Reconciling"}],"summary":{"ready":false,"hostsReady":[],"numHostsReady":"0/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":6,"festivalWristbandEnabled":false}}}
{"level":"debug","ts":"2026-06-11T19:14:36Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5","issuerUrl":"https://keycloak.apps.e08edb4b-7b9e-4909-8877-5600f6e4ef3c.prod.konfluxeaas.com/realms/tenant-a"}
{"level":"info","ts":"2026-06-11T19:14:36Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5","namespace":"kuadrant-system"}}
{"level":"debug","ts":"2026-06-11T19:14:36Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5","namespace":"kuadrant-system"}}
{"level":"debug","ts":"2026-06-11T19:14:36Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5","namespace":"kuadrant-system"}}
{"level":"info","ts":"2026-06-11T19:14:36Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5"}
{"level":"debug","ts":"2026-06-11T19:14:36Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5","issuerUrl":"https://keycloak.apps.e08edb4b-7b9e-4909-8877-5600f6e4ef3c.prod.konfluxeaas.com/realms/tenant-a"}
{"level":"debug","ts":"2026-06-11T19:14:36Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5","namespace":"kuadrant-system"}}
{"level":"info","ts":"2026-06-11T19:14:36Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5"}
{"level":"debug","ts":"2026-06-11T19:14:36Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"True","lastTransitionTime":"2026-06-11T19:14:36Z","reason":"HostsLinked"},{"type":"Ready","status":"True","lastTransitionTime":"2026-06-11T19:14:36Z","reason":"Reconciled"}],"summary":{"ready":true,"hostsReady":["9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5"],"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":6,"festivalWristbandEnabled":false}}}
{"level":"info","ts":"2026-06-11T19:14:36Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5","namespace":"kuadrant-system"}}
{"level":"debug","ts":"2026-06-11T19:14:36Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5","namespace":"kuadrant-system"}}
{"level":"debug","ts":"2026-06-11T19:14:36Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5","issuerUrl":"https://keycloak.apps.e08edb4b-7b9e-4909-8877-5600f6e4ef3c.prod.konfluxeaas.com/realms/tenant-a"}
{"level":"info","ts":"2026-06-11T19:14:36Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5"}
{"level":"info","ts":"2026-06-11T19:15:06Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"fe6144f8-9693-46d7-a6cc-b8875c5b4084","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.16:54634","PortSpecifier":{"PortValue":54634}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.33:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"fe6144f8-9693-46d7-a6cc-b8875c5b4084","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.e08edb4b-7b9e-4909-8877-5600f6e4ef3c.prod.konfluxeaas.com","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-11T19:15:06Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"fe6144f8-9693-46d7-a6cc-b8875c5b4084","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.16:54634","PortSpecifier":{"PortValue":54634}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.33:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781205306,"nanos":679515026},"http":{"id":"fe6144f8-9693-46d7-a6cc-b8875c5b4084","method":"POST","headers":{":authority":"maas.apps.e08edb4b-7b9e-4909-8877-5600f6e4ef3c.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-11T19:15:06Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"fe6144f8-9693-46d7-a6cc-b8875c5b4084","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781205606,"groups":["Engineering","Project-Alpha"],"iat":1781205306,"iss":"https://keycloak.apps.e08edb4b-7b9e-4909-8877-5600f6e4ef3c.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:ff275dcf-711e-8632-5080-9480cad669f5","preferred_username":"alice_lead","scope":"email profile","sid":"NsnuqeZikfKkyifgXWyEnwju","sub":"3d15beb9-28e0-4c96-b0e1-80a1a1abff3c","typ":"Bearer"}}
{"level":"debug","ts":"2026-06-11T19:15:06Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"fe6144f8-9693-46d7-a6cc-b8875c5b4084","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781205606,"groups":["Engineering","Project-Alpha"],"iat":1781205306,"iss":"https://keycloak.apps.e08edb4b-7b9e-4909-8877-5600f6e4ef3c.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:ff275dcf-711e-8632-5080-9480cad669f5","preferred_username":"alice_lead","scope":"email profile","sid":"NsnuqeZikfKkyifgXWyEnwju","sub":"3d15beb9-28e0-4c96-b0e1-80a1a1abff3c","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.133.0.33:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.e08edb4b-7b9e-4909-8877-5600f6e4ef3c.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-11T19:15:06Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"fe6144f8-9693-46d7-a6cc-b8875c5b4084","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-11T19:15:06Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"fe6144f8-9693-46d7-a6cc-b8875c5b4084","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-11T19:15:06Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"fe6144f8-9693-46d7-a6cc-b8875c5b4084","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-11T19:15:06Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"fe6144f8-9693-46d7-a6cc-b8875c5b4084","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"groups_str","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"groups","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"userid","Value":{}}]},"Plain":null},"reason":"no such key: metadata"}
{"level":"debug","ts":"2026-06-11T19:15:06Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"fe6144f8-9693-46d7-a6cc-b8875c5b4084","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"}
{"level":"debug","ts":"2026-06-11T19:15:06Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"fe6144f8-9693-46d7-a6cc-b8875c5b4084","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"}
{"level":"info","ts":"2026-06-11T19:15:06Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"fe6144f8-9693-46d7-a6cc-b8875c5b4084","authorized":true,"response":"OK"}
{"level":"debug","ts":"2026-06-11T19:15:06Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"fe6144f8-9693-46d7-a6cc-b8875c5b4084","authorized":true,"response":"OK"}
{"level":"info","ts":"2026-06-11T19:15:06Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"3a4f376f-fad5-9ba9-b852-ce269443ef1b","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.16:54648","PortSpecifier":{"PortValue":54648}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.33:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"3a4f376f-fad5-9ba9-b852-ce269443ef1b","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.e08edb4b-7b9e-4909-8877-5600f6e4ef3c.prod.konfluxeaas.com","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-11T19:15:06Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"3a4f376f-fad5-9ba9-b852-ce269443ef1b","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.16:54648","PortSpecifier":{"PortValue":54648}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.33:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781205306,"nanos":786066581},"http":{"id":"3a4f376f-fad5-9ba9-b852-ce269443ef1b","method":"POST","headers":{":authority":"maas.apps.e08edb4b-7b9e-4909-8877-5600f6e4ef3c.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-11T19:15:06Z","logger":"authorino.service.auth.authpipeline.identity","msg":"cannot validate identity","request id":"3a4f376f-fad5-9ba9-b852-ce269443ef1b","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"reason":"failed to verify signature: failed to verify id token signature"}
{"level":"debug","ts":"2026-06-11T19:15:06Z","logger":"authorino.service.auth.authpipeline.identity.kubernetesauth","msg":"calling kubernetes token review api","request id":"3a4f376f-fad5-9ba9-b852-ce269443ef1b","tokenreview":{"name":""}}
{"level":"debug","ts":"2026-06-11T19:15:06Z","logger":"authorino.service.auth.authpipeline.identity","msg":"cannot validate identity","request id":"3a4f376f-fad5-9ba9-b852-ce269443ef1b","config":{"Name":"openshift-identities","Priority":2,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":null,"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"Plain":null,"Noop":null,"ExtendedProperties":[]},"reason":"not authenticated"}
{"level":"info","ts":"2026-06-11T19:15:06Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"3a4f376f-fad5-9ba9-b852-ce269443ef1b","authorized":false,"response":"UNAUTHENTICATED","object":{"code":16,"status":401,"message":"Authentication required"}}
{"level":"debug","ts":"2026-06-11T19:15:06Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"3a4f376f-fad5-9ba9-b852-ce269443ef1b","authorized":false,"response":"UNAUTHENTICATED","object":{"code":16,"status":401,"message":"Authentication required","headers":[{"WWW-Authenticate":"request.headers.authorization realm=\"api-keys\""},{"WWW-Authenticate":"Bearer **** realm=\"openshift-identities\""}]}}
{"level":"info","ts":"2026-06-11T19:15:06Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"caf80169-c6f7-4233-8e22-eb4dc3e3336b","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.16:54664","PortSpecifier":{"PortValue":54664}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.33:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"caf80169-c6f7-4233-8e22-eb4dc3e3336b","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.e08edb4b-7b9e-4909-8877-5600f6e4ef3c.prod.konfluxeaas.com","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-11T19:15:06Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"caf80169-c6f7-4233-8e22-eb4dc3e3336b","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.16:54664","PortSpecifier":{"PortValue":54664}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.33:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781205306,"nanos":856522877},"http":{"id":"caf80169-c6f7-4233-8e22-eb4dc3e3336b","method":"POST","headers":{":authority":"maas.apps.e08edb4b-7b9e-4909-8877-5600f6e4ef3c.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer","content-length":"35","content-type":"application/json","forwarded":"for=34.228.250.194;host=maas.apps.e08edb4b-7b9e-4909-8877-5600f6e4ef3c.prod.konfluxeaas.com;proto=https","user-agent":"python-requests/2.32.5","x-envoy-decorator-operation":"maas-api.opendatahub.svc.cluster.local:8443/*","x-envoy-external-address":"10.132.0.16","x-envoy-peer-metadata":"ChoKCkNMVVNURVJfSUQSDBoKS3ViZXJuZXRlcwqLAQoGTEFCRUxTEoABKn4KSwofc2VydmljZS5pc3Rpby5pby9jYW5vbmljYWwtbmFtZRIoGiZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAovCiNzZXJ2aWNlLmlzdGlvLmlvL2Nhbm9uaWNhbC1yZXZpc2lvbhIIGgZsYXRlc3QKQAoETkFNRRI4GjZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdC02ODdmZjY5OTYtcXM0ZjQKIAoJTkFNRVNQQUNFEhMaEW9wZW5zaGlmdC1pbmdyZXNzCnQKBU9XTkVSEmsaaWt1YmVybmV0ZXM6Ly9hcGlzL2FwcHMvdjEvbmFtZXNwYWNlcy9vcGVuc2hpZnQtaW5ncmVzcy9kZXBsb3ltZW50cy9tYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAo5Cg1XT1JLTE9BRF9OQU1FEigaJm1hYXMtZGVmYXVsdC1nYXRld2F5LW9wZW5zaGlmdC1kZWZhdWx0","x-envoy-peer-metadata-id":"router~10.133.0.33~maas-default-gateway-openshift-default-687ff6996-qs4f4.openshift-ingress~openshift-ingress.svc.cluster.local","x-forwarded-for":"34.228.250.194,10.132.0.16","x-forwarded-host":"maas.apps.e08edb4b-7b9e-4909-8877-5600f6e4ef3c.prod.konfluxeaas.com","x-forwarded-port":"443","x-forwarded-proto":"https","x-request-id":"caf80169-c6f7-4233-8e22-eb4dc3e3336b"},"path":"/maas-api/v1/api-keys","host":"maas.apps.e08edb4b-7b9e-4909-8877-5600f6e4ef3c.prod.konfluxeaas.com","scheme":"https","protocol":"HTTP/1.1"}},"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"metadata_context":{}}}
{"level":"debug","ts":"2026-06-11T19:15:06Z","logger":"authorino.service.auth.authpipeline.identity","msg":"cannot validate identity","request id":"caf80169-c6f7-4233-8e22-eb4dc3e3336b","config":{"Name":"openshift-identities","Priority":2,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":null,"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"Plain":null,"Noop":null,"ExtendedProperties":[]},"reason":"credential not found"}
{"level":"info","ts":"2026-06-11T19:15:06Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"caf80169-c6f7-4233-8e22-eb4dc3e3336b","authorized":false,"response":"UNAUTHENTICATED","object":{"code":16,"status":401,"message":"Authentication required"}}
{"level":"debug","ts":"2026-06-11T19:15:06Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"caf80169-c6f7-4233-8e22-eb4dc3e3336b","authorized":false,"response":"UNAUTHENTICATED","object":{"code":16,"status":401,"message":"Authentication required","headers":[{"WWW-Authenticate":"request.headers.authorization realm=\"api-keys\""},{"WWW-Authenticate":"Bearer **** realm=\"openshift-identities\""}]}}
{"level":"info","ts":"2026-06-11T19:15:06Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"797a4372-cec4-4e53-bcb6-3cc1f598cea4","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.16:54680","PortSpecifier":{"PortValue":54680}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.33:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"797a4372-cec4-4e53-bcb6-3cc1f598cea4","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.e08edb4b-7b9e-4909-8877-5600f6e4ef3c.prod.konfluxeaas.com","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-11T19:15:06Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"797a4372-cec4-4e53-bcb6-3cc1f598cea4","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.16:54680","PortSpecifier":{"PortValue":54680}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.33:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781205306,"nanos":878135137},"http":{"id":"797a4372-cec4-4e53-bcb6-3cc1f598cea4","method":"POST","headers":{":authority":"maas.apps.e08edb4b-7b9e-4909-8877-5600f6e4ef3c.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","content-length":"36","content-type":"application/json","forwarded":"for=34.228.250.194;host=maas.apps.e08edb4b-7b9e-4909-8877-5600f6e4ef3c.prod.konfluxeaas.com;proto=https","user-agent":"python-requests/2.32.5","x-envoy-decorator-operation":"maas-api.opendatahub.svc.cluster.local:8443/*","x-envoy-external-address":"10.132.0.16","x-envoy-peer-metadata":"ChoKCkNMVVNURVJfSUQSDBoKS3ViZXJuZXRlcwqLAQoGTEFCRUxTEoABKn4KSwofc2VydmljZS5pc3Rpby5pby9jYW5vbmljYWwtbmFtZRIoGiZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAovCiNzZXJ2aWNlLmlzdGlvLmlvL2Nhbm9uaWNhbC1yZXZpc2lvbhIIGgZsYXRlc3QKQAoETkFNRRI4GjZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdC02ODdmZjY5OTYtcXM0ZjQKIAoJTkFNRVNQQUNFEhMaEW9wZW5zaGlmdC1pbmdyZXNzCnQKBU9XTkVSEmsaaWt1YmVybmV0ZXM6Ly9hcGlzL2FwcHMvdjEvbmFtZXNwYWNlcy9vcGVuc2hpZnQtaW5ncmVzcy9kZXBsb3ltZW50cy9tYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAo5Cg1XT1JLTE9BRF9OQU1FEigaJm1hYXMtZGVmYXVsdC1nYXRld2F5LW9wZW5zaGlmdC1kZWZhdWx0","x-envoy-peer-metadata-id":"router~10.133.0.33~maas-default-gateway-openshift-default-687ff6996-qs4f4.openshift-ingress~openshift-ingress.svc.cluster.local","x-forwarded-for":"34.228.250.194,10.132.0.16","x-forwarded-host":"maas.apps.e08edb4b-7b9e-4909-8877-5600f6e4ef3c.prod.konfluxeaas.com","x-forwarded-port":"443","x-forwarded-proto":"https","x-request-id":"797a4372-cec4-4e53-bcb6-3cc1f598cea4"},"path":"/maas-api/v1/api-keys","host":"maas.apps.e08edb4b-7b9e-4909-8877-5600f6e4ef3c.prod.konfluxeaas.com","scheme":"https","protocol":"HTTP/1.1"}},"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"metadata_context":{}}}
{"level":"info","ts":"2026-06-11T19:15:06Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"797a4372-cec4-4e53-bcb6-3cc1f598cea4","authorized":false,"response":"UNAUTHENTICATED","object":{"code":16,"status":401,"message":"Authentication required"}}
{"level":"debug","ts":"2026-06-11T19:15:06Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"797a4372-cec4-4e53-bcb6-3cc1f598cea4","authorized":false,"response":"UNAUTHENTICATED","object":{"code":16,"status":401,"message":"Authentication required","headers":[{"WWW-Authenticate":"request.headers.authorization realm=\"api-keys\""},{"WWW-Authenticate":"Bearer **** realm=\"openshift-identities\""}]}}
{"level":"info","ts":"2026-06-11T19:15:07Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"dbca00d7-5156-477a-85b4-be559aa19195","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.16:54684","PortSpecifier":{"PortValue":54684}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.33:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"dbca00d7-5156-477a-85b4-be559aa19195","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.e08edb4b-7b9e-4909-8877-5600f6e4ef3c.prod.konfluxeaas.com","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-11T19:15:07Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"dbca00d7-5156-477a-85b4-be559aa19195","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.16:54684","PortSpecifier":{"PortValue":54684}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.33:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781205307,"nanos":233878714},"http":{"id":"dbca00d7-5156-477a-85b4-be559aa19195","method":"POST","headers":{":authority":"maas.apps.e08edb4b-7b9e-4909-8877-5600f6e4ef3c.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-11T19:15:07Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"dbca00d7-5156-477a-85b4-be559aa19195","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781205607,"groups":["Site-Reliability"],"iat":1781205307,"iss":"https://keycloak.apps.e08edb4b-7b9e-4909-8877-5600f6e4ef3c.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:129e75f9-6095-0ea3-46d8-e17cf788534a","preferred_username":"bob_sre","scope":"email profile","sid":"fjA59v8Qoi9lHvtXkTmetsch","sub":"5e3d1501-d48d-430b-aaec-cb12ec0993f5","typ":"Bearer"}}
{"level":"debug","ts":"2026-06-11T19:15:07Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"dbca00d7-5156-477a-85b4-be559aa19195","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781205607,"groups":["Site-Reliability"],"iat":1781205307,"iss":"https://keycloak.apps.e08edb4b-7b9e-4909-8877-5600f6e4ef3c.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:129e75f9-6095-0ea3-46d8-e17cf788534a","preferred_username":"bob_sre","scope":"email profile","sid":"fjA59v8Qoi9lHvtXkTmetsch","sub":"5e3d1501-d48d-430b-aaec-cb12ec0993f5","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.133.0.33:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.e08edb4b-7b9e-4909-8877-5600f6e4ef3c.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-11T19:15:07Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"dbca00d7-5156-477a-85b4-be559aa19195","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-11T19:15:07Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"dbca00d7-5156-477a-85b4-be559aa19195","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-11T19:15:07Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"dbca00d7-5156-477a-85b4-be559aa19195","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-11T19:15:07Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"dbca00d7-5156-477a-85b4-be559aa19195","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"groups_str","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"groups","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"userid","Value":{}}]},"Plain":null},"reason":"no such key: metadata"}
{"level":"debug","ts":"2026-06-11T19:15:07Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"dbca00d7-5156-477a-85b4-be559aa19195","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Site-Reliability\"]"}
{"level":"debug","ts":"2026-06-11T19:15:07Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"dbca00d7-5156-477a-85b4-be559aa19195","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"bob_sre"}
{"level":"info","ts":"2026-06-11T19:15:07Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"dbca00d7-5156-477a-85b4-be559aa19195","authorized":true,"response":"OK"}
{"level":"debug","ts":"2026-06-11T19:15:07Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"dbca00d7-5156-477a-85b4-be559aa19195","authorized":true,"response":"OK"}
{"level":"info","ts":"2026-06-11T19:15:07Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"95ffa80b-4824-4bc7-b8fb-8a87fb9771f7","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.16:54696","PortSpecifier":{"PortValue":54696}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.33:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"95ffa80b-4824-4bc7-b8fb-8a87fb9771f7","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.e08edb4b-7b9e-4909-8877-5600f6e4ef3c.prod.konfluxeaas.com","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-11T19:15:07Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"95ffa80b-4824-4bc7-b8fb-8a87fb9771f7","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.16:54696","PortSpecifier":{"PortValue":54696}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.33:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781205307,"nanos":446279212},"http":{"id":"95ffa80b-4824-4bc7-b8fb-8a87fb9771f7","method":"POST","headers":{":authority":"maas.apps.e08edb4b-7b9e-4909-8877-5600f6e4ef3c.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-11T19:15:07Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"95ffa80b-4824-4bc7-b8fb-8a87fb9771f7","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781205607,"groups":["Engineering","Project-Alpha"],"iat":1781205307,"iss":"https://keycloak.apps.e08edb4b-7b9e-4909-8877-5600f6e4ef3c.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:69c33177-bab9-e27a-9b70-64557aa9b74b","preferred_username":"alice_lead","scope":"email profile","sid":"mXw46b2mUsPKIbPSxp3wnPUL","sub":"3d15beb9-28e0-4c96-b0e1-80a1a1abff3c","typ":"Bearer"}}
{"level":"debug","ts":"2026-06-11T19:15:07Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"95ffa80b-4824-4bc7-b8fb-8a87fb9771f7","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781205607,"groups":["Engineering","Project-Alpha"],"iat":1781205307,"iss":"https://keycloak.apps.e08edb4b-7b9e-4909-8877-5600f6e4ef3c.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:69c33177-bab9-e27a-9b70-64557aa9b74b","preferred_username":"alice_lead","scope":"email profile","sid":"mXw46b2mUsPKIbPSxp3wnPUL","sub":"3d15beb9-28e0-4c96-b0e1-80a1a1abff3c","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.133.0.33:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.e08edb4b-7b9e-4909-8877-5600f6e4ef3c.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-11T19:15:07Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"95ffa80b-4824-4bc7-b8fb-8a87fb9771f7","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-11T19:15:07Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"95ffa80b-4824-4bc7-b8fb-8a87fb9771f7","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-11T19:15:07Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"95ffa80b-4824-4bc7-b8fb-8a87fb9771f7","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-11T19:15:07Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"95ffa80b-4824-4bc7-b8fb-8a87fb9771f7","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"groups_str","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"groups","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"userid","Value":{}}]},"Plain":null},"reason":"no such key: metadata"}
{"level":"debug","ts":"2026-06-11T19:15:07Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"95ffa80b-4824-4bc7-b8fb-8a87fb9771f7","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"}
{"level":"debug","ts":"2026-06-11T19:15:07Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"95ffa80b-4824-4bc7-b8fb-8a87fb9771f7","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"}
{"level":"info","ts":"2026-06-11T19:15:07Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"95ffa80b-4824-4bc7-b8fb-8a87fb9771f7","authorized":true,"response":"OK"}
{"level":"debug","ts":"2026-06-11T19:15:07Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"95ffa80b-4824-4bc7-b8fb-8a87fb9771f7","authorized":true,"response":"OK"}
{"level":"info","ts":"2026-06-11T19:15:07Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"c060e4e6-749f-4356-be25-d8d882b9ea64","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.16:54704","PortSpecifier":{"PortValue":54704}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.33:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"c060e4e6-749f-4356-be25-d8d882b9ea64","method":"GET","path":"/maas-api/v1/models","host":"maas.apps.e08edb4b-7b9e-4909-8877-5600f6e4ef3c.prod.konfluxeaas.com","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-11T19:15:07Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"c060e4e6-749f-4356-be25-d8d882b9ea64","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.16:54704","PortSpecifier":{"PortValue":54704}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.33:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781205307,"nanos":478904336},"http":{"id":"c060e4e6-749f-4356-be25-d8d882b9ea64","method":"GET","headers":{":authority":"maas.apps.e08edb4b-7b9e-4909-8877-5600f6e4ef3c.prod.konfluxeaas.com",":method":"GET",":path":"/maas-api/v1/models",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-11T19:15:07Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"c060e4e6-749f-4356-be25-d8d882b9ea64","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-164qAPNbFkGOl9oE6_NXWho2fLuE71vLCeFTyxndB1v1AO7DPHDc5onorlVzJ"}
{"level":"debug","ts":"2026-06-11T19:15:07Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"c060e4e6-749f-4356-be25-d8d882b9ea64","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-164qAPNbFkGOl9oE6_NXWho2fLuE71vLCeFTyxndB1v1AO7DPHDc5onorlVzJ\"}"}
{"level":"debug","ts":"2026-06-11T19:15:07Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"c060e4e6-749f-4356-be25-d8d882b9ea64","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-11T19:15:07Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"c060e4e6-749f-4356-be25-d8d882b9ea64","input":{"auth":{"identity":"Bearer **** deflate","authorization":"Bearer **** deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-11T19:15:07Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"c060e4e6-749f-4356-be25-d8d882b9ea64","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-11T19:15:07Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"c060e4e6-749f-4356-be25-d8d882b9ea64","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-11T19:15:07Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"c060e4e6-749f-4356-be25-d8d882b9ea64","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-11T19:15:07Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"c060e4e6-749f-4356-be25-d8d882b9ea64","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-11T19:15:07Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"c060e4e6-749f-4356-be25-d8d882b9ea64","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-11T19:15:07Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"c060e4e6-749f-4356-be25-d8d882b9ea64","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"}
{"level":"debug","ts":"2026-06-11T19:15:07Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"c060e4e6-749f-4356-be25-d8d882b9ea64","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"groups_str","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"groups","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"userid","Value":{}}]},"Plain":null},"reason":"no such key: subscription-info"}
{"level":"info","ts":"2026-06-11T19:15:07Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"c060e4e6-749f-4356-be25-d8d882b9ea64","authorized":true,"response":"OK"}
{"level":"debug","ts":"2026-06-11T19:15:07Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"c060e4e6-749f-4356-be25-d8d882b9ea64","authorized":true,"response":"OK"}
{"level":"info","ts":"2026-06-11T19:15:07Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"8fae4107-6752-4671-8527-4c998dde13bc","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.47:41440","PortSpecifier":{"PortValue":41440}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.33:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"8fae4107-6752-4671-8527-4c998dde13bc","method":"GET","path":"/llm/facebook-opt-125m-simulated/v1/models","host":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-11T19:15:07Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"8fae4107-6752-4671-8527-4c998dde13bc","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.47:41440","PortSpecifier":{"PortValue":41440}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.33:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781205307,"nanos":497314507},"http":{"id":"8fae4107-6752-4671-8527-4c998dde13bc","method":"GET","headers":{":authority":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local",":method":"GET",":path":"/llm/facebook-opt-125m-simulated/v1/models",":scheme":"https","accept-encoding":"gzip","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-11T19:15:07Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"8fae4107-6752-4671-8527-4c998dde13bc","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-164qAPNbFkGOl9oE6_NXWho2fLuE71vLCeFTyxndB1v1AO7DPHDc5onorlVzJ"}
{"level":"debug","ts":"2026-06-11T19:15:07Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"8fae4107-6752-4671-8527-4c998dde13bc","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-164qAPNbFkGOl9oE6_NXWho2fLuE71vLCeFTyxndB1v1AO7DPHDc5onorlVzJ\"}"}
{"level":"debug","ts":"2026-06-11T19:15:07Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"8fae4107-6752-4671-8527-4c998dde13bc","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-11T19:15:07Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"8fae4107-6752-4671-8527-4c998dde13bc","config":"subscription-info","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","headers":{"Content-Type":["application/json"]},"body":"{\"groups\":[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"],\"requestedModel\":\"llm/facebook-opt-125m-simulated\",\"requestedSubscription\":\"simulator-subscription\",\"username\":\"alice_lead\"}"}
{"level":"debug","ts":"2026-06-11T19:15:07Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"8fae4107-6752-4671-8527-4c998dde13bc","config":{"Name":"subscription-info","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"UserInfo":null,"UMA":null,"GenericHTTP":{"Endpoint":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","DynamicEndpoint":null,"Method":"POST","Body":{},"Parameters":[],"Headers":[],"ContentType":"application/json","SharedSecret":"","OAuth2":null,"OAuth2TokenForceFetch":false,"AuthCredentials":null}},"object":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}}
{"level":"debug","ts":"2026-06-11T19:15:07Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"8fae4107-6752-4671-8527-4c998dde13bc","input":{"auth":{"identity":"Bearer **** subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}}},"context":{"context_extensions":{"host":"3dd75e19cd66d310c30638e330078972afd6d2d96305f91055bc6a6f363fb8d3"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.133.0.33:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local",":method":"GET",":path":"/llm/facebook-opt-125m-simulated/v1/models",":scheme":"https","accept-encoding":"gzip","authorization":"Bearer **** sk-oai-164qAPNbFkGOl9oE6_NXWho2fLuE71vLCeFTyxndB1v1AO7DPHDc5onorlVzJ","user-agent":"Go-http-client/1.1","x-envoy-decorator-operation":"facebook-opt-125m-simulated-kserve-workload-svc.llm.svc.cluster.local:8000/*","x-envoy-external-address":"10.134.0.47","x-envoy-peer-metadata":"ChoKCkNMVVNURVJfSUQSDBoKS3ViZXJuZXRlcwqLAQoGTEFCRUxTEoABKn4KSwofc2VydmljZS5pc3Rpby5pby9jYW5vbmljYWwtbmFtZRIoGiZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAovCiNzZXJ2aWNlLmlzdGlvLmlvL2Nhbm9uaWNhbC1yZXZpc2lvbhIIGgZsYXRlc3QKQAoETkFNRRI4GjZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdC02ODdmZjY5OTYtcXM0ZjQKIAoJTkFNRVNQQUNFEhMaEW9wZW5zaGlmdC1pbmdyZXNzCnQKBU9XTkVSEmsaaWt1YmVybmV0ZXM6Ly9hcGlzL2FwcHMvdjEvbmFtZXNwYWNlcy9vcGVuc2hpZnQtaW5ncmVzcy9kZXBsb3ltZW50cy9tYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAo5Cg1XT1JLTE9BRF9OQU1FEigaJm1hYXMtZGVmYXVsdC1nYXRld2F5LW9wZW5zaGlmdC1kZWZhdWx0","x-envoy-peer-metadata-id":"router~10.133.0.33~maas-default-gateway-openshift-default-687ff6996-qs4f4.openshift-ingress~openshift-ingress.svc.cluster.local","x-forwarded-for":"10.134.0.47","x-forwarded-proto":"https","x-maas-subscription":"simulator-subscription","x-request-id":"8fae4107-6752-4671-8527-4c998dde13bc"},"host":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local","id":"8fae4107-6752-4671-8527-4c998dde13bc","method":"GET","path":"/llm/facebook-opt-125m-simulated/v1/models","protocol":"HTTP/1.1","scheme":"https","time":{"nanos":497314507,"seconds":1781205307},"url_path":"/llm/facebook-opt-125m-simulated/v1/models","user_agent":"Go-http-client/1.1"},"source":{"address":"10.134.0.47:41440","port":41440}}}
{"level":"debug","ts":"2026-06-11T19:15:07Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"8fae4107-6752-4671-8527-4c998dde13bc","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-11T19:15:07Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"8fae4107-6752-4671-8527-4c998dde13bc","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-11T19:15:07Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"8fae4107-6752-4671-8527-4c998dde13bc","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-11T19:15:07Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"8fae4107-6752-4671-8527-4c998dde13bc","config":{"Name":"subscription-valid","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-11T19:15:07Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"8fae4107-6752-4671-8527-4c998dde13bc","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-11T19:15:07Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"8fae4107-6752-4671-8527-4c998dde13bc","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-11T19:15:07Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"8fae4107-6752-4671-8527-4c998dde13bc","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"}
{"level":"debug","ts":"2026-06-11T19:15:07Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"8fae4107-6752-4671-8527-4c998dde13bc","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"groups","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"userid","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_info","Value":{}}]},"Plain":null},"object":{"groups":["system:authenticated","Engineering","Project-Alpha"],"groups_str":"system:authenticated,Engineering,Project-Alpha","keyId":"ec883235-df3e-4079-ae08-4a3dc565de3f","selected_subscription":"simulator-subscription","selected_subscription_key":"models-as-a-service/simulator-subscription@llm/facebook-opt-125m-simulated","subscription_error":"","subscription_error_message":"","subscription_info":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true},"userid":"alice_lead"}}
{"level":"info","ts":"2026-06-11T19:15:07Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"8fae4107-6752-4671-8527-4c998dde13bc","authorized":true,"response":"OK"}
{"level":"debug","ts":"2026-06-11T19:15:07Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"8fae4107-6752-4671-8527-4c998dde13bc","authorized":true,"response":"OK"}
{"level":"info","ts":"2026-06-11T19:15:07Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"01a33338-fd2f-4d7d-ba74-ab286010c990","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.16:54716","PortSpecifier":{"PortValue":54716}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.33:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"01a33338-fd2f-4d7d-ba74-ab286010c990","method":"POST","path":"/llm/facebook-opt-125m-simulated/v1/chat/completions","host":"maas.apps.e08edb4b-7b9e-4909-8877-5600f6e4ef3c.prod.konfluxeaas.com","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-11T19:15:07Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"01a33338-fd2f-4d7d-ba74-ab286010c990","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.16:54716","PortSpecifier":{"PortValue":54716}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.33:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781205307,"nanos":532482745},"http":{"id":"01a33338-fd2f-4d7d-ba74-ab286010c990","method":"POST","headers":{":authority":"maas.apps.e08edb4b-7b9e-4909-8877-5600f6e4ef3c.prod.konfluxeaas.com",":method":"POST",":path":"/llm/facebook-opt-125m-simulated/v1/chat/completions",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-11T19:15:07Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"01a33338-fd2f-4d7d-ba74-ab286010c990","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-164qAPNbFkGOl9oE6_NXWho2fLuE71vLCeFTyxndB1v1AO7DPHDc5onorlVzJ"}
{"level":"debug","ts":"2026-06-11T19:15:07Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"01a33338-fd2f-4d7d-ba74-ab286010c990","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-164qAPNbFkGOl9oE6_NXWho2fLuE71vLCeFTyxndB1v1AO7DPHDc5onorlVzJ\"}"}
{"level":"debug","ts":"2026-06-11T19:15:07Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"01a33338-fd2f-4d7d-ba74-ab286010c990","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-11T19:15:07Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"01a33338-fd2f-4d7d-ba74-ab286010c990","config":"subscription-info","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","headers":{"Content-Type":["application/json"]},"body":"{\"groups\":[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"],\"requestedModel\":\"llm/facebook-opt-125m-simulated\",\"requestedSubscription\":\"simulator-subscription\",\"username\":\"alice_lead\"}"}
{"level":"debug","ts":"2026-06-11T19:15:07Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"01a33338-fd2f-4d7d-ba74-ab286010c990","config":{"Name":"subscription-info","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"UserInfo":null,"UMA":null,"GenericHTTP":{"Endpoint":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","DynamicEndpoint":null,"Method":"POST","Body":{},"Parameters":[],"Headers":[],"ContentType":"application/json","SharedSecret":"","OAuth2":null,"OAuth2TokenForceFetch":false,"AuthCredentials":null}},"object":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}}
{"level":"debug","ts":"2026-06-11T19:15:07Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"01a33338-fd2f-4d7d-ba74-ab286010c990","input":{"auth":{"identity":"Bearer **** subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}}},"context":{"context_extensions":{"host":"18e32965997cdd9967355c6fa5264ed12c0a215989d459ed88d7d6de02865f76"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.133.0.33:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.e08edb4b-7b9e-4909-8877-5600f6e4ef3c.prod.konfluxeaas.com",":method":"POST",":path":"/llm/facebook-opt-125m-simulated/v1/chat/completions",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-11T19:15:07Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"01a33338-fd2f-4d7d-ba74-ab286010c990","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-11T19:15:07Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"01a33338-fd2f-4d7d-ba74-ab286010c990","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-11T19:15:07Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"01a33338-fd2f-4d7d-ba74-ab286010c990","config":{"Name":"subscription-valid","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-11T19:15:07Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"01a33338-fd2f-4d7d-ba74-ab286010c990","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-11T19:15:07Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"01a33338-fd2f-4d7d-ba74-ab286010c990","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-11T19:15:07Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"01a33338-fd2f-4d7d-ba74-ab286010c990","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-11T19:15:07Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"01a33338-fd2f-4d7d-ba74-ab286010c990","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"}
{"level":"debug","ts":"2026-06-11T19:15:07Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"01a33338-fd2f-4d7d-ba74-ab286010c990","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"groups","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"userid","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"subscription_info","Value":{}}]},"Plain":null},"object":{"groups":["system:authenticated","Engineering","Project-Alpha"],"groups_str":"system:authenticated,Engineering,Project-Alpha","keyId":"ec883235-df3e-4079-ae08-4a3dc565de3f","selected_subscription":"simulator-subscription","selected_subscription_key":"models-as-a-service/simulator-subscription@llm/facebook-opt-125m-simulated","subscription_error":"","subscription_error_message":"","subscription_info":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true},"userid":"alice_lead"}}
{"level":"info","ts":"2026-06-11T19:15:07Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"01a33338-fd2f-4d7d-ba74-ab286010c990","authorized":true,"response":"OK"}
{"level":"debug","ts":"2026-06-11T19:15:07Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"01a33338-fd2f-4d7d-ba74-ab286010c990","authorized":true,"response":"OK"}
{"level":"info","ts":"2026-06-11T19:15:07Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"f73665a2-e152-40cf-bb7d-b89db79a1f2a","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.16:54724","PortSpecifier":{"PortValue":54724}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.33:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"f73665a2-e152-40cf-bb7d-b89db79a1f2a","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.e08edb4b-7b9e-4909-8877-5600f6e4ef3c.prod.konfluxeaas.com","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-11T19:15:07Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"f73665a2-e152-40cf-bb7d-b89db79a1f2a","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.16:54724","PortSpecifier":{"PortValue":54724}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.33:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781205307,"nanos":639189039},"http":{"id":"f73665a2-e152-40cf-bb7d-b89db79a1f2a","method":"POST","headers":{":authority":"maas.apps.e08edb4b-7b9e-4909-8877-5600f6e4ef3c.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-11T19:15:07Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"f73665a2-e152-40cf-bb7d-b89db79a1f2a","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781205607,"groups":["Engineering","Project-Alpha"],"iat":1781205307,"iss":"https://keycloak.apps.e08edb4b-7b9e-4909-8877-5600f6e4ef3c.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:5d912c6a-516d-1a74-90bc-d45d4bb35843","preferred_username":"alice_lead","scope":"email profile","sid":"ld8lsBE9GAFj5vBt_OnPixuI","sub":"3d15beb9-28e0-4c96-b0e1-80a1a1abff3c","typ":"Bearer"}}
{"level":"debug","ts":"2026-06-11T19:15:07Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"f73665a2-e152-40cf-bb7d-b89db79a1f2a","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781205607,"groups":["Engineering","Project-Alpha"],"iat":1781205307,"iss":"https://keycloak.apps.e08edb4b-7b9e-4909-8877-5600f6e4ef3c.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:5d912c6a-516d-1a74-90bc-d45d4bb35843","preferred_username":"alice_lead","scope":"email profile","sid":"ld8lsBE9GAFj5vBt_OnPixuI","sub":"3d15beb9-28e0-4c96-b0e1-80a1a1abff3c","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.133.0.33:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.e08edb4b-7b9e-4909-8877-5600f6e4ef3c.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-11T19:15:07Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"f73665a2-e152-40cf-bb7d-b89db79a1f2a","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-11T19:15:07Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"f73665a2-e152-40cf-bb7d-b89db79a1f2a","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-11T19:15:07Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"f73665a2-e152-40cf-bb7d-b89db79a1f2a","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-11T19:15:07Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"f73665a2-e152-40cf-bb7d-b89db79a1f2a","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"groups_str","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"groups","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"userid","Value":{}}]},"Plain":null},"reason":"no such key: metadata"}
{"level":"debug","ts":"2026-06-11T19:15:07Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"f73665a2-e152-40cf-bb7d-b89db79a1f2a","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"}
{"level":"debug","ts":"2026-06-11T19:15:07Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"f73665a2-e152-40cf-bb7d-b89db79a1f2a","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"}
{"level":"info","ts":"2026-06-11T19:15:07Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"f73665a2-e152-40cf-bb7d-b89db79a1f2a","authorized":true,"response":"OK"}
{"level":"debug","ts":"2026-06-11T19:15:07Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"f73665a2-e152-40cf-bb7d-b89db79a1f2a","authorized":true,"response":"OK"}
{"level":"info","ts":"2026-06-11T19:15:07Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"67902d08-0d89-48d5-bb99-ab528d846bf6","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.16:54738","PortSpecifier":{"PortValue":54738}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.33:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"67902d08-0d89-48d5-bb99-ab528d846bf6","method":"DELETE","path":"/maas-api/v1/api-keys/8dfc6e0c-937a-4cb5-a732-11a228da2d97","host":"maas.apps.e08edb4b-7b9e-4909-8877-5600f6e4ef3c.prod.konfluxeaas.com","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-11T19:15:07Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"67902d08-0d89-48d5-bb99-ab528d846bf6","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.16:54738","PortSpecifier":{"PortValue":54738}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.33:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781205307,"nanos":668901905},"http":{"id":"67902d08-0d89-48d5-bb99-ab528d846bf6","method":"DELETE","headers":{":authority":"maas.apps.e08edb4b-7b9e-4909-8877-5600f6e4ef3c.prod.konfluxeaas.com",":method":"DELETE",":path":"/maas-api/v1/api-keys/8dfc6e0c-937a-4cb5-a732-11a228da2d97",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-11T19:15:07Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"67902d08-0d89-48d5-bb99-ab528d846bf6","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781205607,"groups":["Engineering","Project-Alpha"],"iat":1781205307,"iss":"https://keycloak.apps.e08edb4b-7b9e-4909-8877-5600f6e4ef3c.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:5d912c6a-516d-1a74-90bc-d45d4bb35843","preferred_username":"alice_lead","scope":"email profile","sid":"ld8lsBE9GAFj5vBt_OnPixuI","sub":"3d15beb9-28e0-4c96-b0e1-80a1a1abff3c","typ":"Bearer"}}
{"level":"debug","ts":"2026-06-11T19:15:07Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"67902d08-0d89-48d5-bb99-ab528d846bf6","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781205607,"groups":["Engineering","Project-Alpha"],"iat":1781205307,"iss":"https://keycloak.apps.e08edb4b-7b9e-4909-8877-5600f6e4ef3c.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:5d912c6a-516d-1a74-90bc-d45d4bb35843","preferred_username":"alice_lead","scope":"email profile","sid":"ld8lsBE9GAFj5vBt_OnPixuI","sub":"3d15beb9-28e0-4c96-b0e1-80a1a1abff3c","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.133.0.33:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.e08edb4b-7b9e-4909-8877-5600f6e4ef3c.prod.konfluxeaas.com",":method":"DELETE",":path":"/maas-api/v1/api-keys/8dfc6e0c-937a-4cb5-a732-11a228da2d97",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-11T19:15:07Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"67902d08-0d89-48d5-bb99-ab528d846bf6","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-11T19:15:07Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"67902d08-0d89-48d5-bb99-ab528d846bf6","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-11T19:15:07Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"67902d08-0d89-48d5-bb99-ab528d846bf6","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-11T19:15:07Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"67902d08-0d89-48d5-bb99-ab528d846bf6","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"groups_str","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"groups","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"userid","Value":{}}]},"Plain":null},"reason":"no such key: metadata"}
{"level":"debug","ts":"2026-06-11T19:15:07Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"67902d08-0d89-48d5-bb99-ab528d846bf6","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"}
{"level":"debug","ts":"2026-06-11T19:15:07Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"67902d08-0d89-48d5-bb99-ab528d846bf6","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"}
{"level":"info","ts":"2026-06-11T19:15:07Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"67902d08-0d89-48d5-bb99-ab528d846bf6","authorized":true,"response":"OK"}
{"level":"debug","ts":"2026-06-11T19:15:07Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"67902d08-0d89-48d5-bb99-ab528d846bf6","authorized":true,"response":"OK"}
{"level":"info","ts":"2026-06-11T19:15:10Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"295768e3-d3d3-4e84-8b26-b568358d1903","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.16:54748","PortSpecifier":{"PortValue":54748}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.33:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"295768e3-d3d3-4e84-8b26-b568358d1903","method":"GET","path":"/maas-api/v1/models","host":"maas.apps.e08edb4b-7b9e-4909-8877-5600f6e4ef3c.prod.konfluxeaas.com","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-11T19:15:10Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"295768e3-d3d3-4e84-8b26-b568358d1903","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.16:54748","PortSpecifier":{"PortValue":54748}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.33:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781205310,"nanos":703943650},"http":{"id":"295768e3-d3d3-4e84-8b26-b568358d1903","method":"GET","headers":{":authority":"maas.apps.e08edb4b-7b9e-4909-8877-5600f6e4ef3c.prod.konfluxeaas.com",":method":"GET",":path":"/maas-api/v1/models",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-11T19:15:10Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"295768e3-d3d3-4e84-8b26-b568358d1903","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-nqBnRu9XwQfCydn4_uAytggpO1y0WMhA60wfjdsiZ3pmr12zNXcfszNBcNe0"}
{"level":"debug","ts":"2026-06-11T19:15:10Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"295768e3-d3d3-4e84-8b26-b568358d1903","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-nqBnRu9XwQfCydn4_uAytggpO1y0WMhA60wfjdsiZ3pmr12zNXcfszNBcNe0\"}"}
{"level":"debug","ts":"2026-06-11T19:15:10Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"295768e3-d3d3-4e84-8b26-b568358d1903","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** revoked or expired","valid":false}}
{"level":"debug","ts":"2026-06-11T19:15:10Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"295768e3-d3d3-4e84-8b26-b568358d1903","input":{"auth":{"identity":"Bearer **** revoked or expired","valid":false}}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.133.0.33:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.e08edb4b-7b9e-4909-8877-5600f6e4ef3c.prod.konfluxeaas.com",":method":"GET",":path":"/maas-api/v1/models",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-11T19:15:10Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access denied","request id":"295768e3-d3d3-4e84-8b26-b568358d1903","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"reason":"Unauthorized"}
{"level":"info","ts":"2026-06-11T19:15:10Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"295768e3-d3d3-4e84-8b26-b568358d1903","authorized":false,"response":"PERMISSION_DENIED","object":{"code":7,"status":403,"message":"Unauthorized"}}
{"level":"debug","ts":"2026-06-11T19:15:10Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"295768e3-d3d3-4e84-8b26-b568358d1903","authorized":false,"response":"PERMISSION_DENIED","object":{"code":7,"status":403,"message":"Unauthorized","headers":[{"content-type":"text/plain"},{"x-ext-auth-reason":""}]}}
{"level":"info","ts":"2026-06-11T19:15:10Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"6aaf4ece-3ff3-447f-8a2b-efc6dad558bd","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.16:54762","PortSpecifier":{"PortValue":54762}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.33:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"6aaf4ece-3ff3-447f-8a2b-efc6dad558bd","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.e08edb4b-7b9e-4909-8877-5600f6e4ef3c.prod.konfluxeaas.com","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-11T19:15:10Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"6aaf4ece-3ff3-447f-8a2b-efc6dad558bd","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.16:54762","PortSpecifier":{"PortValue":54762}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.33:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781205310,"nanos":831424214},"http":{"id":"6aaf4ece-3ff3-447f-8a2b-efc6dad558bd","method":"POST","headers":{":authority":"maas.apps.e08edb4b-7b9e-4909-8877-5600f6e4ef3c.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-11T19:15:10Z","logger":"authorino.service.auth.authpipeline.identity","msg":"cannot validate identity","request id":"6aaf4ece-3ff3-447f-8a2b-efc6dad558bd","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"reason":"failed to verify signature: failed to verify id token signature"}
{"level":"debug","ts":"2026-06-11T19:15:10Z","logger":"authorino.service.auth.authpipeline.identity.kubernetesauth","msg":"calling kubernetes token review api","request id":"6aaf4ece-3ff3-447f-8a2b-efc6dad558bd","tokenreview":{"name":""}}
{"level":"debug","ts":"2026-06-11T19:15:10Z","logger":"authorino.service.auth.authpipeline.identity","msg":"cannot validate identity","request id":"6aaf4ece-3ff3-447f-8a2b-efc6dad558bd","config":{"Name":"openshift-identities","Priority":2,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":null,"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"Plain":null,"Noop":null,"ExtendedProperties":[]},"reason":"not authenticated"}
{"level":"info","ts":"2026-06-11T19:15:10Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"6aaf4ece-3ff3-447f-8a2b-efc6dad558bd","authorized":false,"response":"UNAUTHENTICATED","object":{"code":16,"status":401,"message":"Authentication required"}}
{"level":"debug","ts":"2026-06-11T19:15:10Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"6aaf4ece-3ff3-447f-8a2b-efc6dad558bd","authorized":false,"response":"UNAUTHENTICATED","object":{"code":16,"status":401,"message":"Authentication required","headers":[{"WWW-Authenticate":"request.headers.authorization realm=\"api-keys\""},{"WWW-Authenticate":"Bearer **** realm=\"openshift-identities\""}]}}
{"level":"info","ts":"2026-06-11T19:15:10Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"ca70bd84-9360-4a6f-a43a-9a88c75a3762","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.16:54774","PortSpecifier":{"PortValue":54774}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.33:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"ca70bd84-9360-4a6f-a43a-9a88c75a3762","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.e08edb4b-7b9e-4909-8877-5600f6e4ef3c.prod.konfluxeaas.com","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-11T19:15:10Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"ca70bd84-9360-4a6f-a43a-9a88c75a3762","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.16:54774","PortSpecifier":{"PortValue":54774}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.33:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781205310,"nanos":996125268},"http":{"id":"ca70bd84-9360-4a6f-a43a-9a88c75a3762","method":"POST","headers":{":authority":"maas.apps.e08edb4b-7b9e-4909-8877-5600f6e4ef3c.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-11T19:15:10Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"ca70bd84-9360-4a6f-a43a-9a88c75a3762","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781205610,"groups":["Engineering","Project-Alpha"],"iat":1781205310,"iss":"https://keycloak.apps.e08edb4b-7b9e-4909-8877-5600f6e4ef3c.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:907eb684-21af-803e-abc8-519108247397","preferred_username":"alice_lead","scope":"email profile","sid":"8PEDNrH72FaXXHRD0ySbMdGf","sub":"3d15beb9-28e0-4c96-b0e1-80a1a1abff3c","typ":"Bearer"}}
{"level":"debug","ts":"2026-06-11T19:15:10Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"ca70bd84-9360-4a6f-a43a-9a88c75a3762","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781205610,"groups":["Engineering","Project-Alpha"],"iat":1781205310,"iss":"https://keycloak.apps.e08edb4b-7b9e-4909-8877-5600f6e4ef3c.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:907eb684-21af-803e-abc8-519108247397","preferred_username":"alice_lead","scope":"email profile","sid":"8PEDNrH72FaXXHRD0ySbMdGf","sub":"3d15beb9-28e0-4c96-b0e1-80a1a1abff3c","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.133.0.33:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.e08edb4b-7b9e-4909-8877-5600f6e4ef3c.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-11T19:15:10Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"ca70bd84-9360-4a6f-a43a-9a88c75a3762","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-11T19:15:10Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"ca70bd84-9360-4a6f-a43a-9a88c75a3762","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-11T19:15:11Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"ca70bd84-9360-4a6f-a43a-9a88c75a3762","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-11T19:15:11Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"ca70bd84-9360-4a6f-a43a-9a88c75a3762","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"groups_str","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"groups","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"userid","Value":{}}]},"Plain":null},"reason":"no such key: metadata"}
{"level":"debug","ts":"2026-06-11T19:15:11Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"ca70bd84-9360-4a6f-a43a-9a88c75a3762","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"}
{"level":"debug","ts":"2026-06-11T19:15:11Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"ca70bd84-9360-4a6f-a43a-9a88c75a3762","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"}
{"level":"info","ts":"2026-06-11T19:15:11Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"ca70bd84-9360-4a6f-a43a-9a88c75a3762","authorized":true,"response":"OK"}
{"level":"debug","ts":"2026-06-11T19:15:11Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"ca70bd84-9360-4a6f-a43a-9a88c75a3762","authorized":true,"response":"OK"}
{"level":"info","ts":"2026-06-11T19:15:11Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"a8e5cbb3-bfd7-4b50-a983-38a4e8235c19","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.16:54776","PortSpecifier":{"PortValue":54776}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.33:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"a8e5cbb3-bfd7-4b50-a983-38a4e8235c19","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.e08edb4b-7b9e-4909-8877-5600f6e4ef3c.prod.konfluxeaas.com","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-11T19:15:11Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"a8e5cbb3-bfd7-4b50-a983-38a4e8235c19","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.16:54776","PortSpecifier":{"PortValue":54776}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.33:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781205311,"nanos":29791938},"http":{"id":"a8e5cbb3-bfd7-4b50-a983-38a4e8235c19","method":"POST","headers":{":authority":"maas.apps.e08edb4b-7b9e-4909-8877-5600f6e4ef3c.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-11T19:15:11Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"a8e5cbb3-bfd7-4b50-a983-38a4e8235c19","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781205610,"groups":["Site-Reliability"],"iat":1781205310,"iss":"https://keycloak.apps.e08edb4b-7b9e-4909-8877-5600f6e4ef3c.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:5b7fde23-3176-56ad-a568-46d4f4a135f9","preferred_username":"bob_sre","scope":"email profile","sid":"_ZHuMaTCfjRMWBKbyeWmm-z0","sub":"5e3d1501-d48d-430b-aaec-cb12ec0993f5","typ":"Bearer"}}
{"level":"debug","ts":"2026-06-11T19:15:11Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"a8e5cbb3-bfd7-4b50-a983-38a4e8235c19","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781205610,"groups":["Site-Reliability"],"iat":1781205310,"iss":"https://keycloak.apps.e08edb4b-7b9e-4909-8877-5600f6e4ef3c.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:5b7fde23-3176-56ad-a568-46d4f4a135f9","preferred_username":"bob_sre","scope":"email profile","sid":"_ZHuMaTCfjRMWBKbyeWmm-z0","sub":"5e3d1501-d48d-430b-aaec-cb12ec0993f5","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.133.0.33:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.e08edb4b-7b9e-4909-8877-5600f6e4ef3c.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-11T19:15:11Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"a8e5cbb3-bfd7-4b50-a983-38a4e8235c19","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-11T19:15:11Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"a8e5cbb3-bfd7-4b50-a983-38a4e8235c19","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-11T19:15:11Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"a8e5cbb3-bfd7-4b50-a983-38a4e8235c19","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-11T19:15:11Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"a8e5cbb3-bfd7-4b50-a983-38a4e8235c19","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"groups_str","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"groups","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"userid","Value":{}}]},"Plain":null},"reason":"no such key: metadata"}
{"level":"debug","ts":"2026-06-11T19:15:11Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"a8e5cbb3-bfd7-4b50-a983-38a4e8235c19","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Site-Reliability\"]"}
{"level":"debug","ts":"2026-06-11T19:15:11Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"a8e5cbb3-bfd7-4b50-a983-38a4e8235c19","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"bob_sre"}
{"level":"info","ts":"2026-06-11T19:15:11Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"a8e5cbb3-bfd7-4b50-a983-38a4e8235c19","authorized":true,"response":"OK"}
{"level":"debug","ts":"2026-06-11T19:15:11Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"a8e5cbb3-bfd7-4b50-a983-38a4e8235c19","authorized":true,"response":"OK"}
{"level":"info","ts":"2026-06-11T19:15:11Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"b18ec414-c3e6-49db-95c8-20bf8902eecf","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.16:54792","PortSpecifier":{"PortValue":54792}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.33:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"b18ec414-c3e6-49db-95c8-20bf8902eecf","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.e08edb4b-7b9e-4909-8877-5600f6e4ef3c.prod.konfluxeaas.com","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-11T19:15:11Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"b18ec414-c3e6-49db-95c8-20bf8902eecf","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.16:54792","PortSpecifier":{"PortValue":54792}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.33:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781205311,"nanos":134189228},"http":{"id":"b18ec414-c3e6-49db-95c8-20bf8902eecf","method":"POST","headers":{":authority":"maas.apps.e08edb4b-7b9e-4909-8877-5600f6e4ef3c.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-11T19:15:11Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"b18ec414-c3e6-49db-95c8-20bf8902eecf","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781205611,"groups":["Engineering","Project-Alpha"],"iat":1781205311,"iss":"https://keycloak.apps.e08edb4b-7b9e-4909-8877-5600f6e4ef3c.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:8e186d90-a812-2472-4890-a995939ef659","preferred_username":"alice_lead","scope":"email profile","sid":"eMQ73odiYFHbno3xIVRkxF0s","sub":"3d15beb9-28e0-4c96-b0e1-80a1a1abff3c","typ":"Bearer"}}
{"level":"debug","ts":"2026-06-11T19:15:11Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"b18ec414-c3e6-49db-95c8-20bf8902eecf","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781205611,"groups":["Engineering","Project-Alpha"],"iat":1781205311,"iss":"https://keycloak.apps.e08edb4b-7b9e-4909-8877-5600f6e4ef3c.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:8e186d90-a812-2472-4890-a995939ef659","preferred_username":"alice_lead","scope":"email profile","sid":"eMQ73odiYFHbno3xIVRkxF0s","sub":"3d15beb9-28e0-4c96-b0e1-80a1a1abff3c","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.133.0.33:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.e08edb4b-7b9e-4909-8877-5600f6e4ef3c.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-11T19:15:11Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"b18ec414-c3e6-49db-95c8-20bf8902eecf","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-11T19:15:11Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"b18ec414-c3e6-49db-95c8-20bf8902eecf","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-11T19:15:11Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"b18ec414-c3e6-49db-95c8-20bf8902eecf","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-11T19:15:11Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"b18ec414-c3e6-49db-95c8-20bf8902eecf","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"groups_str","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"groups","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"userid","Value":{}}]},"Plain":null},"reason":"no such key: metadata"}
{"level":"debug","ts":"2026-06-11T19:15:11Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"b18ec414-c3e6-49db-95c8-20bf8902eecf","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"}
{"level":"debug","ts":"2026-06-11T19:15:11Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"b18ec414-c3e6-49db-95c8-20bf8902eecf","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"}
{"level":"info","ts":"2026-06-11T19:15:11Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"b18ec414-c3e6-49db-95c8-20bf8902eecf","authorized":true,"response":"OK"}
{"level":"debug","ts":"2026-06-11T19:15:11Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"b18ec414-c3e6-49db-95c8-20bf8902eecf","authorized":true,"response":"OK"}
{"level":"info","ts":"2026-06-11T19:15:11Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"c6c42f84-8185-48ef-874a-19f78c89267e","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.16:54802","PortSpecifier":{"PortValue":54802}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.33:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"c6c42f84-8185-48ef-874a-19f78c89267e","method":"DELETE","path":"/maas-api/v1/api-keys/d92ee935-eaca-49ee-a387-18cb566ccc00","host":"maas.apps.e08edb4b-7b9e-4909-8877-5600f6e4ef3c.prod.konfluxeaas.com","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-11T19:15:11Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"c6c42f84-8185-48ef-874a-19f78c89267e","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.16:54802","PortSpecifier":{"PortValue":54802}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.33:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781205311,"nanos":161483008},"http":{"id":"c6c42f84-8185-48ef-874a-19f78c89267e","method":"DELETE","headers":{":authority":"maas.apps.e08edb4b-7b9e-4909-8877-5600f6e4ef3c.prod.konfluxeaas.com",":method":"DELETE",":path":"/maas-api/v1/api-keys/d92ee935-eaca-49ee-a387-18cb566ccc00",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-11T19:15:11Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"c6c42f84-8185-48ef-874a-19f78c89267e","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781205611,"groups":["Engineering","Project-Alpha"],"iat":1781205311,"iss":"https://keycloak.apps.e08edb4b-7b9e-4909-8877-5600f6e4ef3c.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:8e186d90-a812-2472-4890-a995939ef659","preferred_username":"alice_lead","scope":"email profile","sid":"eMQ73odiYFHbno3xIVRkxF0s","sub":"3d15beb9-28e0-4c96-b0e1-80a1a1abff3c","typ":"Bearer"}}
{"level":"debug","ts":"2026-06-11T19:15:11Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"c6c42f84-8185-48ef-874a-19f78c89267e","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781205611,"groups":["Engineering","Project-Alpha"],"iat":1781205311,"iss":"https://keycloak.apps.e08edb4b-7b9e-4909-8877-5600f6e4ef3c.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:8e186d90-a812-2472-4890-a995939ef659","preferred_username":"alice_lead","scope":"email profile","sid":"eMQ73odiYFHbno3xIVRkxF0s","sub":"3d15beb9-28e0-4c96-b0e1-80a1a1abff3c","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.133.0.33:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.e08edb4b-7b9e-4909-8877-5600f6e4ef3c.prod.konfluxeaas.com",":method":"DELETE",":path":"/maas-api/v1/api-keys/d92ee935-eaca-49ee-a387-18cb566ccc00",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-11T19:15:11Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"c6c42f84-8185-48ef-874a-19f78c89267e","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-11T19:15:11Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"c6c42f84-8185-48ef-874a-19f78c89267e","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-11T19:15:11Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"c6c42f84-8185-48ef-874a-19f78c89267e","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-11T19:15:11Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"c6c42f84-8185-48ef-874a-19f78c89267e","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"groups_str","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"groups","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"userid","Value":{}}]},"Plain":null},"reason":"no such key: metadata"}
{"level":"debug","ts":"2026-06-11T19:15:11Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"c6c42f84-8185-48ef-874a-19f78c89267e","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"}
{"level":"debug","ts":"2026-06-11T19:15:11Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"c6c42f84-8185-48ef-874a-19f78c89267e","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"}
{"level":"info","ts":"2026-06-11T19:15:11Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"c6c42f84-8185-48ef-874a-19f78c89267e","authorized":true,"response":"OK"}
{"level":"debug","ts":"2026-06-11T19:15:11Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"c6c42f84-8185-48ef-874a-19f78c89267e","authorized":true,"response":"OK"}
{"level":"info","ts":"2026-06-11T19:15:11Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"61b80991-8355-4959-a200-b3caf1be085e","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.16:54812","PortSpecifier":{"PortValue":54812}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.33:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"61b80991-8355-4959-a200-b3caf1be085e","method":"DELETE","path":"/maas-api/v1/api-keys/d92ee935-eaca-49ee-a387-18cb566ccc00","host":"maas.apps.e08edb4b-7b9e-4909-8877-5600f6e4ef3c.prod.konfluxeaas.com","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-11T19:15:11Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"61b80991-8355-4959-a200-b3caf1be085e","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.16:54812","PortSpecifier":{"PortValue":54812}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.33:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781205311,"nanos":187547176},"http":{"id":"61b80991-8355-4959-a200-b3caf1be085e","method":"DELETE","headers":{":authority":"maas.apps.e08edb4b-7b9e-4909-8877-5600f6e4ef3c.prod.konfluxeaas.com",":method":"DELETE",":path":"/maas-api/v1/api-keys/d92ee935-eaca-49ee-a387-18cb566ccc00",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-11T19:15:11Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"61b80991-8355-4959-a200-b3caf1be085e","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781205611,"groups":["Engineering","Project-Alpha"],"iat":1781205311,"iss":"https://keycloak.apps.e08edb4b-7b9e-4909-8877-5600f6e4ef3c.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:8e186d90-a812-2472-4890-a995939ef659","preferred_username":"alice_lead","scope":"email profile","sid":"eMQ73odiYFHbno3xIVRkxF0s","sub":"3d15beb9-28e0-4c96-b0e1-80a1a1abff3c","typ":"Bearer"}}
{"level":"debug","ts":"2026-06-11T19:15:11Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"61b80991-8355-4959-a200-b3caf1be085e","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781205611,"groups":["Engineering","Project-Alpha"],"iat":1781205311,"iss":"https://keycloak.apps.e08edb4b-7b9e-4909-8877-5600f6e4ef3c.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:8e186d90-a812-2472-4890-a995939ef659","preferred_username":"alice_lead","scope":"email profile","sid":"eMQ73odiYFHbno3xIVRkxF0s","sub":"3d15beb9-28e0-4c96-b0e1-80a1a1abff3c","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.133.0.33:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.e08edb4b-7b9e-4909-8877-5600f6e4ef3c.prod.konfluxeaas.com",":method":"DELETE",":path":"/maas-api/v1/api-keys/d92ee935-eaca-49ee-a387-18cb566ccc00",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-11T19:15:11Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"61b80991-8355-4959-a200-b3caf1be085e","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-11T19:15:11Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"61b80991-8355-4959-a200-b3caf1be085e","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-11T19:15:11Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"61b80991-8355-4959-a200-b3caf1be085e","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-11T19:15:11Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"61b80991-8355-4959-a200-b3caf1be085e","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"groups_str","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"groups","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"userid","Value":{}}]},"Plain":null},"reason":"no such key: metadata"}
{"level":"debug","ts":"2026-06-11T19:15:11Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"61b80991-8355-4959-a200-b3caf1be085e","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"}
{"level":"debug","ts":"2026-06-11T19:15:11Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"61b80991-8355-4959-a200-b3caf1be085e","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"}
{"level":"info","ts":"2026-06-11T19:15:11Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"61b80991-8355-4959-a200-b3caf1be085e","authorized":true,"response":"OK"}
{"level":"debug","ts":"2026-06-11T19:15:11Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"61b80991-8355-4959-a200-b3caf1be085e","authorized":true,"response":"OK"}
{"level":"info","ts":"2026-06-11T19:15:11Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"90d0070b-9349-452e-9fc6-0985fb25f07e","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.16:54820","PortSpecifier":{"PortValue":54820}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.33:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"90d0070b-9349-452e-9fc6-0985fb25f07e","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.e08edb4b-7b9e-4909-8877-5600f6e4ef3c.prod.konfluxeaas.com","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-11T19:15:11Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"90d0070b-9349-452e-9fc6-0985fb25f07e","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.16:54820","PortSpecifier":{"PortValue":54820}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.33:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781205311,"nanos":281316474},"http":{"id":"90d0070b-9349-452e-9fc6-0985fb25f07e","method":"POST","headers":{":authority":"maas.apps.e08edb4b-7b9e-4909-8877-5600f6e4ef3c.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-11T19:15:11Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"90d0070b-9349-452e-9fc6-0985fb25f07e","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781205611,"groups":["Engineering","Project-Alpha"],"iat":1781205311,"iss":"https://keycloak.apps.e08edb4b-7b9e-4909-8877-5600f6e4ef3c.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:582d6347-fc51-be7d-bd72-7dee66fa19fa","preferred_username":"alice_lead","scope":"email profile","sid":"KjWSLfWfLOkQNeWNTpwLorfh","sub":"3d15beb9-28e0-4c96-b0e1-80a1a1abff3c","typ":"Bearer"}}
{"level":"debug","ts":"2026-06-11T19:15:11Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"90d0070b-9349-452e-9fc6-0985fb25f07e","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781205611,"groups":["Engineering","Project-Alpha"],"iat":1781205311,"iss":"https://keycloak.apps.e08edb4b-7b9e-4909-8877-5600f6e4ef3c.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:582d6347-fc51-be7d-bd72-7dee66fa19fa","preferred_username":"alice_lead","scope":"email profile","sid":"KjWSLfWfLOkQNeWNTpwLorfh","sub":"3d15beb9-28e0-4c96-b0e1-80a1a1abff3c","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.133.0.33:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.e08edb4b-7b9e-4909-8877-5600f6e4ef3c.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-11T19:15:11Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"90d0070b-9349-452e-9fc6-0985fb25f07e","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-11T19:15:11Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"90d0070b-9349-452e-9fc6-0985fb25f07e","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-11T19:15:11Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"90d0070b-9349-452e-9fc6-0985fb25f07e","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-11T19:15:11Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"90d0070b-9349-452e-9fc6-0985fb25f07e","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"groups_str","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"groups","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"userid","Value":{}}]},"Plain":null},"reason":"no such key: metadata"}
{"level":"debug","ts":"2026-06-11T19:15:11Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"90d0070b-9349-452e-9fc6-0985fb25f07e","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"}
{"level":"debug","ts":"2026-06-11T19:15:11Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"90d0070b-9349-452e-9fc6-0985fb25f07e","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"}
{"level":"info","ts":"2026-06-11T19:15:11Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"90d0070b-9349-452e-9fc6-0985fb25f07e","authorized":true,"response":"OK"}
{"level":"debug","ts":"2026-06-11T19:15:11Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"90d0070b-9349-452e-9fc6-0985fb25f07e","authorized":true,"response":"OK"}
{"level":"info","ts":"2026-06-11T19:15:11Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"18aa8250-85e5-4a26-8671-37f179c2cc3e","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.16:54828","PortSpecifier":{"PortValue":54828}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.33:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"18aa8250-85e5-4a26-8671-37f179c2cc3e","method":"GET","path":"/maas-api/v1/models","host":"maas.apps.e08edb4b-7b9e-4909-8877-5600f6e4ef3c.prod.konfluxeaas.com","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-11T19:15:11Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"18aa8250-85e5-4a26-8671-37f179c2cc3e","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.16:54828","PortSpecifier":{"PortValue":54828}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.33:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781205311,"nanos":317375529},"http":{"id":"18aa8250-85e5-4a26-8671-37f179c2cc3e","method":"GET","headers":{":authority":"maas.apps.e08edb4b-7b9e-4909-8877-5600f6e4ef3c.prod.konfluxeaas.com",":method":"GET",":path":"/maas-api/v1/models",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-11T19:15:11Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"18aa8250-85e5-4a26-8671-37f179c2cc3e","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-36EQr1zZQN7cgvQ5_ni4ngn54tcPYWnKiIvwnIgwKOoDgqPtTBGTGVhItPGf"}
{"level":"debug","ts":"2026-06-11T19:15:11Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"18aa8250-85e5-4a26-8671-37f179c2cc3e","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-36EQr1zZQN7cgvQ5_ni4ngn54tcPYWnKiIvwnIgwKOoDgqPtTBGTGVhItPGf\"}"}
{"level":"debug","ts":"2026-06-11T19:15:11Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"18aa8250-85e5-4a26-8671-37f179c2cc3e","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-11T19:15:11Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"18aa8250-85e5-4a26-8671-37f179c2cc3e","input":{"auth":{"identity":"Bearer **** deflate","authorization":"Bearer **** deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-11T19:15:11Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"18aa8250-85e5-4a26-8671-37f179c2cc3e","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-11T19:15:11Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"18aa8250-85e5-4a26-8671-37f179c2cc3e","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-11T19:15:11Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"18aa8250-85e5-4a26-8671-37f179c2cc3e","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-11T19:15:11Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"18aa8250-85e5-4a26-8671-37f179c2cc3e","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-11T19:15:11Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"18aa8250-85e5-4a26-8671-37f179c2cc3e","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-11T19:15:11Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"18aa8250-85e5-4a26-8671-37f179c2cc3e","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"}
{"level":"debug","ts":"2026-06-11T19:15:11Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"18aa8250-85e5-4a26-8671-37f179c2cc3e","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"groups_str","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"groups","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"userid","Value":{}}]},"Plain":null},"reason":"no such key: subscription-info"}
{"level":"info","ts":"2026-06-11T19:15:11Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"18aa8250-85e5-4a26-8671-37f179c2cc3e","authorized":true,"response":"OK"}
{"level":"debug","ts":"2026-06-11T19:15:11Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"18aa8250-85e5-4a26-8671-37f179c2cc3e","authorized":true,"response":"OK"}
{"level":"info","ts":"2026-06-11T19:15:11Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"123b3735-d156-4902-af5e-9ec6a305d291","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.47:41440","PortSpecifier":{"PortValue":41440}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.33:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"123b3735-d156-4902-af5e-9ec6a305d291","method":"GET","path":"/llm/facebook-opt-125m-simulated/v1/models","host":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-11T19:15:11Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"123b3735-d156-4902-af5e-9ec6a305d291","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.47:41440","PortSpecifier":{"PortValue":41440}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.33:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781205311,"nanos":324016622},"http":{"id":"123b3735-d156-4902-af5e-9ec6a305d291","method":"GET","headers":{":authority":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local",":method":"GET",":path":"/llm/facebook-opt-125m-simulated/v1/models",":scheme":"https","accept-encoding":"gzip","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-11T19:15:11Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"123b3735-d156-4902-af5e-9ec6a305d291","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-36EQr1zZQN7cgvQ5_ni4ngn54tcPYWnKiIvwnIgwKOoDgqPtTBGTGVhItPGf"}
{"level":"debug","ts":"2026-06-11T19:15:11Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"123b3735-d156-4902-af5e-9ec6a305d291","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-36EQr1zZQN7cgvQ5_ni4ngn54tcPYWnKiIvwnIgwKOoDgqPtTBGTGVhItPGf\"}"}
{"level":"debug","ts":"2026-06-11T19:15:11Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"123b3735-d156-4902-af5e-9ec6a305d291","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-11T19:15:11Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"123b3735-d156-4902-af5e-9ec6a305d291","config":"subscription-info","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","headers":{"Content-Type":["application/json"]},"body":"{\"groups\":[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"],\"requestedModel\":\"llm/facebook-opt-125m-simulated\",\"requestedSubscription\":\"simulator-subscription\",\"username\":\"alice_lead\"}"}
{"level":"debug","ts":"2026-06-11T19:15:11Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"123b3735-d156-4902-af5e-9ec6a305d291","config":{"Name":"subscription-info","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"UserInfo":null,"UMA":null,"GenericHTTP":{"Endpoint":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","DynamicEndpoint":null,"Method":"POST","Body":{},"Parameters":[],"Headers":[],"ContentType":"application/json","SharedSecret":"","OAuth2":null,"OAuth2TokenForceFetch":false,"AuthCredentials":null}},"object":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}}
{"level":"debug","ts":"2026-06-11T19:15:11Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"123b3735-d156-4902-af5e-9ec6a305d291","input":{"auth":{"identity":"Bearer **** subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}}},"context":{"context_extensions":{"host":"3dd75e19cd66d310c30638e330078972afd6d2d96305f91055bc6a6f363fb8d3"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.133.0.33:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local",":method":"GET",":path":"/llm/facebook-opt-125m-simulated/v1/models",":scheme":"https","accept-encoding":"gzip","authorization":"Bearer **** sk-oai-36EQr1zZQN7cgvQ5_ni4ngn54tcPYWnKiIvwnIgwKOoDgqPtTBGTGVhItPGf","user-agent":"Go-http-client/1.1","x-envoy-decorator-operation":"facebook-opt-125m-simulated-kserve-workload-svc.llm.svc.cluster.local:8000/*","x-envoy-external-address":"10.134.0.47","x-envoy-peer-metadata":"ChoKCkNMVVNURVJfSUQSDBoKS3ViZXJuZXRlcwqLAQoGTEFCRUxTEoABKn4KSwofc2VydmljZS5pc3Rpby5pby9jYW5vbmljYWwtbmFtZRIoGiZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAovCiNzZXJ2aWNlLmlzdGlvLmlvL2Nhbm9uaWNhbC1yZXZpc2lvbhIIGgZsYXRlc3QKQAoETkFNRRI4GjZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdC02ODdmZjY5OTYtcXM0ZjQKIAoJTkFNRVNQQUNFEhMaEW9wZW5zaGlmdC1pbmdyZXNzCnQKBU9XTkVSEmsaaWt1YmVybmV0ZXM6Ly9hcGlzL2FwcHMvdjEvbmFtZXNwYWNlcy9vcGVuc2hpZnQtaW5ncmVzcy9kZXBsb3ltZW50cy9tYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAo5Cg1XT1JLTE9BRF9OQU1FEigaJm1hYXMtZGVmYXVsdC1nYXRld2F5LW9wZW5zaGlmdC1kZWZhdWx0","x-envoy-peer-metadata-id":"router~10.133.0.33~maas-default-gateway-openshift-default-687ff6996-qs4f4.openshift-ingress~openshift-ingress.svc.cluster.local","x-forwarded-for":"10.134.0.47","x-forwarded-proto":"https","x-maas-subscription":"simulator-subscription","x-request-id":"123b3735-d156-4902-af5e-9ec6a305d291"},"host":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local","id":"123b3735-d156-4902-af5e-9ec6a305d291","method":"GET","path":"/llm/facebook-opt-125m-simulated/v1/models","protocol":"HTTP/1.1","scheme":"https","time":{"nanos":324016622,"seconds":1781205311},"url_path":"/llm/facebook-opt-125m-simulated/v1/models","user_agent":"Go-http-client/1.1"},"source":{"address":"10.134.0.47:41440","port":41440}}}
{"level":"debug","ts":"2026-06-11T19:15:11Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"123b3735-d156-4902-af5e-9ec6a305d291","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-11T19:15:11Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"123b3735-d156-4902-af5e-9ec6a305d291","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-11T19:15:11Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"123b3735-d156-4902-af5e-9ec6a305d291","config":{"Name":"subscription-valid","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-11T19:15:11Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"123b3735-d156-4902-af5e-9ec6a305d291","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-11T19:15:11Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"123b3735-d156-4902-af5e-9ec6a305d291","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-11T19:15:11Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"123b3735-d156-4902-af5e-9ec6a305d291","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-11T19:15:11Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"123b3735-d156-4902-af5e-9ec6a305d291","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"}
{"level":"debug","ts":"2026-06-11T19:15:11Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"123b3735-d156-4902-af5e-9ec6a305d291","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"groups","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"userid","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_info","Value":{}}]},"Plain":null},"object":{"groups":["system:authenticated","Engineering","Project-Alpha"],"groups_str":"system:authenticated,Engineering,Project-Alpha","keyId":"9ddd664b-0a7d-451a-89de-6acbdca0f85e","selected_subscription":"simulator-subscription","selected_subscription_key":"models-as-a-service/simulator-subscription@llm/facebook-opt-125m-simulated","subscription_error":"","subscription_error_message":"","subscription_info":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true},"userid":"alice_lead"}}
{"level":"info","ts":"2026-06-11T19:15:11Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"123b3735-d156-4902-af5e-9ec6a305d291","authorized":true,"response":"OK"}
{"level":"debug","ts":"2026-06-11T19:15:11Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"123b3735-d156-4902-af5e-9ec6a305d291","authorized":true,"response":"OK"}
{"level":"info","ts":"2026-06-11T19:15:11Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"c090568b-7bfa-407f-ac5c-420bd61aeeb8","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.16:54840","PortSpecifier":{"PortValue":54840}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.33:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"c090568b-7bfa-407f-ac5c-420bd61aeeb8","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.e08edb4b-7b9e-4909-8877-5600f6e4ef3c.prod.konfluxeaas.com","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-11T19:15:11Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"c090568b-7bfa-407f-ac5c-420bd61aeeb8","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.16:54840","PortSpecifier":{"PortValue":54840}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.33:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781205311,"nanos":414056585},"http":{"id":"c090568b-7bfa-407f-ac5c-420bd61aeeb8","method":"POST","headers":{":authority":"maas.apps.e08edb4b-7b9e-4909-8877-5600f6e4ef3c.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-11T19:15:11Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"c090568b-7bfa-407f-ac5c-420bd61aeeb8","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781205611,"groups":["Engineering","Project-Alpha"],"iat":1781205311,"iss":"https://keycloak.apps.e08edb4b-7b9e-4909-8877-5600f6e4ef3c.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:31b8915f-1d36-d63f-cdcf-7210d3956bf7","preferred_username":"alice_lead","scope":"email profile","sid":"Vy1Oikvh29apVVGkCol5hoMD","sub":"3d15beb9-28e0-4c96-b0e1-80a1a1abff3c","typ":"Bearer"}}
{"level":"debug","ts":"2026-06-11T19:15:11Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"c090568b-7bfa-407f-ac5c-420bd61aeeb8","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781205611,"groups":["Engineering","Project-Alpha"],"iat":1781205311,"iss":"https://keycloak.apps.e08edb4b-7b9e-4909-8877-5600f6e4ef3c.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:31b8915f-1d36-d63f-cdcf-7210d3956bf7","preferred_username":"alice_lead","scope":"email profile","sid":"Vy1Oikvh29apVVGkCol5hoMD","sub":"3d15beb9-28e0-4c96-b0e1-80a1a1abff3c","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.133.0.33:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.e08edb4b-7b9e-4909-8877-5600f6e4ef3c.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-11T19:15:11Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"c090568b-7bfa-407f-ac5c-420bd61aeeb8","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-11T19:15:11Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"c090568b-7bfa-407f-ac5c-420bd61aeeb8","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-11T19:15:11Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"c090568b-7bfa-407f-ac5c-420bd61aeeb8","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-11T19:15:11Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"c090568b-7bfa-407f-ac5c-420bd61aeeb8","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"groups_str","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"groups","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"userid","Value":{}}]},"Plain":null},"reason":"no such key: metadata"}
{"level":"debug","ts":"2026-06-11T19:15:11Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"c090568b-7bfa-407f-ac5c-420bd61aeeb8","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"}
{"level":"debug","ts":"2026-06-11T19:15:11Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"c090568b-7bfa-407f-ac5c-420bd61aeeb8","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"}
{"level":"info","ts":"2026-06-11T19:15:11Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"c090568b-7bfa-407f-ac5c-420bd61aeeb8","authorized":true,"response":"OK"}
{"level":"debug","ts":"2026-06-11T19:15:11Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"c090568b-7bfa-407f-ac5c-420bd61aeeb8","authorized":true,"response":"OK"}
{"level":"info","ts":"2026-06-11T19:15:11Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"1528833e-9f85-4ab5-bc48-a3b4bedcaa87","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.16:54844","PortSpecifier":{"PortValue":54844}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.33:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"1528833e-9f85-4ab5-bc48-a3b4bedcaa87","method":"GET","path":"/maas-api/v1/models","host":"maas.apps.e08edb4b-7b9e-4909-8877-5600f6e4ef3c.prod.konfluxeaas.com","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-11T19:15:11Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"1528833e-9f85-4ab5-bc48-a3b4bedcaa87","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.16:54844","PortSpecifier":{"PortValue":54844}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.33:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781205311,"nanos":442883014},"http":{"id":"1528833e-9f85-4ab5-bc48-a3b4bedcaa87","method":"GET","headers":{":authority":"maas.apps.e08edb4b-7b9e-4909-8877-5600f6e4ef3c.prod.konfluxeaas.com",":method":"GET",":path":"/maas-api/v1/models",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-11T19:15:11Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"1528833e-9f85-4ab5-bc48-a3b4bedcaa87","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-RifdnnUysMLdTjDF_AfpFghOJeQfZNKD44doPCBRlAK7ywoKq0aZC6QN85yS"}
{"level":"debug","ts":"2026-06-11T19:15:11Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"1528833e-9f85-4ab5-bc48-a3b4bedcaa87","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-RifdnnUysMLdTjDF_AfpFghOJeQfZNKD44doPCBRlAK7ywoKq0aZC6QN85yS\"}"}
{"level":"debug","ts":"2026-06-11T19:15:11Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"1528833e-9f85-4ab5-bc48-a3b4bedcaa87","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-11T19:15:11Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"1528833e-9f85-4ab5-bc48-a3b4bedcaa87","input":{"auth":{"identity":"Bearer **** deflate","authorization":"Bearer **** deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-11T19:15:11Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"1528833e-9f85-4ab5-bc48-a3b4bedcaa87","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-11T19:15:11Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"1528833e-9f85-4ab5-bc48-a3b4bedcaa87","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-11T19:15:11Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"1528833e-9f85-4ab5-bc48-a3b4bedcaa87","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-11T19:15:11Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"1528833e-9f85-4ab5-bc48-a3b4bedcaa87","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-11T19:15:11Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"1528833e-9f85-4ab5-bc48-a3b4bedcaa87","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-11T19:15:11Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"1528833e-9f85-4ab5-bc48-a3b4bedcaa87","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"groups_str","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"groups","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"userid","Value":{}}]},"Plain":null},"reason":"no such key: subscription-info"}
{"level":"debug","ts":"2026-06-11T19:15:11Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"1528833e-9f85-4ab5-bc48-a3b4bedcaa87","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"}
{"level":"info","ts":"2026-06-11T19:15:11Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"1528833e-9f85-4ab5-bc48-a3b4bedcaa87","authorized":true,"response":"OK"}
{"level":"debug","ts":"2026-06-11T19:15:11Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"1528833e-9f85-4ab5-bc48-a3b4bedcaa87","authorized":true,"response":"OK"}
{"level":"info","ts":"2026-06-11T19:15:11Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"3d177fe6-845b-4e34-b131-3fd35ca4b232","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.16:54856","PortSpecifier":{"PortValue":54856}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.33:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"3d177fe6-845b-4e34-b131-3fd35ca4b232","method":"GET","path":"/maas-api/v1/models","host":"maas.apps.e08edb4b-7b9e-4909-8877-5600f6e4ef3c.prod.konfluxeaas.com","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-11T19:15:11Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"3d177fe6-845b-4e34-b131-3fd35ca4b232","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.16:54856","PortSpecifier":{"PortValue":54856}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.33:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781205311,"nanos":472564851},"http":{"id":"3d177fe6-845b-4e34-b131-3fd35ca4b232","method":"GET","headers":{":authority":"maas.apps.e08edb4b-7b9e-4909-8877-5600f6e4ef3c.prod.konfluxeaas.com",":method":"GET",":path":"/maas-api/v1/models",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-11T19:15:11Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"3d177fe6-845b-4e34-b131-3fd35ca4b232","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-RifdnnUysMLdTjDF_AfpFghOJeQfZNKD44doPCBRlAK7ywoKq0aZC6QN85yS"}
{"level":"debug","ts":"2026-06-11T19:15:11Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"3d177fe6-845b-4e34-b131-3fd35ca4b232","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-RifdnnUysMLdTjDF_AfpFghOJeQfZNKD44doPCBRlAK7ywoKq0aZC6QN85yS\"}"}
{"level":"debug","ts":"2026-06-11T19:15:11Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"3d177fe6-845b-4e34-b131-3fd35ca4b232","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-11T19:15:11Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"3d177fe6-845b-4e34-b131-3fd35ca4b232","input":{"auth":{"identity":"Bearer **** deflate","authorization":"Bearer **** deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-11T19:15:11Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"3d177fe6-845b-4e34-b131-3fd35ca4b232","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-11T19:15:11Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"3d177fe6-845b-4e34-b131-3fd35ca4b232","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-11T19:15:11Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"3d177fe6-845b-4e34-b131-3fd35ca4b232","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-11T19:15:11Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"3d177fe6-845b-4e34-b131-3fd35ca4b232","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-11T19:15:11Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"3d177fe6-845b-4e34-b131-3fd35ca4b232","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-11T19:15:11Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"3d177fe6-845b-4e34-b131-3fd35ca4b232","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"groups_str","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"groups","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"userid","Value":{}}]},"Plain":null},"reason":"no such key: subscription-info"}
{"level":"debug","ts":"2026-06-11T19:15:11Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"3d177fe6-845b-4e34-b131-3fd35ca4b232","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"}
{"level":"info","ts":"2026-06-11T19:15:11Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"3d177fe6-845b-4e34-b131-3fd35ca4b232","authorized":true,"response":"OK"}
{"level":"debug","ts":"2026-06-11T19:15:11Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"3d177fe6-845b-4e34-b131-3fd35ca4b232","authorized":true,"response":"OK"}
{"level":"info","ts":"2026-06-11T19:15:11Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"f0ab1ff3-e3b0-4d0e-a187-a81a6ce93fa3","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.47:41440","PortSpecifier":{"PortValue":41440}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.33:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"f0ab1ff3-e3b0-4d0e-a187-a81a6ce93fa3","method":"GET","path":"/llm/facebook-opt-125m-simulated/v1/models","host":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-11T19:15:11Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"f0ab1ff3-e3b0-4d0e-a187-a81a6ce93fa3","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.47:41440","PortSpecifier":{"PortValue":41440}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.33:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781205311,"nanos":479776860},"http":{"id":"f0ab1ff3-e3b0-4d0e-a187-a81a6ce93fa3","method":"GET","headers":{":authority":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local",":method":"GET",":path":"/llm/facebook-opt-125m-simulated/v1/models",":scheme":"https","accept-encoding":"gzip","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-11T19:15:11Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"f0ab1ff3-e3b0-4d0e-a187-a81a6ce93fa3","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-RifdnnUysMLdTjDF_AfpFghOJeQfZNKD44doPCBRlAK7ywoKq0aZC6QN85yS"}
{"level":"debug","ts":"2026-06-11T19:15:11Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"f0ab1ff3-e3b0-4d0e-a187-a81a6ce93fa3","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-RifdnnUysMLdTjDF_AfpFghOJeQfZNKD44doPCBRlAK7ywoKq0aZC6QN85yS\"}"}
{"level":"debug","ts":"2026-06-11T19:15:11Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"f0ab1ff3-e3b0-4d0e-a187-a81a6ce93fa3","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-11T19:15:11Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"f0ab1ff3-e3b0-4d0e-a187-a81a6ce93fa3","config":"subscription-info","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","headers":{"Content-Type":["application/json"]},"body":"{\"groups\":[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"],\"requestedModel\":\"llm/facebook-opt-125m-simulated\",\"requestedSubscription\":\"simulator-subscription\",\"username\":\"alice_lead\"}"}
{"level":"debug","ts":"2026-06-11T19:15:11Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"f0ab1ff3-e3b0-4d0e-a187-a81a6ce93fa3","config":{"Name":"subscription-info","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"UserInfo":null,"UMA":null,"GenericHTTP":{"Endpoint":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","DynamicEndpoint":null,"Method":"POST","Body":{},"Parameters":[],"Headers":[],"ContentType":"application/json","SharedSecret":"","OAuth2":null,"OAuth2TokenForceFetch":false,"AuthCredentials":null}},"object":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}}
{"level":"debug","ts":"2026-06-11T19:15:11Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"f0ab1ff3-e3b0-4d0e-a187-a81a6ce93fa3","input":{"auth":{"identity":"Bearer **** subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}}},"context":{"context_extensions":{"host":"3dd75e19cd66d310c30638e330078972afd6d2d96305f91055bc6a6f363fb8d3"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.133.0.33:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local",":method":"GET",":path":"/llm/facebook-opt-125m-simulated/v1/models",":scheme":"https","accept-encoding":"gzip","authorization":"Bearer **** sk-oai-RifdnnUysMLdTjDF_AfpFghOJeQfZNKD44doPCBRlAK7ywoKq0aZC6QN85yS","user-agent":"Go-http-client/1.1","x-envoy-decorator-operation":"facebook-opt-125m-simulated-kserve-workload-svc.llm.svc.cluster.local:8000/*","x-envoy-external-address":"10.134.0.47","x-envoy-peer-metadata":"ChoKCkNMVVNURVJfSUQSDBoKS3ViZXJuZXRlcwqLAQoGTEFCRUxTEoABKn4KSwofc2VydmljZS5pc3Rpby5pby9jYW5vbmljYWwtbmFtZRIoGiZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAovCiNzZXJ2aWNlLmlzdGlvLmlvL2Nhbm9uaWNhbC1yZXZpc2lvbhIIGgZsYXRlc3QKQAoETkFNRRI4GjZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdC02ODdmZjY5OTYtcXM0ZjQKIAoJTkFNRVNQQUNFEhMaEW9wZW5zaGlmdC1pbmdyZXNzCnQKBU9XTkVSEmsaaWt1YmVybmV0ZXM6Ly9hcGlzL2FwcHMvdjEvbmFtZXNwYWNlcy9vcGVuc2hpZnQtaW5ncmVzcy9kZXBsb3ltZW50cy9tYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAo5Cg1XT1JLTE9BRF9OQU1FEigaJm1hYXMtZGVmYXVsdC1nYXRld2F5LW9wZW5zaGlmdC1kZWZhdWx0","x-envoy-peer-metadata-id":"router~10.133.0.33~maas-default-gateway-openshift-default-687ff6996-qs4f4.openshift-ingress~openshift-ingress.svc.cluster.local","x-forwarded-for":"10.134.0.47","x-forwarded-proto":"https","x-maas-subscription":"simulator-subscription","x-request-id":"f0ab1ff3-e3b0-4d0e-a187-a81a6ce93fa3"},"host":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local","id":"f0ab1ff3-e3b0-4d0e-a187-a81a6ce93fa3","method":"GET","path":"/llm/facebook-opt-125m-simulated/v1/models","protocol":"HTTP/1.1","scheme":"https","time":{"nanos":479776860,"seconds":1781205311},"url_path":"/llm/facebook-opt-125m-simulated/v1/models","user_agent":"Go-http-client/1.1"},"source":{"address":"10.134.0.47:41440","port":41440}}}
{"level":"debug","ts":"2026-06-11T19:15:11Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"f0ab1ff3-e3b0-4d0e-a187-a81a6ce93fa3","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-11T19:15:11Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"f0ab1ff3-e3b0-4d0e-a187-a81a6ce93fa3","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-11T19:15:11Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"f0ab1ff3-e3b0-4d0e-a187-a81a6ce93fa3","config":{"Name":"subscription-valid","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-11T19:15:11Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"f0ab1ff3-e3b0-4d0e-a187-a81a6ce93fa3","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-11T19:15:11Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"f0ab1ff3-e3b0-4d0e-a187-a81a6ce93fa3","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-11T19:15:11Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"f0ab1ff3-e3b0-4d0e-a187-a81a6ce93fa3","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-11T19:15:11Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"f0ab1ff3-e3b0-4d0e-a187-a81a6ce93fa3","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"}
{"level":"debug","ts":"2026-06-11T19:15:11Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"f0ab1ff3-e3b0-4d0e-a187-a81a6ce93fa3","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"groups","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"userid","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_info","Value":{}}]},"Plain":null},"object":{"groups":["system:authenticated","Engineering","Project-Alpha"],"groups_str":"system:authenticated,Engineering,Project-Alpha","keyId":"1e22f573-4563-40a6-857c-332eb98e7f33","selected_subscription":"simulator-subscription","selected_subscription_key":"models-as-a-service/simulator-subscription@llm/facebook-opt-125m-simulated","subscription_error":"","subscription_error_message":"","subscription_info":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true},"userid":"alice_lead"}}
{"level":"info","ts":"2026-06-11T19:15:11Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"f0ab1ff3-e3b0-4d0e-a187-a81a6ce93fa3","authorized":true,"response":"OK"}
{"level":"debug","ts":"2026-06-11T19:15:11Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"f0ab1ff3-e3b0-4d0e-a187-a81a6ce93fa3","authorized":true,"response":"OK"}
{"level":"info","ts":"2026-06-11T19:15:11Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"979f836b-505d-4345-8a4e-f4f1d1355630","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.16:54858","PortSpecifier":{"PortValue":54858}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.33:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"979f836b-505d-4345-8a4e-f4f1d1355630","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.e08edb4b-7b9e-4909-8877-5600f6e4ef3c.prod.konfluxeaas.com","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-11T19:15:11Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"979f836b-505d-4345-8a4e-f4f1d1355630","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.16:54858","PortSpecifier":{"PortValue":54858}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.33:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781205311,"nanos":578612102},"http":{"id":"979f836b-505d-4345-8a4e-f4f1d1355630","method":"POST","headers":{":authority":"maas.apps.e08edb4b-7b9e-4909-8877-5600f6e4ef3c.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-11T19:15:11Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"979f836b-505d-4345-8a4e-f4f1d1355630","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781205611,"groups":["Engineering","Project-Alpha"],"iat":1781205311,"iss":"https://keycloak.apps.e08edb4b-7b9e-4909-8877-5600f6e4ef3c.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:22ddf276-b52e-3236-d982-d906748075ac","preferred_username":"alice_lead","scope":"email profile","sid":"4I_2s_dZln0fx6Pb8PIsKSaM","sub":"3d15beb9-28e0-4c96-b0e1-80a1a1abff3c","typ":"Bearer"}}
{"level":"debug","ts":"2026-06-11T19:15:11Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"979f836b-505d-4345-8a4e-f4f1d1355630","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781205611,"groups":["Engineering","Project-Alpha"],"iat":1781205311,"iss":"https://keycloak.apps.e08edb4b-7b9e-4909-8877-5600f6e4ef3c.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:22ddf276-b52e-3236-d982-d906748075ac","preferred_username":"alice_lead","scope":"email profile","sid":"4I_2s_dZln0fx6Pb8PIsKSaM","sub":"3d15beb9-28e0-4c96-b0e1-80a1a1abff3c","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.133.0.33:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.e08edb4b-7b9e-4909-8877-5600f6e4ef3c.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-11T19:15:11Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"979f836b-505d-4345-8a4e-f4f1d1355630","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-11T19:15:11Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"979f836b-505d-4345-8a4e-f4f1d1355630","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-11T19:15:11Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"979f836b-505d-4345-8a4e-f4f1d1355630","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-11T19:15:11Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"979f836b-505d-4345-8a4e-f4f1d1355630","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"groups_str","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"groups","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"userid","Value":{}}]},"Plain":null},"reason":"no such key: metadata"}
{"level":"debug","ts":"2026-06-11T19:15:11Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"979f836b-505d-4345-8a4e-f4f1d1355630","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"}
{"level":"debug","ts":"2026-06-11T19:15:11Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"979f836b-505d-4345-8a4e-f4f1d1355630","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"}
{"level":"info","ts":"2026-06-11T19:15:11Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"979f836b-505d-4345-8a4e-f4f1d1355630","authorized":true,"response":"OK"}
{"level":"debug","ts":"2026-06-11T19:15:11Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"979f836b-505d-4345-8a4e-f4f1d1355630","authorized":true,"response":"OK"}
{"level":"info","ts":"2026-06-11T19:15:11Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"0d7a3de0-b0a4-4ff0-8067-c1607c474c2e","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.16:54868","PortSpecifier":{"PortValue":54868}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.33:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"0d7a3de0-b0a4-4ff0-8067-c1607c474c2e","method":"GET","path":"/maas-api/v1/models","host":"maas.apps.e08edb4b-7b9e-4909-8877-5600f6e4ef3c.prod.konfluxeaas.com","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-11T19:15:11Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"0d7a3de0-b0a4-4ff0-8067-c1607c474c2e","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.16:54868","PortSpecifier":{"PortValue":54868}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.33:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781205311,"nanos":607054837},"http":{"id":"0d7a3de0-b0a4-4ff0-8067-c1607c474c2e","method":"GET","headers":{":authority":"maas.apps.e08edb4b-7b9e-4909-8877-5600f6e4ef3c.prod.konfluxeaas.com",":method":"GET",":path":"/maas-api/v1/models",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-11T19:15:11Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"0d7a3de0-b0a4-4ff0-8067-c1607c474c2e","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-Q3pnv0W5U1Iqer2W_1NXSHqfADFRtOLoFv62dwPqW5rOlLqEPxqCx1Omoghv"}
{"level":"debug","ts":"2026-06-11T19:15:11Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"0d7a3de0-b0a4-4ff0-8067-c1607c474c2e","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-Q3pnv0W5U1Iqer2W_1NXSHqfADFRtOLoFv62dwPqW5rOlLqEPxqCx1Omoghv\"}"}
{"level":"debug","ts":"2026-06-11T19:15:11Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"0d7a3de0-b0a4-4ff0-8067-c1607c474c2e","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-11T19:15:11Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"0d7a3de0-b0a4-4ff0-8067-c1607c474c2e","input":{"auth":{"identity":"Bearer **** deflate","authorization":"Bearer **** deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-11T19:15:11Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"0d7a3de0-b0a4-4ff0-8067-c1607c474c2e","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-11T19:15:11Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"0d7a3de0-b0a4-4ff0-8067-c1607c474c2e","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-11T19:15:11Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"0d7a3de0-b0a4-4ff0-8067-c1607c474c2e","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-11T19:15:11Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"0d7a3de0-b0a4-4ff0-8067-c1607c474c2e","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-11T19:15:11Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"0d7a3de0-b0a4-4ff0-8067-c1607c474c2e","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-11T19:15:11Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"0d7a3de0-b0a4-4ff0-8067-c1607c474c2e","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"groups_str","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"groups","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"userid","Value":{}}]},"Plain":null},"reason":"no such key: subscription-info"}
{"level":"debug","ts":"2026-06-11T19:15:11Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"0d7a3de0-b0a4-4ff0-8067-c1607c474c2e","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"}
{"level":"info","ts":"2026-06-11T19:15:11Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"0d7a3de0-b0a4-4ff0-8067-c1607c474c2e","authorized":true,"response":"OK"}
{"level":"debug","ts":"2026-06-11T19:15:11Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"0d7a3de0-b0a4-4ff0-8067-c1607c474c2e","authorized":true,"response":"OK"}
{"level":"info","ts":"2026-06-11T19:15:11Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"aa68edde-b473-47d1-9376-44f3ead82085","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.47:41440","PortSpecifier":{"PortValue":41440}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.33:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"aa68edde-b473-47d1-9376-44f3ead82085","method":"GET","path":"/llm/facebook-opt-125m-simulated/v1/models","host":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-11T19:15:11Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"aa68edde-b473-47d1-9376-44f3ead82085","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.47:41440","PortSpecifier":{"PortValue":41440}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.33:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781205311,"nanos":613897770},"http":{"id":"aa68edde-b473-47d1-9376-44f3ead82085","method":"GET","headers":{":authority":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local",":method":"GET",":path":"/llm/facebook-opt-125m-simulated/v1/models",":scheme":"https","accept-encoding":"gzip","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-11T19:15:11Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"aa68edde-b473-47d1-9376-44f3ead82085","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-Q3pnv0W5U1Iqer2W_1NXSHqfADFRtOLoFv62dwPqW5rOlLqEPxqCx1Omoghv"}
{"level":"debug","ts":"2026-06-11T19:15:11Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"aa68edde-b473-47d1-9376-44f3ead82085","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-Q3pnv0W5U1Iqer2W_1NXSHqfADFRtOLoFv62dwPqW5rOlLqEPxqCx1Omoghv\"}"}
{"level":"debug","ts":"2026-06-11T19:15:11Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"aa68edde-b473-47d1-9376-44f3ead82085","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-11T19:15:11Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"aa68edde-b473-47d1-9376-44f3ead82085","config":"subscription-info","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","headers":{"Content-Type":["application/json"]},"body":"{\"groups\":[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"],\"requestedModel\":\"llm/facebook-opt-125m-simulated\",\"requestedSubscription\":\"simulator-subscription\",\"username\":\"alice_lead\"}"}
{"level":"debug","ts":"2026-06-11T19:15:11Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"aa68edde-b473-47d1-9376-44f3ead82085","config":{"Name":"subscription-info","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"UserInfo":null,"UMA":null,"GenericHTTP":{"Endpoint":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","DynamicEndpoint":null,"Method":"POST","Body":{},"Parameters":[],"Headers":[],"ContentType":"application/json","SharedSecret":"","OAuth2":null,"OAuth2TokenForceFetch":false,"AuthCredentials":null}},"object":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}}
{"level":"debug","ts":"2026-06-11T19:15:11Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"aa68edde-b473-47d1-9376-44f3ead82085","input":{"auth":{"identity":"Bearer **** subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}}},"context":{"context_extensions":{"host":"3dd75e19cd66d310c30638e330078972afd6d2d96305f91055bc6a6f363fb8d3"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.133.0.33:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local",":method":"GET",":path":"/llm/facebook-opt-125m-simulated/v1/models",":scheme":"https","accept-encoding":"gzip","authorization":"Bearer **** sk-oai-Q3pnv0W5U1Iqer2W_1NXSHqfADFRtOLoFv62dwPqW5rOlLqEPxqCx1Omoghv","user-agent":"Go-http-client/1.1","x-envoy-decorator-operation":"facebook-opt-125m-simulated-kserve-workload-svc.llm.svc.cluster.local:8000/*","x-envoy-external-address":"10.134.0.47","x-envoy-peer-metadata":"ChoKCkNMVVNURVJfSUQSDBoKS3ViZXJuZXRlcwqLAQoGTEFCRUxTEoABKn4KSwofc2VydmljZS5pc3Rpby5pby9jYW5vbmljYWwtbmFtZRIoGiZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAovCiNzZXJ2aWNlLmlzdGlvLmlvL2Nhbm9uaWNhbC1yZXZpc2lvbhIIGgZsYXRlc3QKQAoETkFNRRI4GjZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdC02ODdmZjY5OTYtcXM0ZjQKIAoJTkFNRVNQQUNFEhMaEW9wZW5zaGlmdC1pbmdyZXNzCnQKBU9XTkVSEmsaaWt1YmVybmV0ZXM6Ly9hcGlzL2FwcHMvdjEvbmFtZXNwYWNlcy9vcGVuc2hpZnQtaW5ncmVzcy9kZXBsb3ltZW50cy9tYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAo5Cg1XT1JLTE9BRF9OQU1FEigaJm1hYXMtZGVmYXVsdC1nYXRld2F5LW9wZW5zaGlmdC1kZWZhdWx0","x-envoy-peer-metadata-id":"router~10.133.0.33~maas-default-gateway-openshift-default-687ff6996-qs4f4.openshift-ingress~openshift-ingress.svc.cluster.local","x-forwarded-for":"10.134.0.47","x-forwarded-proto":"https","x-maas-subscription":"simulator-subscription","x-request-id":"aa68edde-b473-47d1-9376-44f3ead82085"},"host":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local","id":"aa68edde-b473-47d1-9376-44f3ead82085","method":"GET","path":"/llm/facebook-opt-125m-simulated/v1/models","protocol":"HTTP/1.1","scheme":"https","time":{"nanos":613897770,"seconds":1781205311},"url_path":"/llm/facebook-opt-125m-simulated/v1/models","user_agent":"Go-http-client/1.1"},"source":{"address":"10.134.0.47:41440","port":41440}}}
{"level":"debug","ts":"2026-06-11T19:15:11Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"aa68edde-b473-47d1-9376-44f3ead82085","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-11T19:15:11Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"aa68edde-b473-47d1-9376-44f3ead82085","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-11T19:15:11Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"aa68edde-b473-47d1-9376-44f3ead82085","config":{"Name":"subscription-valid","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-11T19:15:11Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"aa68edde-b473-47d1-9376-44f3ead82085","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-11T19:15:11Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"aa68edde-b473-47d1-9376-44f3ead82085","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-11T19:15:11Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"aa68edde-b473-47d1-9376-44f3ead82085","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-11T19:15:11Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"aa68edde-b473-47d1-9376-44f3ead82085","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"}
{"level":"debug","ts":"2026-06-11T19:15:11Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"aa68edde-b473-47d1-9376-44f3ead82085","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"groups","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"userid","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_info","Value":{}}]},"Plain":null},"object":{"groups":["system:authenticated","Engineering","Project-Alpha"],"groups_str":"system:authenticated,Engineering,Project-Alpha","keyId":"443f0e47-1a4d-4df1-ba42-e4a29cf3a1d0","selected_subscription":"simulator-subscription","selected_subscription_key":"models-as-a-service/simulator-subscription@llm/facebook-opt-125m-simulated","subscription_error":"","subscription_error_message":"","subscription_info":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true},"userid":"alice_lead"}}
{"level":"info","ts":"2026-06-11T19:15:11Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"aa68edde-b473-47d1-9376-44f3ead82085","authorized":true,"response":"OK"}
{"level":"debug","ts":"2026-06-11T19:15:11Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"aa68edde-b473-47d1-9376-44f3ead82085","authorized":true,"response":"OK"}
{"level":"info","ts":"2026-06-11T19:15:11Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"a23f9c33-9e99-40fc-b7d7-86c2b936156e","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.16:54884","PortSpecifier":{"PortValue":54884}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.33:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"a23f9c33-9e99-40fc-b7d7-86c2b936156e","method":"GET","path":"/maas-api/v1/models","host":"maas.apps.e08edb4b-7b9e-4909-8877-5600f6e4ef3c.prod.konfluxeaas.com","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-11T19:15:11Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"a23f9c33-9e99-40fc-b7d7-86c2b936156e","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.16:54884","PortSpecifier":{"PortValue":54884}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.33:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781205311,"nanos":643678573},"http":{"id":"a23f9c33-9e99-40fc-b7d7-86c2b936156e","method":"GET","headers":{":authority":"maas.apps.e08edb4b-7b9e-4909-8877-5600f6e4ef3c.prod.konfluxeaas.com",":method":"GET",":path":"/maas-api/v1/models",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-11T19:15:11Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"a23f9c33-9e99-40fc-b7d7-86c2b936156e","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-Q3pnv0W5U1Iqer2W_1NXSHqfADFRtOLoFv62dwPqW5rOlLqEPxqCx1Omoghv"}
{"level":"debug","ts":"2026-06-11T19:15:11Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"a23f9c33-9e99-40fc-b7d7-86c2b936156e","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-Q3pnv0W5U1Iqer2W_1NXSHqfADFRtOLoFv62dwPqW5rOlLqEPxqCx1Omoghv\"}"}
{"level":"debug","ts":"2026-06-11T19:15:11Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"a23f9c33-9e99-40fc-b7d7-86c2b936156e","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-11T19:15:11Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"a23f9c33-9e99-40fc-b7d7-86c2b936156e","input":{"auth":{"identity":"Bearer **** deflate","authorization":"Bearer **** deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-11T19:15:11Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"a23f9c33-9e99-40fc-b7d7-86c2b936156e","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-11T19:15:11Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"a23f9c33-9e99-40fc-b7d7-86c2b936156e","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-11T19:15:11Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"a23f9c33-9e99-40fc-b7d7-86c2b936156e","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-11T19:15:11Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"a23f9c33-9e99-40fc-b7d7-86c2b936156e","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-11T19:15:11Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"a23f9c33-9e99-40fc-b7d7-86c2b936156e","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-11T19:15:11Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"a23f9c33-9e99-40fc-b7d7-86c2b936156e","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"groups_str","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"groups","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"userid","Value":{}}]},"Plain":null},"reason":"no such key: subscription-info"}
{"level":"debug","ts":"2026-06-11T19:15:11Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"a23f9c33-9e99-40fc-b7d7-86c2b936156e","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"}
{"level":"info","ts":"2026-06-11T19:15:11Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"a23f9c33-9e99-40fc-b7d7-86c2b936156e","authorized":true,"response":"OK"}
{"level":"debug","ts":"2026-06-11T19:15:11Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"a23f9c33-9e99-40fc-b7d7-86c2b936156e","authorized":true,"response":"OK"}
{"level":"info","ts":"2026-06-11T19:15:11Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"24ec9a2d-25a5-4d2f-a45d-0e84e90d9086","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.47:41440","PortSpecifier":{"PortValue":41440}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.33:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"24ec9a2d-25a5-4d2f-a45d-0e84e90d9086","method":"GET","path":"/llm/facebook-opt-125m-simulated/v1/models","host":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-11T19:15:11Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"24ec9a2d-25a5-4d2f-a45d-0e84e90d9086","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.47:41440","PortSpecifier":{"PortValue":41440}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.33:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781205311,"nanos":651140831},"http":{"id":"24ec9a2d-25a5-4d2f-a45d-0e84e90d9086","method":"GET","headers":{":authority":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local",":method":"GET",":path":"/llm/facebook-opt-125m-simulated/v1/models",":scheme":"https","accept-encoding":"gzip","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-11T19:15:11Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"24ec9a2d-25a5-4d2f-a45d-0e84e90d9086","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-Q3pnv0W5U1Iqer2W_1NXSHqfADFRtOLoFv62dwPqW5rOlLqEPxqCx1Omoghv"}
{"level":"debug","ts":"2026-06-11T19:15:11Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"24ec9a2d-25a5-4d2f-a45d-0e84e90d9086","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-Q3pnv0W5U1Iqer2W_1NXSHqfADFRtOLoFv62dwPqW5rOlLqEPxqCx1Omoghv\"}"}
{"level":"debug","ts":"2026-06-11T19:15:11Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"24ec9a2d-25a5-4d2f-a45d-0e84e90d9086","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-11T19:15:11Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"24ec9a2d-25a5-4d2f-a45d-0e84e90d9086","config":"subscription-info","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","headers":{"Content-Type":["application/json"]},"body":"{\"groups\":[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"],\"requestedModel\":\"llm/facebook-opt-125m-simulated\",\"requestedSubscription\":\"simulator-subscription\",\"username\":\"alice_lead\"}"}
{"level":"debug","ts":"2026-06-11T19:15:11Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"24ec9a2d-25a5-4d2f-a45d-0e84e90d9086","config":{"Name":"subscription-info","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"UserInfo":null,"UMA":null,"GenericHTTP":{"Endpoint":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","DynamicEndpoint":null,"Method":"POST","Body":{},"Parameters":[],"Headers":[],"ContentType":"application/json","SharedSecret":"","OAuth2":null,"OAuth2TokenForceFetch":false,"AuthCredentials":null}},"object":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}}
{"level":"debug","ts":"2026-06-11T19:15:11Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"24ec9a2d-25a5-4d2f-a45d-0e84e90d9086","input":{"auth":{"identity":"Bearer **** subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}}},"context":{"context_extensions":{"host":"3dd75e19cd66d310c30638e330078972afd6d2d96305f91055bc6a6f363fb8d3"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.133.0.33:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local",":method":"GET",":path":"/llm/facebook-opt-125m-simulated/v1/models",":scheme":"https","accept-encoding":"gzip","authorization":"Bearer **** sk-oai-Q3pnv0W5U1Iqer2W_1NXSHqfADFRtOLoFv62dwPqW5rOlLqEPxqCx1Omoghv","user-agent":"Go-http-client/1.1","x-envoy-decorator-operation":"facebook-opt-125m-simulated-kserve-workload-svc.llm.svc.cluster.local:8000/*","x-envoy-external-address":"10.134.0.47","x-envoy-peer-metadata":"ChoKCkNMVVNURVJfSUQSDBoKS3ViZXJuZXRlcwqLAQoGTEFCRUxTEoABKn4KSwofc2VydmljZS5pc3Rpby5pby9jYW5vbmljYWwtbmFtZRIoGiZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAovCiNzZXJ2aWNlLmlzdGlvLmlvL2Nhbm9uaWNhbC1yZXZpc2lvbhIIGgZsYXRlc3QKQAoETkFNRRI4GjZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdC02ODdmZjY5OTYtcXM0ZjQKIAoJTkFNRVNQQUNFEhMaEW9wZW5zaGlmdC1pbmdyZXNzCnQKBU9XTkVSEmsaaWt1YmVybmV0ZXM6Ly9hcGlzL2FwcHMvdjEvbmFtZXNwYWNlcy9vcGVuc2hpZnQtaW5ncmVzcy9kZXBsb3ltZW50cy9tYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAo5Cg1XT1JLTE9BRF9OQU1FEigaJm1hYXMtZGVmYXVsdC1nYXRld2F5LW9wZW5zaGlmdC1kZWZhdWx0","x-envoy-peer-metadata-id":"router~10.133.0.33~maas-default-gateway-openshift-default-687ff6996-qs4f4.openshift-ingress~openshift-ingress.svc.cluster.local","x-forwarded-for":"10.134.0.47","x-forwarded-proto":"https","x-maas-subscription":"simulator-subscription","x-request-id":"24ec9a2d-25a5-4d2f-a45d-0e84e90d9086"},"host":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local","id":"24ec9a2d-25a5-4d2f-a45d-0e84e90d9086","method":"GET","path":"/llm/facebook-opt-125m-simulated/v1/models","protocol":"HTTP/1.1","scheme":"https","time":{"nanos":651140831,"seconds":1781205311},"url_path":"/llm/facebook-opt-125m-simulated/v1/models","user_agent":"Go-http-client/1.1"},"source":{"address":"10.134.0.47:41440","port":41440}}}
{"level":"debug","ts":"2026-06-11T19:15:11Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"24ec9a2d-25a5-4d2f-a45d-0e84e90d9086","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-11T19:15:11Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"24ec9a2d-25a5-4d2f-a45d-0e84e90d9086","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-11T19:15:11Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"24ec9a2d-25a5-4d2f-a45d-0e84e90d9086","config":{"Name":"subscription-valid","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-11T19:15:11Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"24ec9a2d-25a5-4d2f-a45d-0e84e90d9086","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-11T19:15:11Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"24ec9a2d-25a5-4d2f-a45d-0e84e90d9086","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-11T19:15:11Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"24ec9a2d-25a5-4d2f-a45d-0e84e90d9086","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-11T19:15:11Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"24ec9a2d-25a5-4d2f-a45d-0e84e90d9086","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"}
{"level":"debug","ts":"2026-06-11T19:15:11Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"24ec9a2d-25a5-4d2f-a45d-0e84e90d9086","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"groups","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"userid","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_info","Value":{}}]},"Plain":null},"object":{"groups":["system:authenticated","Engineering","Project-Alpha"],"groups_str":"system:authenticated,Engineering,Project-Alpha","keyId":"443f0e47-1a4d-4df1-ba42-e4a29cf3a1d0","selected_subscription":"simulator-subscription","selected_subscription_key":"models-as-a-service/simulator-subscription@llm/facebook-opt-125m-simulated","subscription_error":"","subscription_error_message":"","subscription_info":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true},"userid":"alice_lead"}}
{"level":"info","ts":"2026-06-11T19:15:11Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"24ec9a2d-25a5-4d2f-a45d-0e84e90d9086","authorized":true,"response":"OK"}
{"level":"debug","ts":"2026-06-11T19:15:11Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"24ec9a2d-25a5-4d2f-a45d-0e84e90d9086","authorized":true,"response":"OK"}
{"level":"info","ts":"2026-06-11T19:15:11Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"46b992dc-be94-4c1c-9eea-853bc0c71613","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.16:37574","PortSpecifier":{"PortValue":37574}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.33:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"46b992dc-be94-4c1c-9eea-853bc0c71613","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.e08edb4b-7b9e-4909-8877-5600f6e4ef3c.prod.konfluxeaas.com","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-11T19:15:11Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"46b992dc-be94-4c1c-9eea-853bc0c71613","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.16:37574","PortSpecifier":{"PortValue":37574}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.33:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781205311,"nanos":749283675},"http":{"id":"46b992dc-be94-4c1c-9eea-853bc0c71613","method":"POST","headers":{":authority":"maas.apps.e08edb4b-7b9e-4909-8877-5600f6e4ef3c.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-11T19:15:11Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"46b992dc-be94-4c1c-9eea-853bc0c71613","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781205611,"groups":["Engineering","Project-Alpha"],"iat":1781205311,"iss":"https://keycloak.apps.e08edb4b-7b9e-4909-8877-5600f6e4ef3c.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:f86210c1-0144-be70-8955-78c0c6c21be0","preferred_username":"alice_lead","scope":"email profile","sid":"yR2XVoJrtqtiPnBaCraYg40b","sub":"3d15beb9-28e0-4c96-b0e1-80a1a1abff3c","typ":"Bearer"}}
{"level":"debug","ts":"2026-06-11T19:15:11Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"46b992dc-be94-4c1c-9eea-853bc0c71613","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781205611,"groups":["Engineering","Project-Alpha"],"iat":1781205311,"iss":"https://keycloak.apps.e08edb4b-7b9e-4909-8877-5600f6e4ef3c.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:f86210c1-0144-be70-8955-78c0c6c21be0","preferred_username":"alice_lead","scope":"email profile","sid":"yR2XVoJrtqtiPnBaCraYg40b","sub":"3d15beb9-28e0-4c96-b0e1-80a1a1abff3c","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.133.0.33:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.e08edb4b-7b9e-4909-8877-5600f6e4ef3c.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-11T19:15:11Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"46b992dc-be94-4c1c-9eea-853bc0c71613","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-11T19:15:11Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"46b992dc-be94-4c1c-9eea-853bc0c71613","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-11T19:15:11Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"46b992dc-be94-4c1c-9eea-853bc0c71613","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-11T19:15:11Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"46b992dc-be94-4c1c-9eea-853bc0c71613","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"groups_str","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"groups","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"userid","Value":{}}]},"Plain":null},"reason":"no such key: metadata"}
{"level":"debug","ts":"2026-06-11T19:15:11Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"46b992dc-be94-4c1c-9eea-853bc0c71613","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"}
{"level":"debug","ts":"2026-06-11T19:15:11Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"46b992dc-be94-4c1c-9eea-853bc0c71613","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"}
{"level":"info","ts":"2026-06-11T19:15:11Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"46b992dc-be94-4c1c-9eea-853bc0c71613","authorized":true,"response":"OK"}
{"level":"debug","ts":"2026-06-11T19:15:11Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"46b992dc-be94-4c1c-9eea-853bc0c71613","authorized":true,"response":"OK"}