{"level":"debug","ts":"2026-06-12T19:24:12Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"3c0d47082320c9bb02d3788ab2b052c696af91abc2ae438437ae71a26936c7c2","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-12T19:24:12Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"d3b195a61a7f24c6bf1fba40f9f2e2565facb6af92e959c1546ac398a9172618","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"True","lastTransitionTime":"2026-06-12T19:24:12Z","reason":"HostsLinked"},{"type":"Ready","status":"True","lastTransitionTime":"2026-06-12T19:24:12Z","reason":"Reconciled"}],"summary":{"ready":true,"hostsReady":["d3b195a61a7f24c6bf1fba40f9f2e2565facb6af92e959c1546ac398a9172618"],"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":6,"festivalWristbandEnabled":false}}} {"level":"info","ts":"2026-06-12T19:24:12Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/319a353672fc7601c875fa3f8b807adf60b64f093f022b2a1c3dfef3ac8cd4f4"} {"level":"debug","ts":"2026-06-12T19:24:12Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/3c0d47082320c9bb02d3788ab2b052c696af91abc2ae438437ae71a26936c7c2","issuerUrl":"https://keycloak.apps.a51900df-d0fa-417d-aa47-3b5889ce8c19.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-12T19:24:12Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"d3b195a61a7f24c6bf1fba40f9f2e2565facb6af92e959c1546ac398a9172618","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-12T19:24:12Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"35d34d59676c333235d7c9f02273e0380bb39f27cfd30856fedc0f7c0e5f79aa","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-12T19:24:12Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"d3b195a61a7f24c6bf1fba40f9f2e2565facb6af92e959c1546ac398a9172618","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-12T19:24:12Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/3c0d47082320c9bb02d3788ab2b052c696af91abc2ae438437ae71a26936c7c2"} {"level":"debug","ts":"2026-06-12T19:24:12Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/35d34d59676c333235d7c9f02273e0380bb39f27cfd30856fedc0f7c0e5f79aa","issuerUrl":"https://keycloak.apps.a51900df-d0fa-417d-aa47-3b5889ce8c19.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-12T19:24:12Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/35d34d59676c333235d7c9f02273e0380bb39f27cfd30856fedc0f7c0e5f79aa"} {"level":"debug","ts":"2026-06-12T19:24:12Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/d3b195a61a7f24c6bf1fba40f9f2e2565facb6af92e959c1546ac398a9172618","issuerUrl":"https://keycloak.apps.a51900df-d0fa-417d-aa47-3b5889ce8c19.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-12T19:24:12Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"331dc257e65f55f80700a586f7807093eda7b3d8e7d91215dc3c47731508480c","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-12T19:24:12Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/d3b195a61a7f24c6bf1fba40f9f2e2565facb6af92e959c1546ac398a9172618"} {"level":"debug","ts":"2026-06-12T19:24:12Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/331dc257e65f55f80700a586f7807093eda7b3d8e7d91215dc3c47731508480c","issuerUrl":"https://keycloak.apps.a51900df-d0fa-417d-aa47-3b5889ce8c19.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-12T19:24:12Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"3dc75fc8307b952a3e873400cf417e90f2861e8a225abec4b22708deb7901db7","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-12T19:24:12Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/331dc257e65f55f80700a586f7807093eda7b3d8e7d91215dc3c47731508480c"} {"level":"debug","ts":"2026-06-12T19:24:12Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/3dc75fc8307b952a3e873400cf417e90f2861e8a225abec4b22708deb7901db7","issuerUrl":"https://keycloak.apps.a51900df-d0fa-417d-aa47-3b5889ce8c19.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-12T19:24:12Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"80f10756c0e833d16937036ed66f1daf5bef95559ef05a5e852766b97b9bdaef","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-12T19:24:12Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/3dc75fc8307b952a3e873400cf417e90f2861e8a225abec4b22708deb7901db7"} {"level":"debug","ts":"2026-06-12T19:24:12Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/80f10756c0e833d16937036ed66f1daf5bef95559ef05a5e852766b97b9bdaef","issuerUrl":"https://keycloak.apps.a51900df-d0fa-417d-aa47-3b5889ce8c19.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-12T19:24:12Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"4dc577fd60594d78a4a8bebe396f4b5a928f41bdc3f95c06d717cf1ddc3158b2","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-12T19:24:12Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/80f10756c0e833d16937036ed66f1daf5bef95559ef05a5e852766b97b9bdaef"} {"level":"debug","ts":"2026-06-12T19:24:12Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/4dc577fd60594d78a4a8bebe396f4b5a928f41bdc3f95c06d717cf1ddc3158b2","issuerUrl":"https://keycloak.apps.a51900df-d0fa-417d-aa47-3b5889ce8c19.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-12T19:24:12Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"18e32965997cdd9967355c6fa5264ed12c0a215989d459ed88d7d6de02865f76","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-12T19:24:12Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/4dc577fd60594d78a4a8bebe396f4b5a928f41bdc3f95c06d717cf1ddc3158b2"} {"level":"debug","ts":"2026-06-12T19:24:12Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/18e32965997cdd9967355c6fa5264ed12c0a215989d459ed88d7d6de02865f76","issuerUrl":"https://keycloak.apps.a51900df-d0fa-417d-aa47-3b5889ce8c19.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-12T19:24:12Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"311b1be286674fd5684c9ac59b318287dade9769cfe4aeebd8c88e2dc6b72418","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-12T19:24:12Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/18e32965997cdd9967355c6fa5264ed12c0a215989d459ed88d7d6de02865f76"} {"level":"debug","ts":"2026-06-12T19:24:12Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/311b1be286674fd5684c9ac59b318287dade9769cfe4aeebd8c88e2dc6b72418","issuerUrl":"https://keycloak.apps.a51900df-d0fa-417d-aa47-3b5889ce8c19.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-12T19:24:12Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"5fea747cb803a5ee3aeb620187bd9ec74ccccd10a92474ef528215a7ff146c8f","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-12T19:24:12Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/311b1be286674fd5684c9ac59b318287dade9769cfe4aeebd8c88e2dc6b72418"} {"level":"debug","ts":"2026-06-12T19:24:12Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/5fea747cb803a5ee3aeb620187bd9ec74ccccd10a92474ef528215a7ff146c8f","issuerUrl":"https://keycloak.apps.a51900df-d0fa-417d-aa47-3b5889ce8c19.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-12T19:24:12Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"7371c34ce8e4df2309ee8f952c87f921947b289427b6e9ea579dcb9970fc1b86","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-12T19:24:12Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/5fea747cb803a5ee3aeb620187bd9ec74ccccd10a92474ef528215a7ff146c8f"} {"level":"debug","ts":"2026-06-12T19:24:12Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/7371c34ce8e4df2309ee8f952c87f921947b289427b6e9ea579dcb9970fc1b86","issuerUrl":"https://keycloak.apps.a51900df-d0fa-417d-aa47-3b5889ce8c19.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-12T19:24:12Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"9bbfc0b2e9e9acadd41342cd7c36a24afa8a5eef942d161782a6adae8411158a","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-12T19:24:12Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/7371c34ce8e4df2309ee8f952c87f921947b289427b6e9ea579dcb9970fc1b86"} {"level":"debug","ts":"2026-06-12T19:24:12Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/9bbfc0b2e9e9acadd41342cd7c36a24afa8a5eef942d161782a6adae8411158a","issuerUrl":"https://keycloak.apps.a51900df-d0fa-417d-aa47-3b5889ce8c19.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-12T19:24:12Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"e38d76c6f386f12bc12190c87b39e6e77e182be454f85659a9197c301f2cd9be","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-12T19:24:12Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/9bbfc0b2e9e9acadd41342cd7c36a24afa8a5eef942d161782a6adae8411158a"} {"level":"debug","ts":"2026-06-12T19:24:12Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"a89b0896df0d8cd430f1c81b6eb292ddc044daed393537d009a6330718f58d4b","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-12T19:24:12Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/e38d76c6f386f12bc12190c87b39e6e77e182be454f85659a9197c301f2cd9be","issuerUrl":"https://keycloak.apps.a51900df-d0fa-417d-aa47-3b5889ce8c19.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-12T19:24:12Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/e38d76c6f386f12bc12190c87b39e6e77e182be454f85659a9197c301f2cd9be"} {"level":"debug","ts":"2026-06-12T19:24:12Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/a89b0896df0d8cd430f1c81b6eb292ddc044daed393537d009a6330718f58d4b","issuerUrl":"https://keycloak.apps.a51900df-d0fa-417d-aa47-3b5889ce8c19.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-12T19:24:12Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/a89b0896df0d8cd430f1c81b6eb292ddc044daed393537d009a6330718f58d4b"} {"level":"debug","ts":"2026-06-12T19:24:12Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"False","lastTransitionTime":"2026-06-12T19:24:12Z","reason":"HostsNotLinked","message":"No hosts linked to the resource"},{"type":"Ready","status":"False","lastTransitionTime":"2026-06-12T19:24:12Z","reason":"Reconciling"}],"summary":{"ready":false,"hostsReady":[],"numHostsReady":"0/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":6,"festivalWristbandEnabled":false}}} {"level":"debug","ts":"2026-06-12T19:24:12Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5","issuerUrl":"https://keycloak.apps.a51900df-d0fa-417d-aa47-3b5889ce8c19.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-12T19:24:12Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-12T19:24:12Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5"} {"level":"debug","ts":"2026-06-12T19:24:12Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-12T19:24:12Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"e50f5fdcb9fb7e124557afe69edae9a95d05da488eae1cc4b5c1c7c1220a826a","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-12T19:24:12Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-12T19:24:12Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5","issuerUrl":"https://keycloak.apps.a51900df-d0fa-417d-aa47-3b5889ce8c19.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-12T19:24:12Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5"} {"level":"debug","ts":"2026-06-12T19:24:12Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"True","lastTransitionTime":"2026-06-12T19:24:12Z","reason":"HostsLinked"},{"type":"Ready","status":"True","lastTransitionTime":"2026-06-12T19:24:12Z","reason":"Reconciled"}],"summary":{"ready":true,"hostsReady":["9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5"],"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":6,"festivalWristbandEnabled":false}}} {"level":"debug","ts":"2026-06-12T19:24:12Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/e50f5fdcb9fb7e124557afe69edae9a95d05da488eae1cc4b5c1c7c1220a826a","issuerUrl":"https://keycloak.apps.a51900df-d0fa-417d-aa47-3b5889ce8c19.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-12T19:24:12Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-12T19:24:12Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/e50f5fdcb9fb7e124557afe69edae9a95d05da488eae1cc4b5c1c7c1220a826a"} {"level":"debug","ts":"2026-06-12T19:24:12Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"False","lastTransitionTime":"2026-06-12T19:24:12Z","reason":"HostsNotLinked","message":"No hosts linked to the resource"},{"type":"Ready","status":"False","lastTransitionTime":"2026-06-12T19:24:12Z","reason":"Reconciling"}],"summary":{"ready":false,"hostsReady":[],"numHostsReady":"0/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":6,"festivalWristbandEnabled":false}}} {"level":"debug","ts":"2026-06-12T19:24:12Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5","issuerUrl":"https://keycloak.apps.a51900df-d0fa-417d-aa47-3b5889ce8c19.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-12T19:24:12Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-12T19:24:12Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-12T19:24:12Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5"} {"level":"debug","ts":"2026-06-12T19:24:12Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-12T19:24:12Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5","issuerUrl":"https://keycloak.apps.a51900df-d0fa-417d-aa47-3b5889ce8c19.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-12T19:24:12Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5"} {"level":"debug","ts":"2026-06-12T19:24:12Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"c9f2cdb36f800bc8ef8831e6117ec4c6cc521d8cd63b718b7906225d0f25e59f","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"False","lastTransitionTime":"2026-06-12T19:24:12Z","reason":"HostsNotLinked","message":"No hosts linked to the resource"},{"type":"Ready","status":"False","lastTransitionTime":"2026-06-12T19:24:12Z","reason":"Reconciling"}],"summary":{"ready":false,"hostsReady":[],"numHostsReady":"0/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":6,"festivalWristbandEnabled":false}}} {"level":"debug","ts":"2026-06-12T19:24:12Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/c9f2cdb36f800bc8ef8831e6117ec4c6cc521d8cd63b718b7906225d0f25e59f","issuerUrl":"https://keycloak.apps.a51900df-d0fa-417d-aa47-3b5889ce8c19.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-12T19:24:12Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"c9f2cdb36f800bc8ef8831e6117ec4c6cc521d8cd63b718b7906225d0f25e59f","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-12T19:24:12Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"True","lastTransitionTime":"2026-06-12T19:24:12Z","reason":"HostsLinked"},{"type":"Ready","status":"True","lastTransitionTime":"2026-06-12T19:24:12Z","reason":"Reconciled"}],"summary":{"ready":true,"hostsReady":["9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5"],"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":6,"festivalWristbandEnabled":false}}} {"level":"info","ts":"2026-06-12T19:24:12Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/c9f2cdb36f800bc8ef8831e6117ec4c6cc521d8cd63b718b7906225d0f25e59f"} {"level":"debug","ts":"2026-06-12T19:24:12Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/c9f2cdb36f800bc8ef8831e6117ec4c6cc521d8cd63b718b7906225d0f25e59f","issuerUrl":"https://keycloak.apps.a51900df-d0fa-417d-aa47-3b5889ce8c19.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-12T19:24:12Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-12T19:24:12Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"c9f2cdb36f800bc8ef8831e6117ec4c6cc521d8cd63b718b7906225d0f25e59f","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-12T19:24:12Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-12T19:24:12Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-12T19:24:12Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"c9f2cdb36f800bc8ef8831e6117ec4c6cc521d8cd63b718b7906225d0f25e59f","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-12T19:24:12Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"b1f82c4ba6cc7617f9c0b90067f72f4a25fdc5de2564c14ccb90af534a2905f6","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-12T19:24:12Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/c9f2cdb36f800bc8ef8831e6117ec4c6cc521d8cd63b718b7906225d0f25e59f"} {"level":"debug","ts":"2026-06-12T19:24:12Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d","issuerUrl":"https://keycloak.apps.a51900df-d0fa-417d-aa47-3b5889ce8c19.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-12T19:24:12Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"c9f2cdb36f800bc8ef8831e6117ec4c6cc521d8cd63b718b7906225d0f25e59f","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"True","lastTransitionTime":"2026-06-12T19:24:12Z","reason":"HostsLinked"},{"type":"Ready","status":"True","lastTransitionTime":"2026-06-12T19:24:12Z","reason":"Reconciled"}],"summary":{"ready":true,"hostsReady":["c9f2cdb36f800bc8ef8831e6117ec4c6cc521d8cd63b718b7906225d0f25e59f"],"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":6,"festivalWristbandEnabled":false}}} {"level":"info","ts":"2026-06-12T19:24:12Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"} {"level":"debug","ts":"2026-06-12T19:24:12Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5","issuerUrl":"https://keycloak.apps.a51900df-d0fa-417d-aa47-3b5889ce8c19.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-12T19:24:12Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"c9f2cdb36f800bc8ef8831e6117ec4c6cc521d8cd63b718b7906225d0f25e59f","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-12T19:24:12Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"c9f2cdb36f800bc8ef8831e6117ec4c6cc521d8cd63b718b7906225d0f25e59f","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-12T19:24:12Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5"} {"level":"debug","ts":"2026-06-12T19:24:12Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/b1f82c4ba6cc7617f9c0b90067f72f4a25fdc5de2564c14ccb90af534a2905f6","issuerUrl":"https://keycloak.apps.a51900df-d0fa-417d-aa47-3b5889ce8c19.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-12T19:24:12Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"3dd75e19cd66d310c30638e330078972afd6d2d96305f91055bc6a6f363fb8d3","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-12T19:24:12Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/b1f82c4ba6cc7617f9c0b90067f72f4a25fdc5de2564c14ccb90af534a2905f6"} {"level":"debug","ts":"2026-06-12T19:24:12Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/c9f2cdb36f800bc8ef8831e6117ec4c6cc521d8cd63b718b7906225d0f25e59f","issuerUrl":"https://keycloak.apps.a51900df-d0fa-417d-aa47-3b5889ce8c19.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-12T19:24:12Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"01918e70442d2cb18c94316131b0e0a241b4a5d12df5b1e1981a3bef420bbdb5","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-12T19:24:12Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/c9f2cdb36f800bc8ef8831e6117ec4c6cc521d8cd63b718b7906225d0f25e59f"} {"level":"debug","ts":"2026-06-12T19:24:12Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/3dd75e19cd66d310c30638e330078972afd6d2d96305f91055bc6a6f363fb8d3","issuerUrl":"https://keycloak.apps.a51900df-d0fa-417d-aa47-3b5889ce8c19.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-12T19:24:12Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"edcceb5a2e0cf1edde0fc3ed43068ce5b123a6fdc41949959c2c3b7a5a48bf24","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-12T19:24:12Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/3dd75e19cd66d310c30638e330078972afd6d2d96305f91055bc6a6f363fb8d3"} {"level":"debug","ts":"2026-06-12T19:24:12Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/01918e70442d2cb18c94316131b0e0a241b4a5d12df5b1e1981a3bef420bbdb5","issuerUrl":"https://keycloak.apps.a51900df-d0fa-417d-aa47-3b5889ce8c19.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-12T19:24:12Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/01918e70442d2cb18c94316131b0e0a241b4a5d12df5b1e1981a3bef420bbdb5"} {"level":"debug","ts":"2026-06-12T19:24:12Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/edcceb5a2e0cf1edde0fc3ed43068ce5b123a6fdc41949959c2c3b7a5a48bf24","issuerUrl":"https://keycloak.apps.a51900df-d0fa-417d-aa47-3b5889ce8c19.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-12T19:24:12Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/edcceb5a2e0cf1edde0fc3ed43068ce5b123a6fdc41949959c2c3b7a5a48bf24"} {"level":"info","ts":"2026-06-12T19:24:12Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource de-indexed","authconfig":"kuadrant-system/2200947db0f3acc41dd3fca21efa06f90c57afddd36d719bdda2dc74a0bd0a11"} {"level":"info","ts":"2026-06-12T19:24:12Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource de-indexed","authconfig":"kuadrant-system/3efb8e937aa19b5e0bdd0c3eb5b4ece33299385dcfc89205b8934853facbdcf0"} {"level":"info","ts":"2026-06-12T19:24:39Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"a9540740-bf2f-4bfc-8f5e-a6bf5513f6ca","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.11:57796","PortSpecifier":{"PortValue":57796}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.36:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"a9540740-bf2f-4bfc-8f5e-a6bf5513f6ca","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.a51900df-d0fa-417d-aa47-3b5889ce8c19.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-12T19:24:39Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"a9540740-bf2f-4bfc-8f5e-a6bf5513f6ca","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.11:57796","PortSpecifier":{"PortValue":57796}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.36:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781292279,"nanos":510323004},"http":{"id":"a9540740-bf2f-4bfc-8f5e-a6bf5513f6ca","method":"POST","headers":{":authority":"maas.apps.a51900df-d0fa-417d-aa47-3b5889ce8c19.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-12T19:24:39Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"a9540740-bf2f-4bfc-8f5e-a6bf5513f6ca","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781292579,"groups":["Engineering","Project-Alpha"],"iat":1781292279,"iss":"https://keycloak.apps.a51900df-d0fa-417d-aa47-3b5889ce8c19.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:42116223-9387-1fa1-27e0-167a0887f4e0","preferred_username":"alice_lead","scope":"profile email","sid":"iPj1TBiqonhdDwBGGRkbwmJs","sub":"20ebd653-964a-41f4-82f4-89c579fa7246","typ":"Bearer"}} {"level":"debug","ts":"2026-06-12T19:24:39Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"a9540740-bf2f-4bfc-8f5e-a6bf5513f6ca","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781292579,"groups":["Engineering","Project-Alpha"],"iat":1781292279,"iss":"https://keycloak.apps.a51900df-d0fa-417d-aa47-3b5889ce8c19.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:42116223-9387-1fa1-27e0-167a0887f4e0","preferred_username":"alice_lead","scope":"profile email","sid":"iPj1TBiqonhdDwBGGRkbwmJs","sub":"20ebd653-964a-41f4-82f4-89c579fa7246","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.132.0.36:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.a51900df-d0fa-417d-aa47-3b5889ce8c19.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-12T19:24:39Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"a9540740-bf2f-4bfc-8f5e-a6bf5513f6ca","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T19:24:39Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"a9540740-bf2f-4bfc-8f5e-a6bf5513f6ca","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T19:24:39Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"a9540740-bf2f-4bfc-8f5e-a6bf5513f6ca","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T19:24:39Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"a9540740-bf2f-4bfc-8f5e-a6bf5513f6ca","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"keyId","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"groups","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"userid","Value":{}}]},"Plain":null},"reason":"no such key: metadata"} {"level":"debug","ts":"2026-06-12T19:24:39Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"a9540740-bf2f-4bfc-8f5e-a6bf5513f6ca","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"} {"level":"debug","ts":"2026-06-12T19:24:39Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"a9540740-bf2f-4bfc-8f5e-a6bf5513f6ca","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"} {"level":"info","ts":"2026-06-12T19:24:39Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"a9540740-bf2f-4bfc-8f5e-a6bf5513f6ca","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-12T19:24:39Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"a9540740-bf2f-4bfc-8f5e-a6bf5513f6ca","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-12T19:24:39Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"70275bfd-f429-4c9d-bc96-52f9416aae9a","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.11:57798","PortSpecifier":{"PortValue":57798}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.36:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"70275bfd-f429-4c9d-bc96-52f9416aae9a","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.a51900df-d0fa-417d-aa47-3b5889ce8c19.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-12T19:24:39Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"70275bfd-f429-4c9d-bc96-52f9416aae9a","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.11:57798","PortSpecifier":{"PortValue":57798}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.36:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781292279,"nanos":620349830},"http":{"id":"70275bfd-f429-4c9d-bc96-52f9416aae9a","method":"POST","headers":{":authority":"maas.apps.a51900df-d0fa-417d-aa47-3b5889ce8c19.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-12T19:24:39Z","logger":"authorino.service.auth.authpipeline.identity","msg":"cannot validate identity","request id":"70275bfd-f429-4c9d-bc96-52f9416aae9a","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"reason":"failed to verify signature: failed to verify id token signature"} {"level":"debug","ts":"2026-06-12T19:24:39Z","logger":"authorino.service.auth.authpipeline.identity.kubernetesauth","msg":"calling kubernetes token review api","request id":"70275bfd-f429-4c9d-bc96-52f9416aae9a","tokenreview":{"name":""}} {"level":"debug","ts":"2026-06-12T19:24:39Z","logger":"authorino.service.auth.authpipeline.identity","msg":"cannot validate identity","request id":"70275bfd-f429-4c9d-bc96-52f9416aae9a","config":{"Name":"openshift-identities","Priority":2,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":null,"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"Plain":null,"Noop":null,"ExtendedProperties":[]},"reason":"not authenticated"} {"level":"info","ts":"2026-06-12T19:24:39Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"70275bfd-f429-4c9d-bc96-52f9416aae9a","authorized":false,"response":"UNAUTHENTICATED","object":{"code":16,"status":401,"message":"Authentication required"}} {"level":"debug","ts":"2026-06-12T19:24:39Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"70275bfd-f429-4c9d-bc96-52f9416aae9a","authorized":false,"response":"UNAUTHENTICATED","object":{"code":16,"status":401,"message":"Authentication required","headers":[{"WWW-Authenticate":"Bearer **** realm=\"api-keys\""},{"WWW-Authenticate":"Bearer **** {"level":"info","ts":"2026-06-12T19:24:39Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"4d9e9050-abee-41db-a31a-dfb21e0722b8","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.11:57808","PortSpecifier":{"PortValue":57808}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.36:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"4d9e9050-abee-41db-a31a-dfb21e0722b8","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.a51900df-d0fa-417d-aa47-3b5889ce8c19.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-12T19:24:39Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"4d9e9050-abee-41db-a31a-dfb21e0722b8","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.11:57808","PortSpecifier":{"PortValue":57808}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.36:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781292279,"nanos":659371592},"http":{"id":"4d9e9050-abee-41db-a31a-dfb21e0722b8","method":"POST","headers":{":authority":"maas.apps.a51900df-d0fa-417d-aa47-3b5889ce8c19.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer","content-length":"35","content-type":"application/json","forwarded":"for=44.212.242.249;host=maas.apps.a51900df-d0fa-417d-aa47-3b5889ce8c19.prod.konfluxeaas.com;proto=https","user-agent":"python-requests/2.32.5","x-envoy-decorator-operation":"maas-api.opendatahub.svc.cluster.local:8443/*","x-envoy-external-address":"10.132.0.11","x-envoy-peer-metadata":"ChoKCkNMVVNURVJfSUQSDBoKS3ViZXJuZXRlcwqLAQoGTEFCRUxTEoABKn4KSwofc2VydmljZS5pc3Rpby5pby9jYW5vbmljYWwtbmFtZRIoGiZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAovCiNzZXJ2aWNlLmlzdGlvLmlvL2Nhbm9uaWNhbC1yZXZpc2lvbhIIGgZsYXRlc3QKQAoETkFNRRI4GjZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdC02ODdmZjY5OTYtdHRwemIKIAoJTkFNRVNQQUNFEhMaEW9wZW5zaGlmdC1pbmdyZXNzCnQKBU9XTkVSEmsaaWt1YmVybmV0ZXM6Ly9hcGlzL2FwcHMvdjEvbmFtZXNwYWNlcy9vcGVuc2hpZnQtaW5ncmVzcy9kZXBsb3ltZW50cy9tYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAo5Cg1XT1JLTE9BRF9OQU1FEigaJm1hYXMtZGVmYXVsdC1nYXRld2F5LW9wZW5zaGlmdC1kZWZhdWx0","x-envoy-peer-metadata-id":"router~10.132.0.36~maas-default-gateway-openshift-default-687ff6996-ttpzb.openshift-ingress~openshift-ingress.svc.cluster.local","x-forwarded-for":"44.212.242.249,10.132.0.11","x-forwarded-host":"maas.apps.a51900df-d0fa-417d-aa47-3b5889ce8c19.prod.konfluxeaas.com","x-forwarded-port":"443","x-forwarded-proto":"https","x-request-id":"4d9e9050-abee-41db-a31a-dfb21e0722b8"},"path":"/maas-api/v1/api-keys","host":"maas.apps.a51900df-d0fa-417d-aa47-3b5889ce8c19.prod.konfluxeaas.com","scheme":"https","protocol":"HTTP/1.1"}},"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"metadata_context":{}}} {"level":"debug","ts":"2026-06-12T19:24:39Z","logger":"authorino.service.auth.authpipeline.identity","msg":"cannot validate identity","request id":"4d9e9050-abee-41db-a31a-dfb21e0722b8","config":{"Name":"openshift-identities","Priority":2,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":null,"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"Plain":null,"Noop":null,"ExtendedProperties":[]},"reason":"credential not found"} {"level":"info","ts":"2026-06-12T19:24:39Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"4d9e9050-abee-41db-a31a-dfb21e0722b8","authorized":false,"response":"UNAUTHENTICATED","object":{"code":16,"status":401,"message":"Authentication required"}} {"level":"debug","ts":"2026-06-12T19:24:39Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"4d9e9050-abee-41db-a31a-dfb21e0722b8","authorized":false,"response":"UNAUTHENTICATED","object":{"code":16,"status":401,"message":"Authentication required","headers":[{"WWW-Authenticate":"Bearer **** realm=\"api-keys\""},{"WWW-Authenticate":"Bearer **** {"level":"info","ts":"2026-06-12T19:24:39Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"2e259499-d0bb-4d28-848e-5808d3731f05","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.11:57818","PortSpecifier":{"PortValue":57818}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.36:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"2e259499-d0bb-4d28-848e-5808d3731f05","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.a51900df-d0fa-417d-aa47-3b5889ce8c19.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-12T19:24:39Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"2e259499-d0bb-4d28-848e-5808d3731f05","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.11:57818","PortSpecifier":{"PortValue":57818}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.36:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781292279,"nanos":685390718},"http":{"id":"2e259499-d0bb-4d28-848e-5808d3731f05","method":"POST","headers":{":authority":"maas.apps.a51900df-d0fa-417d-aa47-3b5889ce8c19.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","content-length":"36","content-type":"application/json","forwarded":"for=44.212.242.249;host=maas.apps.a51900df-d0fa-417d-aa47-3b5889ce8c19.prod.konfluxeaas.com;proto=https","user-agent":"python-requests/2.32.5","x-envoy-decorator-operation":"maas-api.opendatahub.svc.cluster.local:8443/*","x-envoy-external-address":"10.132.0.11","x-envoy-peer-metadata":"ChoKCkNMVVNURVJfSUQSDBoKS3ViZXJuZXRlcwqLAQoGTEFCRUxTEoABKn4KSwofc2VydmljZS5pc3Rpby5pby9jYW5vbmljYWwtbmFtZRIoGiZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAovCiNzZXJ2aWNlLmlzdGlvLmlvL2Nhbm9uaWNhbC1yZXZpc2lvbhIIGgZsYXRlc3QKQAoETkFNRRI4GjZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdC02ODdmZjY5OTYtdHRwemIKIAoJTkFNRVNQQUNFEhMaEW9wZW5zaGlmdC1pbmdyZXNzCnQKBU9XTkVSEmsaaWt1YmVybmV0ZXM6Ly9hcGlzL2FwcHMvdjEvbmFtZXNwYWNlcy9vcGVuc2hpZnQtaW5ncmVzcy9kZXBsb3ltZW50cy9tYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAo5Cg1XT1JLTE9BRF9OQU1FEigaJm1hYXMtZGVmYXVsdC1nYXRld2F5LW9wZW5zaGlmdC1kZWZhdWx0","x-envoy-peer-metadata-id":"router~10.132.0.36~maas-default-gateway-openshift-default-687ff6996-ttpzb.openshift-ingress~openshift-ingress.svc.cluster.local","x-forwarded-for":"44.212.242.249,10.132.0.11","x-forwarded-host":"maas.apps.a51900df-d0fa-417d-aa47-3b5889ce8c19.prod.konfluxeaas.com","x-forwarded-port":"443","x-forwarded-proto":"https","x-request-id":"2e259499-d0bb-4d28-848e-5808d3731f05"},"path":"/maas-api/v1/api-keys","host":"maas.apps.a51900df-d0fa-417d-aa47-3b5889ce8c19.prod.konfluxeaas.com","scheme":"https","protocol":"HTTP/1.1"}},"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"metadata_context":{}}} {"level":"info","ts":"2026-06-12T19:24:39Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"2e259499-d0bb-4d28-848e-5808d3731f05","authorized":false,"response":"UNAUTHENTICATED","object":{"code":16,"status":401,"message":"Authentication required"}} {"level":"debug","ts":"2026-06-12T19:24:39Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"2e259499-d0bb-4d28-848e-5808d3731f05","authorized":false,"response":"UNAUTHENTICATED","object":{"code":16,"status":401,"message":"Authentication required","headers":[{"WWW-Authenticate":"Bearer **** realm=\"api-keys\""},{"WWW-Authenticate":"Bearer **** {"level":"info","ts":"2026-06-12T19:24:40Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"2364b729-d9db-49cc-b0b6-f8f74f444e3a","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.11:57822","PortSpecifier":{"PortValue":57822}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.36:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"2364b729-d9db-49cc-b0b6-f8f74f444e3a","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.a51900df-d0fa-417d-aa47-3b5889ce8c19.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-12T19:24:40Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"2364b729-d9db-49cc-b0b6-f8f74f444e3a","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.11:57822","PortSpecifier":{"PortValue":57822}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.36:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781292280,"nanos":44320345},"http":{"id":"2364b729-d9db-49cc-b0b6-f8f74f444e3a","method":"POST","headers":{":authority":"maas.apps.a51900df-d0fa-417d-aa47-3b5889ce8c19.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-12T19:24:40Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"2364b729-d9db-49cc-b0b6-f8f74f444e3a","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781292580,"groups":["Site-Reliability"],"iat":1781292280,"iss":"https://keycloak.apps.a51900df-d0fa-417d-aa47-3b5889ce8c19.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:9a6de9ec-cc99-38ca-9ded-b3a0b23ad76e","preferred_username":"bob_sre","scope":"profile email","sid":"obYtGqfG2jBytgWGT2xLNr4c","sub":"8a505bd0-4e1b-43e7-8ca0-c01395e73579","typ":"Bearer"}} {"level":"debug","ts":"2026-06-12T19:24:40Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"2364b729-d9db-49cc-b0b6-f8f74f444e3a","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781292580,"groups":["Site-Reliability"],"iat":1781292280,"iss":"https://keycloak.apps.a51900df-d0fa-417d-aa47-3b5889ce8c19.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:9a6de9ec-cc99-38ca-9ded-b3a0b23ad76e","preferred_username":"bob_sre","scope":"profile email","sid":"obYtGqfG2jBytgWGT2xLNr4c","sub":"8a505bd0-4e1b-43e7-8ca0-c01395e73579","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.132.0.36:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.a51900df-d0fa-417d-aa47-3b5889ce8c19.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-12T19:24:40Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"2364b729-d9db-49cc-b0b6-f8f74f444e3a","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T19:24:40Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"2364b729-d9db-49cc-b0b6-f8f74f444e3a","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T19:24:40Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"2364b729-d9db-49cc-b0b6-f8f74f444e3a","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T19:24:40Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"2364b729-d9db-49cc-b0b6-f8f74f444e3a","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"keyId","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"groups","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"userid","Value":{}}]},"Plain":null},"reason":"no such key: metadata"} {"level":"debug","ts":"2026-06-12T19:24:40Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"2364b729-d9db-49cc-b0b6-f8f74f444e3a","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Site-Reliability\"]"} {"level":"debug","ts":"2026-06-12T19:24:40Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"2364b729-d9db-49cc-b0b6-f8f74f444e3a","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"bob_sre"} {"level":"info","ts":"2026-06-12T19:24:40Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"2364b729-d9db-49cc-b0b6-f8f74f444e3a","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-12T19:24:40Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"2364b729-d9db-49cc-b0b6-f8f74f444e3a","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-12T19:24:40Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"ed7b1957-f4e0-4dad-bb88-eddbe0267c3a","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.11:57838","PortSpecifier":{"PortValue":57838}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.36:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"ed7b1957-f4e0-4dad-bb88-eddbe0267c3a","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.a51900df-d0fa-417d-aa47-3b5889ce8c19.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-12T19:24:40Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"ed7b1957-f4e0-4dad-bb88-eddbe0267c3a","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.11:57838","PortSpecifier":{"PortValue":57838}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.36:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781292280,"nanos":255104679},"http":{"id":"ed7b1957-f4e0-4dad-bb88-eddbe0267c3a","method":"POST","headers":{":authority":"maas.apps.a51900df-d0fa-417d-aa47-3b5889ce8c19.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-12T19:24:40Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"ed7b1957-f4e0-4dad-bb88-eddbe0267c3a","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781292580,"groups":["Engineering","Project-Alpha"],"iat":1781292280,"iss":"https://keycloak.apps.a51900df-d0fa-417d-aa47-3b5889ce8c19.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:97ab091f-dd7e-3eb5-7ab5-496c13e70aa1","preferred_username":"alice_lead","scope":"profile email","sid":"BCox7rTKfSVQTOfhjdYwNiWD","sub":"20ebd653-964a-41f4-82f4-89c579fa7246","typ":"Bearer"}} {"level":"debug","ts":"2026-06-12T19:24:40Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"ed7b1957-f4e0-4dad-bb88-eddbe0267c3a","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781292580,"groups":["Engineering","Project-Alpha"],"iat":1781292280,"iss":"https://keycloak.apps.a51900df-d0fa-417d-aa47-3b5889ce8c19.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:97ab091f-dd7e-3eb5-7ab5-496c13e70aa1","preferred_username":"alice_lead","scope":"profile email","sid":"BCox7rTKfSVQTOfhjdYwNiWD","sub":"20ebd653-964a-41f4-82f4-89c579fa7246","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.132.0.36:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.a51900df-d0fa-417d-aa47-3b5889ce8c19.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-12T19:24:40Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"ed7b1957-f4e0-4dad-bb88-eddbe0267c3a","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T19:24:40Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"ed7b1957-f4e0-4dad-bb88-eddbe0267c3a","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T19:24:40Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"ed7b1957-f4e0-4dad-bb88-eddbe0267c3a","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T19:24:40Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"ed7b1957-f4e0-4dad-bb88-eddbe0267c3a","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"keyId","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"groups","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"userid","Value":{}}]},"Plain":null},"reason":"no such key: metadata"} {"level":"debug","ts":"2026-06-12T19:24:40Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"ed7b1957-f4e0-4dad-bb88-eddbe0267c3a","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"} {"level":"debug","ts":"2026-06-12T19:24:40Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"ed7b1957-f4e0-4dad-bb88-eddbe0267c3a","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"} {"level":"info","ts":"2026-06-12T19:24:40Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"ed7b1957-f4e0-4dad-bb88-eddbe0267c3a","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-12T19:24:40Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"ed7b1957-f4e0-4dad-bb88-eddbe0267c3a","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-12T19:24:40Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"a08262f6-608a-4ab2-9388-72e10b320724","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.11:57842","PortSpecifier":{"PortValue":57842}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.36:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"a08262f6-608a-4ab2-9388-72e10b320724","method":"GET","path":"/maas-api/v1/models","host":"maas.apps.a51900df-d0fa-417d-aa47-3b5889ce8c19.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-12T19:24:40Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"a08262f6-608a-4ab2-9388-72e10b320724","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.11:57842","PortSpecifier":{"PortValue":57842}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.36:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781292280,"nanos":285892150},"http":{"id":"a08262f6-608a-4ab2-9388-72e10b320724","method":"GET","headers":{":authority":"maas.apps.a51900df-d0fa-417d-aa47-3b5889ce8c19.prod.konfluxeaas.com",":method":"GET",":path":"/maas-api/v1/models",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-12T19:24:40Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"a08262f6-608a-4ab2-9388-72e10b320724","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-1GSawu98wS4XXeOll_uiUPbObLWoJA1XiWw4xjwTW6kNI0d3FQKAkqL1g5wkR"} {"level":"debug","ts":"2026-06-12T19:24:40Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"a08262f6-608a-4ab2-9388-72e10b320724","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-1GSawu98wS4XXeOll_uiUPbObLWoJA1XiWw4xjwTW6kNI0d3FQKAkqL1g5wkR\"}"} {"level":"debug","ts":"2026-06-12T19:24:40Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"a08262f6-608a-4ab2-9388-72e10b320724","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-12T19:24:40Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"a08262f6-608a-4ab2-9388-72e10b320724","input":{"auth":{"identity":"Bearer **** deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-12T19:24:40Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"a08262f6-608a-4ab2-9388-72e10b320724","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T19:24:40Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"a08262f6-608a-4ab2-9388-72e10b320724","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T19:24:40Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"a08262f6-608a-4ab2-9388-72e10b320724","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T19:24:40Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"a08262f6-608a-4ab2-9388-72e10b320724","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-12T19:24:40Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"a08262f6-608a-4ab2-9388-72e10b320724","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-12T19:24:40Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"a08262f6-608a-4ab2-9388-72e10b320724","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"keyId","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"groups","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"userid","Value":{}}]},"Plain":null},"reason":"no such key: subscription-info"} {"level":"debug","ts":"2026-06-12T19:24:40Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"a08262f6-608a-4ab2-9388-72e10b320724","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"} {"level":"info","ts":"2026-06-12T19:24:40Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"a08262f6-608a-4ab2-9388-72e10b320724","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-12T19:24:40Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"a08262f6-608a-4ab2-9388-72e10b320724","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-12T19:24:40Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"4365633a-32f1-4ee9-bc65-8726e96d86d6","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.41:41144","PortSpecifier":{"PortValue":41144}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.36:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"4365633a-32f1-4ee9-bc65-8726e96d86d6","method":"GET","path":"/llm/facebook-opt-125m-simulated/v1/models","host":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local","scheme":"https"}}}} {"level":"debug","ts":"2026-06-12T19:24:40Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"4365633a-32f1-4ee9-bc65-8726e96d86d6","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.41:41144","PortSpecifier":{"PortValue":41144}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.36:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781292280,"nanos":304107854},"http":{"id":"4365633a-32f1-4ee9-bc65-8726e96d86d6","method":"GET","headers":{":authority":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local",":method":"GET",":path":"/llm/facebook-opt-125m-simulated/v1/models",":scheme":"https","accept-encoding":"gzip","authorization":"Bearer **** {"level":"debug","ts":"2026-06-12T19:24:40Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"4365633a-32f1-4ee9-bc65-8726e96d86d6","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-1GSawu98wS4XXeOll_uiUPbObLWoJA1XiWw4xjwTW6kNI0d3FQKAkqL1g5wkR"} {"level":"debug","ts":"2026-06-12T19:24:40Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"4365633a-32f1-4ee9-bc65-8726e96d86d6","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-1GSawu98wS4XXeOll_uiUPbObLWoJA1XiWw4xjwTW6kNI0d3FQKAkqL1g5wkR\"}"} {"level":"debug","ts":"2026-06-12T19:24:40Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"4365633a-32f1-4ee9-bc65-8726e96d86d6","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-12T19:24:40Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"4365633a-32f1-4ee9-bc65-8726e96d86d6","config":"subscription-info","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","headers":{"Content-Type":["application/json"]},"body":"{\"groups\":[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"],\"requestedModel\":\"llm/facebook-opt-125m-simulated\",\"requestedSubscription\":\"simulator-subscription\",\"username\":\"alice_lead\"}"} {"level":"debug","ts":"2026-06-12T19:24:40Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"4365633a-32f1-4ee9-bc65-8726e96d86d6","config":{"Name":"subscription-info","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"UserInfo":null,"UMA":null,"GenericHTTP":{"Endpoint":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","DynamicEndpoint":null,"Method":"POST","Body":{},"Parameters":[],"Headers":[],"ContentType":"application/json","SharedSecret":"","OAuth2":null,"OAuth2TokenForceFetch":false,"AuthCredentials":null}},"object":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}} {"level":"debug","ts":"2026-06-12T19:24:40Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"4365633a-32f1-4ee9-bc65-8726e96d86d6","input":{"auth":{"identity":"Bearer **** subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}}},"context":{"context_extensions":{"host":"3dd75e19cd66d310c30638e330078972afd6d2d96305f91055bc6a6f363fb8d3"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.132.0.36:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local",":method":"GET",":path":"/llm/facebook-opt-125m-simulated/v1/models",":scheme":"https","accept-encoding":"gzip","authorization":"Bearer **** sk-oai-1GSawu98wS4XXeOll_uiUPbObLWoJA1XiWw4xjwTW6kNI0d3FQKAkqL1g5wkR","user-agent":"Go-http-client/1.1","x-envoy-decorator-operation":"facebook-opt-125m-simulated-kserve-workload-svc.llm.svc.cluster.local:8000/*","x-envoy-external-address":"10.134.0.41","x-envoy-peer-metadata":"ChoKCkNMVVNURVJfSUQSDBoKS3ViZXJuZXRlcwqLAQoGTEFCRUxTEoABKn4KSwofc2VydmljZS5pc3Rpby5pby9jYW5vbmljYWwtbmFtZRIoGiZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAovCiNzZXJ2aWNlLmlzdGlvLmlvL2Nhbm9uaWNhbC1yZXZpc2lvbhIIGgZsYXRlc3QKQAoETkFNRRI4GjZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdC02ODdmZjY5OTYtdHRwemIKIAoJTkFNRVNQQUNFEhMaEW9wZW5zaGlmdC1pbmdyZXNzCnQKBU9XTkVSEmsaaWt1YmVybmV0ZXM6Ly9hcGlzL2FwcHMvdjEvbmFtZXNwYWNlcy9vcGVuc2hpZnQtaW5ncmVzcy9kZXBsb3ltZW50cy9tYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAo5Cg1XT1JLTE9BRF9OQU1FEigaJm1hYXMtZGVmYXVsdC1nYXRld2F5LW9wZW5zaGlmdC1kZWZhdWx0","x-envoy-peer-metadata-id":"router~10.132.0.36~maas-default-gateway-openshift-default-687ff6996-ttpzb.openshift-ingress~openshift-ingress.svc.cluster.local","x-forwarded-for":"10.134.0.41","x-forwarded-proto":"https","x-maas-subscription":"simulator-subscription","x-request-id":"4365633a-32f1-4ee9-bc65-8726e96d86d6"},"host":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local","id":"4365633a-32f1-4ee9-bc65-8726e96d86d6","method":"GET","path":"/llm/facebook-opt-125m-simulated/v1/models","protocol":"HTTP/1.1","scheme":"https","time":{"nanos":304107854,"seconds":1781292280},"url_path":"/llm/facebook-opt-125m-simulated/v1/models","user_agent":"Go-http-client/1.1"},"source":{"address":"10.134.0.41:41144","port":41144}}} {"level":"debug","ts":"2026-06-12T19:24:40Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"4365633a-32f1-4ee9-bc65-8726e96d86d6","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T19:24:40Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"4365633a-32f1-4ee9-bc65-8726e96d86d6","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T19:24:40Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"4365633a-32f1-4ee9-bc65-8726e96d86d6","config":{"Name":"subscription-valid","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T19:24:40Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"4365633a-32f1-4ee9-bc65-8726e96d86d6","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T19:24:40Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"4365633a-32f1-4ee9-bc65-8726e96d86d6","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-12T19:24:40Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"4365633a-32f1-4ee9-bc65-8726e96d86d6","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-12T19:24:40Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"4365633a-32f1-4ee9-bc65-8726e96d86d6","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"} {"level":"debug","ts":"2026-06-12T19:24:40Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"4365633a-32f1-4ee9-bc65-8726e96d86d6","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"keyId","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"userid","Value":{}},{"Name":"groups","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_error_message","Value":{}}]},"Plain":null},"object":{"groups":["system:authenticated","Engineering","Project-Alpha"],"groups_str":"system:authenticated,Engineering,Project-Alpha","keyId":"f7c10485-b129-4937-8db0-94a8a62303ee","selected_subscription":"simulator-subscription","selected_subscription_key":"models-as-a-service/simulator-subscription@llm/facebook-opt-125m-simulated","subscription_error":"","subscription_error_message":"","subscription_info":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true},"userid":"alice_lead"}} {"level":"info","ts":"2026-06-12T19:24:40Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"4365633a-32f1-4ee9-bc65-8726e96d86d6","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-12T19:24:40Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"4365633a-32f1-4ee9-bc65-8726e96d86d6","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-12T19:24:40Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"cc6467b7-fccc-4a09-ba9c-66b8595b06c6","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.11:57856","PortSpecifier":{"PortValue":57856}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.36:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"cc6467b7-fccc-4a09-ba9c-66b8595b06c6","method":"POST","path":"/llm/facebook-opt-125m-simulated/v1/chat/completions","host":"maas.apps.a51900df-d0fa-417d-aa47-3b5889ce8c19.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-12T19:24:40Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"cc6467b7-fccc-4a09-ba9c-66b8595b06c6","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.11:57856","PortSpecifier":{"PortValue":57856}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.36:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781292280,"nanos":338392247},"http":{"id":"cc6467b7-fccc-4a09-ba9c-66b8595b06c6","method":"POST","headers":{":authority":"maas.apps.a51900df-d0fa-417d-aa47-3b5889ce8c19.prod.konfluxeaas.com",":method":"POST",":path":"/llm/facebook-opt-125m-simulated/v1/chat/completions",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-12T19:24:40Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"cc6467b7-fccc-4a09-ba9c-66b8595b06c6","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-1GSawu98wS4XXeOll_uiUPbObLWoJA1XiWw4xjwTW6kNI0d3FQKAkqL1g5wkR"} {"level":"debug","ts":"2026-06-12T19:24:40Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"cc6467b7-fccc-4a09-ba9c-66b8595b06c6","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-1GSawu98wS4XXeOll_uiUPbObLWoJA1XiWw4xjwTW6kNI0d3FQKAkqL1g5wkR\"}"} {"level":"debug","ts":"2026-06-12T19:24:40Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"cc6467b7-fccc-4a09-ba9c-66b8595b06c6","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-12T19:24:40Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"cc6467b7-fccc-4a09-ba9c-66b8595b06c6","config":"subscription-info","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","headers":{"Content-Type":["application/json"]},"body":"{\"groups\":[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"],\"requestedModel\":\"llm/facebook-opt-125m-simulated\",\"requestedSubscription\":\"simulator-subscription\",\"username\":\"alice_lead\"}"} {"level":"debug","ts":"2026-06-12T19:24:40Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"cc6467b7-fccc-4a09-ba9c-66b8595b06c6","config":{"Name":"subscription-info","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"UserInfo":null,"UMA":null,"GenericHTTP":{"Endpoint":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","DynamicEndpoint":null,"Method":"POST","Body":{},"Parameters":[],"Headers":[],"ContentType":"application/json","SharedSecret":"","OAuth2":null,"OAuth2TokenForceFetch":false,"AuthCredentials":null}},"object":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}} {"level":"debug","ts":"2026-06-12T19:24:40Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"cc6467b7-fccc-4a09-ba9c-66b8595b06c6","input":{"auth":{"identity":"Bearer **** subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}}},"context":{"context_extensions":{"host":"18e32965997cdd9967355c6fa5264ed12c0a215989d459ed88d7d6de02865f76"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.132.0.36:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.a51900df-d0fa-417d-aa47-3b5889ce8c19.prod.konfluxeaas.com",":method":"POST",":path":"/llm/facebook-opt-125m-simulated/v1/chat/completions",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-12T19:24:40Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"cc6467b7-fccc-4a09-ba9c-66b8595b06c6","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T19:24:40Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"cc6467b7-fccc-4a09-ba9c-66b8595b06c6","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T19:24:40Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"cc6467b7-fccc-4a09-ba9c-66b8595b06c6","config":{"Name":"subscription-valid","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T19:24:40Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"cc6467b7-fccc-4a09-ba9c-66b8595b06c6","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T19:24:40Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"cc6467b7-fccc-4a09-ba9c-66b8595b06c6","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-12T19:24:40Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"cc6467b7-fccc-4a09-ba9c-66b8595b06c6","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-12T19:24:40Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"cc6467b7-fccc-4a09-ba9c-66b8595b06c6","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"} {"level":"debug","ts":"2026-06-12T19:24:40Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"cc6467b7-fccc-4a09-ba9c-66b8595b06c6","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"keyId","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"groups","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"userid","Value":{}}]},"Plain":null},"object":{"groups":["system:authenticated","Engineering","Project-Alpha"],"groups_str":"system:authenticated,Engineering,Project-Alpha","keyId":"f7c10485-b129-4937-8db0-94a8a62303ee","selected_subscription":"simulator-subscription","selected_subscription_key":"models-as-a-service/simulator-subscription@llm/facebook-opt-125m-simulated","subscription_error":"","subscription_error_message":"","subscription_info":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true},"userid":"alice_lead"}} {"level":"info","ts":"2026-06-12T19:24:40Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"cc6467b7-fccc-4a09-ba9c-66b8595b06c6","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-12T19:24:40Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"cc6467b7-fccc-4a09-ba9c-66b8595b06c6","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-12T19:24:40Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"f2cf1f18-837f-4e43-80a2-095f7c9e8d06","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.11:57860","PortSpecifier":{"PortValue":57860}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.36:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"f2cf1f18-837f-4e43-80a2-095f7c9e8d06","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.a51900df-d0fa-417d-aa47-3b5889ce8c19.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-12T19:24:40Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"f2cf1f18-837f-4e43-80a2-095f7c9e8d06","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.11:57860","PortSpecifier":{"PortValue":57860}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.36:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781292280,"nanos":445548944},"http":{"id":"f2cf1f18-837f-4e43-80a2-095f7c9e8d06","method":"POST","headers":{":authority":"maas.apps.a51900df-d0fa-417d-aa47-3b5889ce8c19.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-12T19:24:40Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"f2cf1f18-837f-4e43-80a2-095f7c9e8d06","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781292580,"groups":["Engineering","Project-Alpha"],"iat":1781292280,"iss":"https://keycloak.apps.a51900df-d0fa-417d-aa47-3b5889ce8c19.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:6a6573f4-d698-f689-48d7-dbb1f5a47695","preferred_username":"alice_lead","scope":"profile email","sid":"1xnzdc5yEzPi7Gct3NGnYkHK","sub":"20ebd653-964a-41f4-82f4-89c579fa7246","typ":"Bearer"}} {"level":"debug","ts":"2026-06-12T19:24:40Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"f2cf1f18-837f-4e43-80a2-095f7c9e8d06","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781292580,"groups":["Engineering","Project-Alpha"],"iat":1781292280,"iss":"https://keycloak.apps.a51900df-d0fa-417d-aa47-3b5889ce8c19.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:6a6573f4-d698-f689-48d7-dbb1f5a47695","preferred_username":"alice_lead","scope":"profile email","sid":"1xnzdc5yEzPi7Gct3NGnYkHK","sub":"20ebd653-964a-41f4-82f4-89c579fa7246","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.132.0.36:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.a51900df-d0fa-417d-aa47-3b5889ce8c19.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-12T19:24:40Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"f2cf1f18-837f-4e43-80a2-095f7c9e8d06","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T19:24:40Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"f2cf1f18-837f-4e43-80a2-095f7c9e8d06","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T19:24:40Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"f2cf1f18-837f-4e43-80a2-095f7c9e8d06","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T19:24:40Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"f2cf1f18-837f-4e43-80a2-095f7c9e8d06","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"keyId","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"groups","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"userid","Value":{}}]},"Plain":null},"reason":"no such key: metadata"} {"level":"debug","ts":"2026-06-12T19:24:40Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"f2cf1f18-837f-4e43-80a2-095f7c9e8d06","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"} {"level":"debug","ts":"2026-06-12T19:24:40Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"f2cf1f18-837f-4e43-80a2-095f7c9e8d06","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"} {"level":"info","ts":"2026-06-12T19:24:40Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"f2cf1f18-837f-4e43-80a2-095f7c9e8d06","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-12T19:24:40Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"f2cf1f18-837f-4e43-80a2-095f7c9e8d06","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-12T19:24:40Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"68372e3d-d23b-45f4-bf04-5bfe73ae81d8","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.11:57866","PortSpecifier":{"PortValue":57866}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.36:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"68372e3d-d23b-45f4-bf04-5bfe73ae81d8","method":"DELETE","path":"/maas-api/v1/api-keys/2f620308-011a-4929-a4b4-c137d696c20b","host":"maas.apps.a51900df-d0fa-417d-aa47-3b5889ce8c19.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-12T19:24:40Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"68372e3d-d23b-45f4-bf04-5bfe73ae81d8","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.11:57866","PortSpecifier":{"PortValue":57866}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.36:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781292280,"nanos":478303906},"http":{"id":"68372e3d-d23b-45f4-bf04-5bfe73ae81d8","method":"DELETE","headers":{":authority":"maas.apps.a51900df-d0fa-417d-aa47-3b5889ce8c19.prod.konfluxeaas.com",":method":"DELETE",":path":"/maas-api/v1/api-keys/2f620308-011a-4929-a4b4-c137d696c20b",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-12T19:24:40Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"68372e3d-d23b-45f4-bf04-5bfe73ae81d8","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781292580,"groups":["Engineering","Project-Alpha"],"iat":1781292280,"iss":"https://keycloak.apps.a51900df-d0fa-417d-aa47-3b5889ce8c19.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:6a6573f4-d698-f689-48d7-dbb1f5a47695","preferred_username":"alice_lead","scope":"profile email","sid":"1xnzdc5yEzPi7Gct3NGnYkHK","sub":"20ebd653-964a-41f4-82f4-89c579fa7246","typ":"Bearer"}} {"level":"debug","ts":"2026-06-12T19:24:40Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"68372e3d-d23b-45f4-bf04-5bfe73ae81d8","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781292580,"groups":["Engineering","Project-Alpha"],"iat":1781292280,"iss":"https://keycloak.apps.a51900df-d0fa-417d-aa47-3b5889ce8c19.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:6a6573f4-d698-f689-48d7-dbb1f5a47695","preferred_username":"alice_lead","scope":"profile email","sid":"1xnzdc5yEzPi7Gct3NGnYkHK","sub":"20ebd653-964a-41f4-82f4-89c579fa7246","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.132.0.36:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.a51900df-d0fa-417d-aa47-3b5889ce8c19.prod.konfluxeaas.com",":method":"DELETE",":path":"/maas-api/v1/api-keys/2f620308-011a-4929-a4b4-c137d696c20b",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-12T19:24:40Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"68372e3d-d23b-45f4-bf04-5bfe73ae81d8","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T19:24:40Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"68372e3d-d23b-45f4-bf04-5bfe73ae81d8","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T19:24:40Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"68372e3d-d23b-45f4-bf04-5bfe73ae81d8","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T19:24:40Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"68372e3d-d23b-45f4-bf04-5bfe73ae81d8","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"keyId","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"groups","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"userid","Value":{}}]},"Plain":null},"reason":"no such key: metadata"} {"level":"debug","ts":"2026-06-12T19:24:40Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"68372e3d-d23b-45f4-bf04-5bfe73ae81d8","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"} {"level":"debug","ts":"2026-06-12T19:24:40Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"68372e3d-d23b-45f4-bf04-5bfe73ae81d8","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"} {"level":"info","ts":"2026-06-12T19:24:40Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"68372e3d-d23b-45f4-bf04-5bfe73ae81d8","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-12T19:24:40Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"68372e3d-d23b-45f4-bf04-5bfe73ae81d8","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-12T19:24:43Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"713c65ef-ba50-4f68-b8b1-45979e199489","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.11:36152","PortSpecifier":{"PortValue":36152}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.36:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"713c65ef-ba50-4f68-b8b1-45979e199489","method":"GET","path":"/maas-api/v1/models","host":"maas.apps.a51900df-d0fa-417d-aa47-3b5889ce8c19.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-12T19:24:43Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"713c65ef-ba50-4f68-b8b1-45979e199489","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.11:36152","PortSpecifier":{"PortValue":36152}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.36:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781292283,"nanos":513803412},"http":{"id":"713c65ef-ba50-4f68-b8b1-45979e199489","method":"GET","headers":{":authority":"maas.apps.a51900df-d0fa-417d-aa47-3b5889ce8c19.prod.konfluxeaas.com",":method":"GET",":path":"/maas-api/v1/models",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-12T19:24:43Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"713c65ef-ba50-4f68-b8b1-45979e199489","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-1DVGZULf58hAqkgyz_4LBT88TuKsqLMRPzAHhSUdAGOAnjTFZmtrnx3cftmKl"} {"level":"debug","ts":"2026-06-12T19:24:43Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"713c65ef-ba50-4f68-b8b1-45979e199489","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-1DVGZULf58hAqkgyz_4LBT88TuKsqLMRPzAHhSUdAGOAnjTFZmtrnx3cftmKl\"}"} {"level":"debug","ts":"2026-06-12T19:24:43Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"713c65ef-ba50-4f68-b8b1-45979e199489","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** revoked or expired","valid":false}} {"level":"debug","ts":"2026-06-12T19:24:43Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"713c65ef-ba50-4f68-b8b1-45979e199489","input":{"auth":{"identity":"Bearer **** revoked or expired","valid":false}}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.132.0.36:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.a51900df-d0fa-417d-aa47-3b5889ce8c19.prod.konfluxeaas.com",":method":"GET",":path":"/maas-api/v1/models",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-12T19:24:43Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"713c65ef-ba50-4f68-b8b1-45979e199489","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T19:24:43Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access denied","request id":"713c65ef-ba50-4f68-b8b1-45979e199489","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"reason":"Unauthorized"} {"level":"info","ts":"2026-06-12T19:24:43Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"713c65ef-ba50-4f68-b8b1-45979e199489","authorized":false,"response":"PERMISSION_DENIED","object":{"code":7,"status":403,"message":"Unauthorized"}} {"level":"debug","ts":"2026-06-12T19:24:43Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"713c65ef-ba50-4f68-b8b1-45979e199489","authorized":false,"response":"PERMISSION_DENIED","object":{"code":7,"status":403,"message":"Unauthorized","headers":[{"x-ext-auth-reason":""},{"content-type":"text/plain"}]}} {"level":"info","ts":"2026-06-12T19:24:43Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"5d1d5370-7207-4a82-8a77-8bbc29406825","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.11:36162","PortSpecifier":{"PortValue":36162}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.36:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"5d1d5370-7207-4a82-8a77-8bbc29406825","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.a51900df-d0fa-417d-aa47-3b5889ce8c19.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-12T19:24:43Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"5d1d5370-7207-4a82-8a77-8bbc29406825","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.11:36162","PortSpecifier":{"PortValue":36162}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.36:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781292283,"nanos":661660859},"http":{"id":"5d1d5370-7207-4a82-8a77-8bbc29406825","method":"POST","headers":{":authority":"maas.apps.a51900df-d0fa-417d-aa47-3b5889ce8c19.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-12T19:24:43Z","logger":"authorino.service.auth.authpipeline.identity","msg":"cannot validate identity","request id":"5d1d5370-7207-4a82-8a77-8bbc29406825","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"reason":"failed to verify signature: failed to verify id token signature"} {"level":"debug","ts":"2026-06-12T19:24:43Z","logger":"authorino.service.auth.authpipeline.identity.kubernetesauth","msg":"calling kubernetes token review api","request id":"5d1d5370-7207-4a82-8a77-8bbc29406825","tokenreview":{"name":""}} {"level":"debug","ts":"2026-06-12T19:24:43Z","logger":"authorino.service.auth.authpipeline.identity","msg":"cannot validate identity","request id":"5d1d5370-7207-4a82-8a77-8bbc29406825","config":{"Name":"openshift-identities","Priority":2,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":null,"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"Plain":null,"Noop":null,"ExtendedProperties":[]},"reason":"not authenticated"} {"level":"info","ts":"2026-06-12T19:24:43Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"5d1d5370-7207-4a82-8a77-8bbc29406825","authorized":false,"response":"UNAUTHENTICATED","object":{"code":16,"status":401,"message":"Authentication required"}} {"level":"debug","ts":"2026-06-12T19:24:43Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"5d1d5370-7207-4a82-8a77-8bbc29406825","authorized":false,"response":"UNAUTHENTICATED","object":{"code":16,"status":401,"message":"Authentication required","headers":[{"WWW-Authenticate":"Bearer **** realm=\"api-keys\""},{"WWW-Authenticate":"Bearer **** {"level":"info","ts":"2026-06-12T19:24:43Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"7eb169eb-99fc-46d1-bfe6-24657a86a01c","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.11:36174","PortSpecifier":{"PortValue":36174}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.36:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"7eb169eb-99fc-46d1-bfe6-24657a86a01c","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.a51900df-d0fa-417d-aa47-3b5889ce8c19.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-12T19:24:43Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"7eb169eb-99fc-46d1-bfe6-24657a86a01c","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.11:36174","PortSpecifier":{"PortValue":36174}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.36:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781292283,"nanos":829218928},"http":{"id":"7eb169eb-99fc-46d1-bfe6-24657a86a01c","method":"POST","headers":{":authority":"maas.apps.a51900df-d0fa-417d-aa47-3b5889ce8c19.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-12T19:24:43Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"7eb169eb-99fc-46d1-bfe6-24657a86a01c","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781292583,"groups":["Engineering","Project-Alpha"],"iat":1781292283,"iss":"https://keycloak.apps.a51900df-d0fa-417d-aa47-3b5889ce8c19.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:32a25594-240c-b9a9-8c8e-9220284535b2","preferred_username":"alice_lead","scope":"profile email","sid":"JCGKG--FQEDtlE6-IgIkGYWP","sub":"20ebd653-964a-41f4-82f4-89c579fa7246","typ":"Bearer"}} {"level":"debug","ts":"2026-06-12T19:24:43Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"7eb169eb-99fc-46d1-bfe6-24657a86a01c","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781292583,"groups":["Engineering","Project-Alpha"],"iat":1781292283,"iss":"https://keycloak.apps.a51900df-d0fa-417d-aa47-3b5889ce8c19.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:32a25594-240c-b9a9-8c8e-9220284535b2","preferred_username":"alice_lead","scope":"profile email","sid":"JCGKG--FQEDtlE6-IgIkGYWP","sub":"20ebd653-964a-41f4-82f4-89c579fa7246","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.132.0.36:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.a51900df-d0fa-417d-aa47-3b5889ce8c19.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-12T19:24:43Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"7eb169eb-99fc-46d1-bfe6-24657a86a01c","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T19:24:43Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"7eb169eb-99fc-46d1-bfe6-24657a86a01c","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T19:24:43Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"7eb169eb-99fc-46d1-bfe6-24657a86a01c","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T19:24:43Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"7eb169eb-99fc-46d1-bfe6-24657a86a01c","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"keyId","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"groups","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"userid","Value":{}}]},"Plain":null},"reason":"no such key: metadata"} {"level":"debug","ts":"2026-06-12T19:24:43Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"7eb169eb-99fc-46d1-bfe6-24657a86a01c","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"} {"level":"debug","ts":"2026-06-12T19:24:43Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"7eb169eb-99fc-46d1-bfe6-24657a86a01c","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"} {"level":"info","ts":"2026-06-12T19:24:43Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"7eb169eb-99fc-46d1-bfe6-24657a86a01c","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-12T19:24:43Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"7eb169eb-99fc-46d1-bfe6-24657a86a01c","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-12T19:24:43Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"df73d338-10a1-486c-99ac-d3693ff85336","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.11:36182","PortSpecifier":{"PortValue":36182}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.36:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"df73d338-10a1-486c-99ac-d3693ff85336","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.a51900df-d0fa-417d-aa47-3b5889ce8c19.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-12T19:24:43Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"df73d338-10a1-486c-99ac-d3693ff85336","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.11:36182","PortSpecifier":{"PortValue":36182}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.36:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781292283,"nanos":862052308},"http":{"id":"df73d338-10a1-486c-99ac-d3693ff85336","method":"POST","headers":{":authority":"maas.apps.a51900df-d0fa-417d-aa47-3b5889ce8c19.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-12T19:24:43Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"df73d338-10a1-486c-99ac-d3693ff85336","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781292583,"groups":["Site-Reliability"],"iat":1781292283,"iss":"https://keycloak.apps.a51900df-d0fa-417d-aa47-3b5889ce8c19.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:995dac40-a5f1-1ce5-3d16-f2db86572c57","preferred_username":"bob_sre","scope":"profile email","sid":"d8ftPdyIWrZI1F9g92rkQy_Y","sub":"8a505bd0-4e1b-43e7-8ca0-c01395e73579","typ":"Bearer"}} {"level":"debug","ts":"2026-06-12T19:24:43Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"df73d338-10a1-486c-99ac-d3693ff85336","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781292583,"groups":["Site-Reliability"],"iat":1781292283,"iss":"https://keycloak.apps.a51900df-d0fa-417d-aa47-3b5889ce8c19.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:995dac40-a5f1-1ce5-3d16-f2db86572c57","preferred_username":"bob_sre","scope":"profile email","sid":"d8ftPdyIWrZI1F9g92rkQy_Y","sub":"8a505bd0-4e1b-43e7-8ca0-c01395e73579","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.132.0.36:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.a51900df-d0fa-417d-aa47-3b5889ce8c19.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-12T19:24:43Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"df73d338-10a1-486c-99ac-d3693ff85336","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T19:24:43Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"df73d338-10a1-486c-99ac-d3693ff85336","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T19:24:43Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"df73d338-10a1-486c-99ac-d3693ff85336","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T19:24:43Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"df73d338-10a1-486c-99ac-d3693ff85336","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"keyId","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"groups","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"userid","Value":{}}]},"Plain":null},"reason":"no such key: metadata"} {"level":"debug","ts":"2026-06-12T19:24:43Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"df73d338-10a1-486c-99ac-d3693ff85336","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"bob_sre"} {"level":"debug","ts":"2026-06-12T19:24:43Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"df73d338-10a1-486c-99ac-d3693ff85336","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Site-Reliability\"]"} {"level":"info","ts":"2026-06-12T19:24:43Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"df73d338-10a1-486c-99ac-d3693ff85336","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-12T19:24:43Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"df73d338-10a1-486c-99ac-d3693ff85336","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-12T19:24:43Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"467bdda3-32ed-458e-b50d-feb82f3c9a6f","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.11:36192","PortSpecifier":{"PortValue":36192}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.36:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"467bdda3-32ed-458e-b50d-feb82f3c9a6f","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.a51900df-d0fa-417d-aa47-3b5889ce8c19.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-12T19:24:43Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"467bdda3-32ed-458e-b50d-feb82f3c9a6f","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.11:36192","PortSpecifier":{"PortValue":36192}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.36:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781292283,"nanos":952219466},"http":{"id":"467bdda3-32ed-458e-b50d-feb82f3c9a6f","method":"POST","headers":{":authority":"maas.apps.a51900df-d0fa-417d-aa47-3b5889ce8c19.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-12T19:24:43Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"467bdda3-32ed-458e-b50d-feb82f3c9a6f","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781292583,"groups":["Engineering","Project-Alpha"],"iat":1781292283,"iss":"https://keycloak.apps.a51900df-d0fa-417d-aa47-3b5889ce8c19.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:6635636d-d9da-9114-97d5-0d354b6c685a","preferred_username":"alice_lead","scope":"profile email","sid":"rQpoo0SI5Le6XHFphUGvkSG1","sub":"20ebd653-964a-41f4-82f4-89c579fa7246","typ":"Bearer"}} {"level":"debug","ts":"2026-06-12T19:24:43Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"467bdda3-32ed-458e-b50d-feb82f3c9a6f","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781292583,"groups":["Engineering","Project-Alpha"],"iat":1781292283,"iss":"https://keycloak.apps.a51900df-d0fa-417d-aa47-3b5889ce8c19.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:6635636d-d9da-9114-97d5-0d354b6c685a","preferred_username":"alice_lead","scope":"profile email","sid":"rQpoo0SI5Le6XHFphUGvkSG1","sub":"20ebd653-964a-41f4-82f4-89c579fa7246","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.132.0.36:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.a51900df-d0fa-417d-aa47-3b5889ce8c19.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-12T19:24:43Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"467bdda3-32ed-458e-b50d-feb82f3c9a6f","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T19:24:43Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"467bdda3-32ed-458e-b50d-feb82f3c9a6f","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T19:24:43Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"467bdda3-32ed-458e-b50d-feb82f3c9a6f","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T19:24:43Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"467bdda3-32ed-458e-b50d-feb82f3c9a6f","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"keyId","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"groups","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"userid","Value":{}}]},"Plain":null},"reason":"no such key: metadata"} {"level":"debug","ts":"2026-06-12T19:24:43Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"467bdda3-32ed-458e-b50d-feb82f3c9a6f","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"} {"level":"debug","ts":"2026-06-12T19:24:43Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"467bdda3-32ed-458e-b50d-feb82f3c9a6f","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"} {"level":"info","ts":"2026-06-12T19:24:43Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"467bdda3-32ed-458e-b50d-feb82f3c9a6f","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-12T19:24:43Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"467bdda3-32ed-458e-b50d-feb82f3c9a6f","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-12T19:24:43Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"ff3ebed1-007f-48fe-950e-6b2548178170","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.11:36204","PortSpecifier":{"PortValue":36204}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.36:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"ff3ebed1-007f-48fe-950e-6b2548178170","method":"DELETE","path":"/maas-api/v1/api-keys/e63c299e-431e-4720-841d-1c8d4c7a73da","host":"maas.apps.a51900df-d0fa-417d-aa47-3b5889ce8c19.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-12T19:24:43Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"ff3ebed1-007f-48fe-950e-6b2548178170","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.11:36204","PortSpecifier":{"PortValue":36204}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.36:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781292283,"nanos":980160723},"http":{"id":"ff3ebed1-007f-48fe-950e-6b2548178170","method":"DELETE","headers":{":authority":"maas.apps.a51900df-d0fa-417d-aa47-3b5889ce8c19.prod.konfluxeaas.com",":method":"DELETE",":path":"/maas-api/v1/api-keys/e63c299e-431e-4720-841d-1c8d4c7a73da",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-12T19:24:43Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"ff3ebed1-007f-48fe-950e-6b2548178170","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781292583,"groups":["Engineering","Project-Alpha"],"iat":1781292283,"iss":"https://keycloak.apps.a51900df-d0fa-417d-aa47-3b5889ce8c19.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:6635636d-d9da-9114-97d5-0d354b6c685a","preferred_username":"alice_lead","scope":"profile email","sid":"rQpoo0SI5Le6XHFphUGvkSG1","sub":"20ebd653-964a-41f4-82f4-89c579fa7246","typ":"Bearer"}} {"level":"debug","ts":"2026-06-12T19:24:43Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"ff3ebed1-007f-48fe-950e-6b2548178170","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781292583,"groups":["Engineering","Project-Alpha"],"iat":1781292283,"iss":"https://keycloak.apps.a51900df-d0fa-417d-aa47-3b5889ce8c19.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:6635636d-d9da-9114-97d5-0d354b6c685a","preferred_username":"alice_lead","scope":"profile email","sid":"rQpoo0SI5Le6XHFphUGvkSG1","sub":"20ebd653-964a-41f4-82f4-89c579fa7246","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.132.0.36:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.a51900df-d0fa-417d-aa47-3b5889ce8c19.prod.konfluxeaas.com",":method":"DELETE",":path":"/maas-api/v1/api-keys/e63c299e-431e-4720-841d-1c8d4c7a73da",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-12T19:24:43Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"ff3ebed1-007f-48fe-950e-6b2548178170","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T19:24:43Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"ff3ebed1-007f-48fe-950e-6b2548178170","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T19:24:43Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"ff3ebed1-007f-48fe-950e-6b2548178170","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T19:24:43Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"ff3ebed1-007f-48fe-950e-6b2548178170","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"keyId","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"groups","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"userid","Value":{}}]},"Plain":null},"reason":"no such key: metadata"} {"level":"debug","ts":"2026-06-12T19:24:43Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"ff3ebed1-007f-48fe-950e-6b2548178170","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"} {"level":"debug","ts":"2026-06-12T19:24:43Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"ff3ebed1-007f-48fe-950e-6b2548178170","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"} {"level":"info","ts":"2026-06-12T19:24:43Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"ff3ebed1-007f-48fe-950e-6b2548178170","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-12T19:24:43Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"ff3ebed1-007f-48fe-950e-6b2548178170","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-12T19:24:44Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"4d94eb24-fcb0-45d2-a637-9df122decb29","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.11:36210","PortSpecifier":{"PortValue":36210}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.36:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"4d94eb24-fcb0-45d2-a637-9df122decb29","method":"DELETE","path":"/maas-api/v1/api-keys/e63c299e-431e-4720-841d-1c8d4c7a73da","host":"maas.apps.a51900df-d0fa-417d-aa47-3b5889ce8c19.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-12T19:24:44Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"4d94eb24-fcb0-45d2-a637-9df122decb29","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.11:36210","PortSpecifier":{"PortValue":36210}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.36:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781292284,"nanos":13424991},"http":{"id":"4d94eb24-fcb0-45d2-a637-9df122decb29","method":"DELETE","headers":{":authority":"maas.apps.a51900df-d0fa-417d-aa47-3b5889ce8c19.prod.konfluxeaas.com",":method":"DELETE",":path":"/maas-api/v1/api-keys/e63c299e-431e-4720-841d-1c8d4c7a73da",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-12T19:24:44Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"4d94eb24-fcb0-45d2-a637-9df122decb29","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781292583,"groups":["Engineering","Project-Alpha"],"iat":1781292283,"iss":"https://keycloak.apps.a51900df-d0fa-417d-aa47-3b5889ce8c19.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:6635636d-d9da-9114-97d5-0d354b6c685a","preferred_username":"alice_lead","scope":"profile email","sid":"rQpoo0SI5Le6XHFphUGvkSG1","sub":"20ebd653-964a-41f4-82f4-89c579fa7246","typ":"Bearer"}} {"level":"debug","ts":"2026-06-12T19:24:44Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"4d94eb24-fcb0-45d2-a637-9df122decb29","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781292583,"groups":["Engineering","Project-Alpha"],"iat":1781292283,"iss":"https://keycloak.apps.a51900df-d0fa-417d-aa47-3b5889ce8c19.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:6635636d-d9da-9114-97d5-0d354b6c685a","preferred_username":"alice_lead","scope":"profile email","sid":"rQpoo0SI5Le6XHFphUGvkSG1","sub":"20ebd653-964a-41f4-82f4-89c579fa7246","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.132.0.36:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.a51900df-d0fa-417d-aa47-3b5889ce8c19.prod.konfluxeaas.com",":method":"DELETE",":path":"/maas-api/v1/api-keys/e63c299e-431e-4720-841d-1c8d4c7a73da",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-12T19:24:44Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"4d94eb24-fcb0-45d2-a637-9df122decb29","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T19:24:44Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"4d94eb24-fcb0-45d2-a637-9df122decb29","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T19:24:44Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"4d94eb24-fcb0-45d2-a637-9df122decb29","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T19:24:44Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"4d94eb24-fcb0-45d2-a637-9df122decb29","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"keyId","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"groups","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"userid","Value":{}}]},"Plain":null},"reason":"no such key: metadata"} {"level":"debug","ts":"2026-06-12T19:24:44Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"4d94eb24-fcb0-45d2-a637-9df122decb29","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"} {"level":"debug","ts":"2026-06-12T19:24:44Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"4d94eb24-fcb0-45d2-a637-9df122decb29","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"} {"level":"info","ts":"2026-06-12T19:24:44Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"4d94eb24-fcb0-45d2-a637-9df122decb29","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-12T19:24:44Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"4d94eb24-fcb0-45d2-a637-9df122decb29","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-12T19:24:44Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"b50402ce-e581-4445-a537-5dab10231a4c","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.11:36222","PortSpecifier":{"PortValue":36222}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.36:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"b50402ce-e581-4445-a537-5dab10231a4c","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.a51900df-d0fa-417d-aa47-3b5889ce8c19.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-12T19:24:44Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"b50402ce-e581-4445-a537-5dab10231a4c","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.11:36222","PortSpecifier":{"PortValue":36222}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.36:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781292284,"nanos":108060298},"http":{"id":"b50402ce-e581-4445-a537-5dab10231a4c","method":"POST","headers":{":authority":"maas.apps.a51900df-d0fa-417d-aa47-3b5889ce8c19.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-12T19:24:44Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"b50402ce-e581-4445-a537-5dab10231a4c","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781292584,"groups":["Engineering","Project-Alpha"],"iat":1781292284,"iss":"https://keycloak.apps.a51900df-d0fa-417d-aa47-3b5889ce8c19.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:91b33c51-71c6-1dea-5093-9a70fb7e3fe3","preferred_username":"alice_lead","scope":"profile email","sid":"ozrrWRl26l8Nwv6iJEqK5Eoj","sub":"20ebd653-964a-41f4-82f4-89c579fa7246","typ":"Bearer"}} {"level":"debug","ts":"2026-06-12T19:24:44Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"b50402ce-e581-4445-a537-5dab10231a4c","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781292584,"groups":["Engineering","Project-Alpha"],"iat":1781292284,"iss":"https://keycloak.apps.a51900df-d0fa-417d-aa47-3b5889ce8c19.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:91b33c51-71c6-1dea-5093-9a70fb7e3fe3","preferred_username":"alice_lead","scope":"profile email","sid":"ozrrWRl26l8Nwv6iJEqK5Eoj","sub":"20ebd653-964a-41f4-82f4-89c579fa7246","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.132.0.36:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.a51900df-d0fa-417d-aa47-3b5889ce8c19.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-12T19:24:44Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"b50402ce-e581-4445-a537-5dab10231a4c","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T19:24:44Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"b50402ce-e581-4445-a537-5dab10231a4c","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T19:24:44Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"b50402ce-e581-4445-a537-5dab10231a4c","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T19:24:44Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"b50402ce-e581-4445-a537-5dab10231a4c","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"keyId","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"groups","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"userid","Value":{}}]},"Plain":null},"reason":"no such key: metadata"} {"level":"debug","ts":"2026-06-12T19:24:44Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"b50402ce-e581-4445-a537-5dab10231a4c","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"} {"level":"debug","ts":"2026-06-12T19:24:44Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"b50402ce-e581-4445-a537-5dab10231a4c","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"} {"level":"info","ts":"2026-06-12T19:24:44Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"b50402ce-e581-4445-a537-5dab10231a4c","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-12T19:24:44Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"b50402ce-e581-4445-a537-5dab10231a4c","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-12T19:24:44Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"c2805ed3-cc7f-456c-a35b-9549c796a126","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.11:36236","PortSpecifier":{"PortValue":36236}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.36:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"c2805ed3-cc7f-456c-a35b-9549c796a126","method":"GET","path":"/maas-api/v1/models","host":"maas.apps.a51900df-d0fa-417d-aa47-3b5889ce8c19.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-12T19:24:44Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"c2805ed3-cc7f-456c-a35b-9549c796a126","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.11:36236","PortSpecifier":{"PortValue":36236}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.36:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781292284,"nanos":136740450},"http":{"id":"c2805ed3-cc7f-456c-a35b-9549c796a126","method":"GET","headers":{":authority":"maas.apps.a51900df-d0fa-417d-aa47-3b5889ce8c19.prod.konfluxeaas.com",":method":"GET",":path":"/maas-api/v1/models",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-12T19:24:44Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"c2805ed3-cc7f-456c-a35b-9549c796a126","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-1aSKTHTRLCItPBLlC_QIiYnQRWuoe7FXZHemET4bwxau2orlEcLwh09gwjDTE"} {"level":"debug","ts":"2026-06-12T19:24:44Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"c2805ed3-cc7f-456c-a35b-9549c796a126","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-1aSKTHTRLCItPBLlC_QIiYnQRWuoe7FXZHemET4bwxau2orlEcLwh09gwjDTE\"}"} {"level":"debug","ts":"2026-06-12T19:24:44Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"c2805ed3-cc7f-456c-a35b-9549c796a126","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-12T19:24:44Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"c2805ed3-cc7f-456c-a35b-9549c796a126","input":{"auth":{"identity":"Bearer **** deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-12T19:24:44Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"c2805ed3-cc7f-456c-a35b-9549c796a126","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T19:24:44Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"c2805ed3-cc7f-456c-a35b-9549c796a126","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T19:24:44Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"c2805ed3-cc7f-456c-a35b-9549c796a126","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T19:24:44Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"c2805ed3-cc7f-456c-a35b-9549c796a126","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-12T19:24:44Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"c2805ed3-cc7f-456c-a35b-9549c796a126","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-12T19:24:44Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"c2805ed3-cc7f-456c-a35b-9549c796a126","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"} {"level":"debug","ts":"2026-06-12T19:24:44Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"c2805ed3-cc7f-456c-a35b-9549c796a126","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"keyId","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"groups","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"userid","Value":{}}]},"Plain":null},"reason":"no such key: subscription-info"} {"level":"info","ts":"2026-06-12T19:24:44Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"c2805ed3-cc7f-456c-a35b-9549c796a126","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-12T19:24:44Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"c2805ed3-cc7f-456c-a35b-9549c796a126","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-12T19:24:44Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"0cd3ab25-fd00-4386-ac3f-9851f57d103d","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.41:41144","PortSpecifier":{"PortValue":41144}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.36:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"0cd3ab25-fd00-4386-ac3f-9851f57d103d","method":"GET","path":"/llm/facebook-opt-125m-simulated/v1/models","host":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local","scheme":"https"}}}} {"level":"debug","ts":"2026-06-12T19:24:44Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"0cd3ab25-fd00-4386-ac3f-9851f57d103d","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.41:41144","PortSpecifier":{"PortValue":41144}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.36:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781292284,"nanos":144111515},"http":{"id":"0cd3ab25-fd00-4386-ac3f-9851f57d103d","method":"GET","headers":{":authority":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local",":method":"GET",":path":"/llm/facebook-opt-125m-simulated/v1/models",":scheme":"https","accept-encoding":"gzip","authorization":"Bearer **** {"level":"debug","ts":"2026-06-12T19:24:44Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"0cd3ab25-fd00-4386-ac3f-9851f57d103d","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-1aSKTHTRLCItPBLlC_QIiYnQRWuoe7FXZHemET4bwxau2orlEcLwh09gwjDTE"} {"level":"debug","ts":"2026-06-12T19:24:44Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"0cd3ab25-fd00-4386-ac3f-9851f57d103d","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-1aSKTHTRLCItPBLlC_QIiYnQRWuoe7FXZHemET4bwxau2orlEcLwh09gwjDTE\"}"} {"level":"debug","ts":"2026-06-12T19:24:44Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"0cd3ab25-fd00-4386-ac3f-9851f57d103d","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-12T19:24:44Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"0cd3ab25-fd00-4386-ac3f-9851f57d103d","config":"subscription-info","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","headers":{"Content-Type":["application/json"]},"body":"{\"groups\":[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"],\"requestedModel\":\"llm/facebook-opt-125m-simulated\",\"requestedSubscription\":\"simulator-subscription\",\"username\":\"alice_lead\"}"} {"level":"debug","ts":"2026-06-12T19:24:44Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"0cd3ab25-fd00-4386-ac3f-9851f57d103d","config":{"Name":"subscription-info","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"UserInfo":null,"UMA":null,"GenericHTTP":{"Endpoint":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","DynamicEndpoint":null,"Method":"POST","Body":{},"Parameters":[],"Headers":[],"ContentType":"application/json","SharedSecret":"","OAuth2":null,"OAuth2TokenForceFetch":false,"AuthCredentials":null}},"object":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}} {"level":"debug","ts":"2026-06-12T19:24:44Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"0cd3ab25-fd00-4386-ac3f-9851f57d103d","input":{"auth":{"identity":"Bearer **** subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}}},"context":{"context_extensions":{"host":"3dd75e19cd66d310c30638e330078972afd6d2d96305f91055bc6a6f363fb8d3"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.132.0.36:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local",":method":"GET",":path":"/llm/facebook-opt-125m-simulated/v1/models",":scheme":"https","accept-encoding":"gzip","authorization":"Bearer **** sk-oai-1aSKTHTRLCItPBLlC_QIiYnQRWuoe7FXZHemET4bwxau2orlEcLwh09gwjDTE","user-agent":"Go-http-client/1.1","x-envoy-decorator-operation":"facebook-opt-125m-simulated-kserve-workload-svc.llm.svc.cluster.local:8000/*","x-envoy-external-address":"10.134.0.41","x-envoy-peer-metadata":"ChoKCkNMVVNURVJfSUQSDBoKS3ViZXJuZXRlcwqLAQoGTEFCRUxTEoABKn4KSwofc2VydmljZS5pc3Rpby5pby9jYW5vbmljYWwtbmFtZRIoGiZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAovCiNzZXJ2aWNlLmlzdGlvLmlvL2Nhbm9uaWNhbC1yZXZpc2lvbhIIGgZsYXRlc3QKQAoETkFNRRI4GjZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdC02ODdmZjY5OTYtdHRwemIKIAoJTkFNRVNQQUNFEhMaEW9wZW5zaGlmdC1pbmdyZXNzCnQKBU9XTkVSEmsaaWt1YmVybmV0ZXM6Ly9hcGlzL2FwcHMvdjEvbmFtZXNwYWNlcy9vcGVuc2hpZnQtaW5ncmVzcy9kZXBsb3ltZW50cy9tYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAo5Cg1XT1JLTE9BRF9OQU1FEigaJm1hYXMtZGVmYXVsdC1nYXRld2F5LW9wZW5zaGlmdC1kZWZhdWx0","x-envoy-peer-metadata-id":"router~10.132.0.36~maas-default-gateway-openshift-default-687ff6996-ttpzb.openshift-ingress~openshift-ingress.svc.cluster.local","x-forwarded-for":"10.134.0.41","x-forwarded-proto":"https","x-maas-subscription":"simulator-subscription","x-request-id":"0cd3ab25-fd00-4386-ac3f-9851f57d103d"},"host":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local","id":"0cd3ab25-fd00-4386-ac3f-9851f57d103d","method":"GET","path":"/llm/facebook-opt-125m-simulated/v1/models","protocol":"HTTP/1.1","scheme":"https","time":{"nanos":144111515,"seconds":1781292284},"url_path":"/llm/facebook-opt-125m-simulated/v1/models","user_agent":"Go-http-client/1.1"},"source":{"address":"10.134.0.41:41144","port":41144}}} {"level":"debug","ts":"2026-06-12T19:24:44Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"0cd3ab25-fd00-4386-ac3f-9851f57d103d","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T19:24:44Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"0cd3ab25-fd00-4386-ac3f-9851f57d103d","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T19:24:44Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"0cd3ab25-fd00-4386-ac3f-9851f57d103d","config":{"Name":"subscription-valid","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T19:24:44Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"0cd3ab25-fd00-4386-ac3f-9851f57d103d","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T19:24:44Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"0cd3ab25-fd00-4386-ac3f-9851f57d103d","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-12T19:24:44Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"0cd3ab25-fd00-4386-ac3f-9851f57d103d","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-12T19:24:44Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"0cd3ab25-fd00-4386-ac3f-9851f57d103d","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"} {"level":"debug","ts":"2026-06-12T19:24:44Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"0cd3ab25-fd00-4386-ac3f-9851f57d103d","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"keyId","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"userid","Value":{}},{"Name":"groups","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_error_message","Value":{}}]},"Plain":null},"object":{"groups":["system:authenticated","Engineering","Project-Alpha"],"groups_str":"system:authenticated,Engineering,Project-Alpha","keyId":"e39a4941-1370-4554-9798-103b37d062fc","selected_subscription":"simulator-subscription","selected_subscription_key":"models-as-a-service/simulator-subscription@llm/facebook-opt-125m-simulated","subscription_error":"","subscription_error_message":"","subscription_info":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true},"userid":"alice_lead"}} {"level":"info","ts":"2026-06-12T19:24:44Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"0cd3ab25-fd00-4386-ac3f-9851f57d103d","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-12T19:24:44Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"0cd3ab25-fd00-4386-ac3f-9851f57d103d","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-12T19:24:44Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"ae0b5358-70f1-410b-9de0-48a11699c5bb","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.11:36250","PortSpecifier":{"PortValue":36250}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.36:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"ae0b5358-70f1-410b-9de0-48a11699c5bb","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.a51900df-d0fa-417d-aa47-3b5889ce8c19.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-12T19:24:44Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"ae0b5358-70f1-410b-9de0-48a11699c5bb","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.11:36250","PortSpecifier":{"PortValue":36250}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.36:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781292284,"nanos":239323105},"http":{"id":"ae0b5358-70f1-410b-9de0-48a11699c5bb","method":"POST","headers":{":authority":"maas.apps.a51900df-d0fa-417d-aa47-3b5889ce8c19.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-12T19:24:44Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"ae0b5358-70f1-410b-9de0-48a11699c5bb","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781292584,"groups":["Engineering","Project-Alpha"],"iat":1781292284,"iss":"https://keycloak.apps.a51900df-d0fa-417d-aa47-3b5889ce8c19.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:51122f66-119c-0fa4-6aa2-c986e28b8f8b","preferred_username":"alice_lead","scope":"profile email","sid":"14hmw737nUe6Et6_FSaIEP1r","sub":"20ebd653-964a-41f4-82f4-89c579fa7246","typ":"Bearer"}} {"level":"debug","ts":"2026-06-12T19:24:44Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"ae0b5358-70f1-410b-9de0-48a11699c5bb","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781292584,"groups":["Engineering","Project-Alpha"],"iat":1781292284,"iss":"https://keycloak.apps.a51900df-d0fa-417d-aa47-3b5889ce8c19.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:51122f66-119c-0fa4-6aa2-c986e28b8f8b","preferred_username":"alice_lead","scope":"profile email","sid":"14hmw737nUe6Et6_FSaIEP1r","sub":"20ebd653-964a-41f4-82f4-89c579fa7246","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.132.0.36:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.a51900df-d0fa-417d-aa47-3b5889ce8c19.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-12T19:24:44Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"ae0b5358-70f1-410b-9de0-48a11699c5bb","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T19:24:44Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"ae0b5358-70f1-410b-9de0-48a11699c5bb","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T19:24:44Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"ae0b5358-70f1-410b-9de0-48a11699c5bb","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T19:24:44Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"ae0b5358-70f1-410b-9de0-48a11699c5bb","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"keyId","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"groups","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"userid","Value":{}}]},"Plain":null},"reason":"no such key: metadata"} {"level":"debug","ts":"2026-06-12T19:24:44Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"ae0b5358-70f1-410b-9de0-48a11699c5bb","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"} {"level":"debug","ts":"2026-06-12T19:24:44Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"ae0b5358-70f1-410b-9de0-48a11699c5bb","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"} {"level":"info","ts":"2026-06-12T19:24:44Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"ae0b5358-70f1-410b-9de0-48a11699c5bb","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-12T19:24:44Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"ae0b5358-70f1-410b-9de0-48a11699c5bb","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-12T19:24:44Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"6f6052fb-94dd-477f-8883-d661723b6e53","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.11:36254","PortSpecifier":{"PortValue":36254}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.36:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"6f6052fb-94dd-477f-8883-d661723b6e53","method":"GET","path":"/maas-api/v1/models","host":"maas.apps.a51900df-d0fa-417d-aa47-3b5889ce8c19.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-12T19:24:44Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"6f6052fb-94dd-477f-8883-d661723b6e53","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.11:36254","PortSpecifier":{"PortValue":36254}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.36:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781292284,"nanos":267509392},"http":{"id":"6f6052fb-94dd-477f-8883-d661723b6e53","method":"GET","headers":{":authority":"maas.apps.a51900df-d0fa-417d-aa47-3b5889ce8c19.prod.konfluxeaas.com",":method":"GET",":path":"/maas-api/v1/models",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-12T19:24:44Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"6f6052fb-94dd-477f-8883-d661723b6e53","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-1MLU5o0An92Qcx8Yu_rT7RZQeFyaTWLrRTGDhHiUVREXf7m7H09FqIpjACV2a"} {"level":"debug","ts":"2026-06-12T19:24:44Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"6f6052fb-94dd-477f-8883-d661723b6e53","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-1MLU5o0An92Qcx8Yu_rT7RZQeFyaTWLrRTGDhHiUVREXf7m7H09FqIpjACV2a\"}"} {"level":"debug","ts":"2026-06-12T19:24:44Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"6f6052fb-94dd-477f-8883-d661723b6e53","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-12T19:24:44Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"6f6052fb-94dd-477f-8883-d661723b6e53","input":{"auth":{"identity":"Bearer **** deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-12T19:24:44Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"6f6052fb-94dd-477f-8883-d661723b6e53","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T19:24:44Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"6f6052fb-94dd-477f-8883-d661723b6e53","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T19:24:44Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"6f6052fb-94dd-477f-8883-d661723b6e53","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T19:24:44Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"6f6052fb-94dd-477f-8883-d661723b6e53","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-12T19:24:44Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"6f6052fb-94dd-477f-8883-d661723b6e53","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-12T19:24:44Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"6f6052fb-94dd-477f-8883-d661723b6e53","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"} {"level":"debug","ts":"2026-06-12T19:24:44Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"6f6052fb-94dd-477f-8883-d661723b6e53","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"keyId","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"groups","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"userid","Value":{}}]},"Plain":null},"reason":"no such key: subscription-info"} {"level":"info","ts":"2026-06-12T19:24:44Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"6f6052fb-94dd-477f-8883-d661723b6e53","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-12T19:24:44Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"6f6052fb-94dd-477f-8883-d661723b6e53","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-12T19:24:44Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"9c65cab8-48a9-4458-97c6-06d1e1f6434e","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.11:36264","PortSpecifier":{"PortValue":36264}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.36:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"9c65cab8-48a9-4458-97c6-06d1e1f6434e","method":"GET","path":"/maas-api/v1/models","host":"maas.apps.a51900df-d0fa-417d-aa47-3b5889ce8c19.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-12T19:24:44Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"9c65cab8-48a9-4458-97c6-06d1e1f6434e","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.11:36264","PortSpecifier":{"PortValue":36264}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.36:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781292284,"nanos":296551626},"http":{"id":"9c65cab8-48a9-4458-97c6-06d1e1f6434e","method":"GET","headers":{":authority":"maas.apps.a51900df-d0fa-417d-aa47-3b5889ce8c19.prod.konfluxeaas.com",":method":"GET",":path":"/maas-api/v1/models",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-12T19:24:44Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"9c65cab8-48a9-4458-97c6-06d1e1f6434e","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-1MLU5o0An92Qcx8Yu_rT7RZQeFyaTWLrRTGDhHiUVREXf7m7H09FqIpjACV2a"} {"level":"debug","ts":"2026-06-12T19:24:44Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"9c65cab8-48a9-4458-97c6-06d1e1f6434e","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-1MLU5o0An92Qcx8Yu_rT7RZQeFyaTWLrRTGDhHiUVREXf7m7H09FqIpjACV2a\"}"} {"level":"debug","ts":"2026-06-12T19:24:44Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"9c65cab8-48a9-4458-97c6-06d1e1f6434e","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-12T19:24:44Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"9c65cab8-48a9-4458-97c6-06d1e1f6434e","input":{"auth":{"identity":"Bearer **** deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-12T19:24:44Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"9c65cab8-48a9-4458-97c6-06d1e1f6434e","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T19:24:44Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"9c65cab8-48a9-4458-97c6-06d1e1f6434e","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T19:24:44Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"9c65cab8-48a9-4458-97c6-06d1e1f6434e","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T19:24:44Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"9c65cab8-48a9-4458-97c6-06d1e1f6434e","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-12T19:24:44Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"9c65cab8-48a9-4458-97c6-06d1e1f6434e","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-12T19:24:44Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"9c65cab8-48a9-4458-97c6-06d1e1f6434e","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"keyId","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"groups","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"userid","Value":{}}]},"Plain":null},"reason":"no such key: subscription-info"} {"level":"debug","ts":"2026-06-12T19:24:44Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"9c65cab8-48a9-4458-97c6-06d1e1f6434e","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"} {"level":"info","ts":"2026-06-12T19:24:44Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"9c65cab8-48a9-4458-97c6-06d1e1f6434e","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-12T19:24:44Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"9c65cab8-48a9-4458-97c6-06d1e1f6434e","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-12T19:24:44Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"22639e6a-c6ee-4f22-bcfe-69896c4b69f8","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.41:41144","PortSpecifier":{"PortValue":41144}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.36:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"22639e6a-c6ee-4f22-bcfe-69896c4b69f8","method":"GET","path":"/llm/facebook-opt-125m-simulated/v1/models","host":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local","scheme":"https"}}}} {"level":"debug","ts":"2026-06-12T19:24:44Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"22639e6a-c6ee-4f22-bcfe-69896c4b69f8","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.41:41144","PortSpecifier":{"PortValue":41144}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.36:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781292284,"nanos":304471170},"http":{"id":"22639e6a-c6ee-4f22-bcfe-69896c4b69f8","method":"GET","headers":{":authority":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local",":method":"GET",":path":"/llm/facebook-opt-125m-simulated/v1/models",":scheme":"https","accept-encoding":"gzip","authorization":"Bearer **** {"level":"debug","ts":"2026-06-12T19:24:44Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"22639e6a-c6ee-4f22-bcfe-69896c4b69f8","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-1MLU5o0An92Qcx8Yu_rT7RZQeFyaTWLrRTGDhHiUVREXf7m7H09FqIpjACV2a"} {"level":"debug","ts":"2026-06-12T19:24:44Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"22639e6a-c6ee-4f22-bcfe-69896c4b69f8","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-1MLU5o0An92Qcx8Yu_rT7RZQeFyaTWLrRTGDhHiUVREXf7m7H09FqIpjACV2a\"}"} {"level":"debug","ts":"2026-06-12T19:24:44Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"22639e6a-c6ee-4f22-bcfe-69896c4b69f8","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-12T19:24:44Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"22639e6a-c6ee-4f22-bcfe-69896c4b69f8","config":"subscription-info","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","headers":{"Content-Type":["application/json"]},"body":"{\"groups\":[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"],\"requestedModel\":\"llm/facebook-opt-125m-simulated\",\"requestedSubscription\":\"simulator-subscription\",\"username\":\"alice_lead\"}"} {"level":"debug","ts":"2026-06-12T19:24:44Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"22639e6a-c6ee-4f22-bcfe-69896c4b69f8","config":{"Name":"subscription-info","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"UserInfo":null,"UMA":null,"GenericHTTP":{"Endpoint":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","DynamicEndpoint":null,"Method":"POST","Body":{},"Parameters":[],"Headers":[],"ContentType":"application/json","SharedSecret":"","OAuth2":null,"OAuth2TokenForceFetch":false,"AuthCredentials":null}},"object":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}} {"level":"debug","ts":"2026-06-12T19:24:44Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"22639e6a-c6ee-4f22-bcfe-69896c4b69f8","input":{"auth":{"identity":"Bearer **** subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}}},"context":{"context_extensions":{"host":"3dd75e19cd66d310c30638e330078972afd6d2d96305f91055bc6a6f363fb8d3"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.132.0.36:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local",":method":"GET",":path":"/llm/facebook-opt-125m-simulated/v1/models",":scheme":"https","accept-encoding":"gzip","authorization":"Bearer **** sk-oai-1MLU5o0An92Qcx8Yu_rT7RZQeFyaTWLrRTGDhHiUVREXf7m7H09FqIpjACV2a","user-agent":"Go-http-client/1.1","x-envoy-decorator-operation":"facebook-opt-125m-simulated-kserve-workload-svc.llm.svc.cluster.local:8000/*","x-envoy-external-address":"10.134.0.41","x-envoy-peer-metadata":"ChoKCkNMVVNURVJfSUQSDBoKS3ViZXJuZXRlcwqLAQoGTEFCRUxTEoABKn4KSwofc2VydmljZS5pc3Rpby5pby9jYW5vbmljYWwtbmFtZRIoGiZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAovCiNzZXJ2aWNlLmlzdGlvLmlvL2Nhbm9uaWNhbC1yZXZpc2lvbhIIGgZsYXRlc3QKQAoETkFNRRI4GjZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdC02ODdmZjY5OTYtdHRwemIKIAoJTkFNRVNQQUNFEhMaEW9wZW5zaGlmdC1pbmdyZXNzCnQKBU9XTkVSEmsaaWt1YmVybmV0ZXM6Ly9hcGlzL2FwcHMvdjEvbmFtZXNwYWNlcy9vcGVuc2hpZnQtaW5ncmVzcy9kZXBsb3ltZW50cy9tYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAo5Cg1XT1JLTE9BRF9OQU1FEigaJm1hYXMtZGVmYXVsdC1nYXRld2F5LW9wZW5zaGlmdC1kZWZhdWx0","x-envoy-peer-metadata-id":"router~10.132.0.36~maas-default-gateway-openshift-default-687ff6996-ttpzb.openshift-ingress~openshift-ingress.svc.cluster.local","x-forwarded-for":"10.134.0.41","x-forwarded-proto":"https","x-maas-subscription":"simulator-subscription","x-request-id":"22639e6a-c6ee-4f22-bcfe-69896c4b69f8"},"host":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local","id":"22639e6a-c6ee-4f22-bcfe-69896c4b69f8","method":"GET","path":"/llm/facebook-opt-125m-simulated/v1/models","protocol":"HTTP/1.1","scheme":"https","time":{"nanos":304471170,"seconds":1781292284},"url_path":"/llm/facebook-opt-125m-simulated/v1/models","user_agent":"Go-http-client/1.1"},"source":{"address":"10.134.0.41:41144","port":41144}}} {"level":"debug","ts":"2026-06-12T19:24:44Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"22639e6a-c6ee-4f22-bcfe-69896c4b69f8","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T19:24:44Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"22639e6a-c6ee-4f22-bcfe-69896c4b69f8","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T19:24:44Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"22639e6a-c6ee-4f22-bcfe-69896c4b69f8","config":{"Name":"subscription-valid","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T19:24:44Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"22639e6a-c6ee-4f22-bcfe-69896c4b69f8","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T19:24:44Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"22639e6a-c6ee-4f22-bcfe-69896c4b69f8","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-12T19:24:44Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"22639e6a-c6ee-4f22-bcfe-69896c4b69f8","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-12T19:24:44Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"22639e6a-c6ee-4f22-bcfe-69896c4b69f8","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"} {"level":"debug","ts":"2026-06-12T19:24:44Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"22639e6a-c6ee-4f22-bcfe-69896c4b69f8","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"keyId","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"userid","Value":{}},{"Name":"groups","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_error_message","Value":{}}]},"Plain":null},"object":{"groups":["system:authenticated","Engineering","Project-Alpha"],"groups_str":"system:authenticated,Engineering,Project-Alpha","keyId":"8d3bfc02-7ddd-4a8b-932e-7bbc7cc32abc","selected_subscription":"simulator-subscription","selected_subscription_key":"models-as-a-service/simulator-subscription@llm/facebook-opt-125m-simulated","subscription_error":"","subscription_error_message":"","subscription_info":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true},"userid":"alice_lead"}} {"level":"info","ts":"2026-06-12T19:24:44Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"22639e6a-c6ee-4f22-bcfe-69896c4b69f8","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-12T19:24:44Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"22639e6a-c6ee-4f22-bcfe-69896c4b69f8","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-12T19:24:44Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"e3e9213b-8a81-4058-8842-ca1b1cffdb68","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.11:36280","PortSpecifier":{"PortValue":36280}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.36:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"e3e9213b-8a81-4058-8842-ca1b1cffdb68","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.a51900df-d0fa-417d-aa47-3b5889ce8c19.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-12T19:24:44Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"e3e9213b-8a81-4058-8842-ca1b1cffdb68","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.11:36280","PortSpecifier":{"PortValue":36280}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.36:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781292284,"nanos":400421368},"http":{"id":"e3e9213b-8a81-4058-8842-ca1b1cffdb68","method":"POST","headers":{":authority":"maas.apps.a51900df-d0fa-417d-aa47-3b5889ce8c19.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-12T19:24:44Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"e3e9213b-8a81-4058-8842-ca1b1cffdb68","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781292584,"groups":["Engineering","Project-Alpha"],"iat":1781292284,"iss":"https://keycloak.apps.a51900df-d0fa-417d-aa47-3b5889ce8c19.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:38d1d92a-ee28-b8c6-7e59-725e0f800df6","preferred_username":"alice_lead","scope":"profile email","sid":"MjgnPqMWRGK66NFHN-0pF245","sub":"20ebd653-964a-41f4-82f4-89c579fa7246","typ":"Bearer"}} {"level":"debug","ts":"2026-06-12T19:24:44Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"e3e9213b-8a81-4058-8842-ca1b1cffdb68","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781292584,"groups":["Engineering","Project-Alpha"],"iat":1781292284,"iss":"https://keycloak.apps.a51900df-d0fa-417d-aa47-3b5889ce8c19.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:38d1d92a-ee28-b8c6-7e59-725e0f800df6","preferred_username":"alice_lead","scope":"profile email","sid":"MjgnPqMWRGK66NFHN-0pF245","sub":"20ebd653-964a-41f4-82f4-89c579fa7246","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.132.0.36:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.a51900df-d0fa-417d-aa47-3b5889ce8c19.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-12T19:24:44Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"e3e9213b-8a81-4058-8842-ca1b1cffdb68","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T19:24:44Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"e3e9213b-8a81-4058-8842-ca1b1cffdb68","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T19:24:44Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"e3e9213b-8a81-4058-8842-ca1b1cffdb68","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T19:24:44Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"e3e9213b-8a81-4058-8842-ca1b1cffdb68","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"keyId","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"groups","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"userid","Value":{}}]},"Plain":null},"reason":"no such key: metadata"} {"level":"debug","ts":"2026-06-12T19:24:44Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"e3e9213b-8a81-4058-8842-ca1b1cffdb68","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"} {"level":"debug","ts":"2026-06-12T19:24:44Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"e3e9213b-8a81-4058-8842-ca1b1cffdb68","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"} {"level":"info","ts":"2026-06-12T19:24:44Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"e3e9213b-8a81-4058-8842-ca1b1cffdb68","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-12T19:24:44Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"e3e9213b-8a81-4058-8842-ca1b1cffdb68","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-12T19:24:44Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"a20ef47d-20b4-43da-8eec-e9beea9f9ed0","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.11:36296","PortSpecifier":{"PortValue":36296}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.36:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"a20ef47d-20b4-43da-8eec-e9beea9f9ed0","method":"GET","path":"/maas-api/v1/models","host":"maas.apps.a51900df-d0fa-417d-aa47-3b5889ce8c19.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-12T19:24:44Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"a20ef47d-20b4-43da-8eec-e9beea9f9ed0","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.11:36296","PortSpecifier":{"PortValue":36296}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.36:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781292284,"nanos":431648328},"http":{"id":"a20ef47d-20b4-43da-8eec-e9beea9f9ed0","method":"GET","headers":{":authority":"maas.apps.a51900df-d0fa-417d-aa47-3b5889ce8c19.prod.konfluxeaas.com",":method":"GET",":path":"/maas-api/v1/models",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-12T19:24:44Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"a20ef47d-20b4-43da-8eec-e9beea9f9ed0","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-1MplXWGcnri4orXbU_gbdJiUB64nXHqzg6P2aQc8ETPOWOPaYtiivYEMz6zqy"} {"level":"debug","ts":"2026-06-12T19:24:44Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"a20ef47d-20b4-43da-8eec-e9beea9f9ed0","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-1MplXWGcnri4orXbU_gbdJiUB64nXHqzg6P2aQc8ETPOWOPaYtiivYEMz6zqy\"}"} {"level":"debug","ts":"2026-06-12T19:24:44Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"a20ef47d-20b4-43da-8eec-e9beea9f9ed0","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-12T19:24:44Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"a20ef47d-20b4-43da-8eec-e9beea9f9ed0","input":{"auth":{"identity":"Bearer **** deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-12T19:24:44Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"a20ef47d-20b4-43da-8eec-e9beea9f9ed0","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T19:24:44Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"a20ef47d-20b4-43da-8eec-e9beea9f9ed0","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T19:24:44Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"a20ef47d-20b4-43da-8eec-e9beea9f9ed0","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T19:24:44Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"a20ef47d-20b4-43da-8eec-e9beea9f9ed0","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-12T19:24:44Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"a20ef47d-20b4-43da-8eec-e9beea9f9ed0","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-12T19:24:44Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"a20ef47d-20b4-43da-8eec-e9beea9f9ed0","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"keyId","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"groups","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"userid","Value":{}}]},"Plain":null},"reason":"no such key: subscription-info"} {"level":"debug","ts":"2026-06-12T19:24:44Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"a20ef47d-20b4-43da-8eec-e9beea9f9ed0","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"} {"level":"info","ts":"2026-06-12T19:24:44Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"a20ef47d-20b4-43da-8eec-e9beea9f9ed0","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-12T19:24:44Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"a20ef47d-20b4-43da-8eec-e9beea9f9ed0","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-12T19:24:44Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"3f293179-dc1e-46af-a94a-5587d821b0f9","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.41:41144","PortSpecifier":{"PortValue":41144}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.36:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"3f293179-dc1e-46af-a94a-5587d821b0f9","method":"GET","path":"/llm/facebook-opt-125m-simulated/v1/models","host":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local","scheme":"https"}}}} {"level":"debug","ts":"2026-06-12T19:24:44Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"3f293179-dc1e-46af-a94a-5587d821b0f9","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.41:41144","PortSpecifier":{"PortValue":41144}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.36:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781292284,"nanos":439244299},"http":{"id":"3f293179-dc1e-46af-a94a-5587d821b0f9","method":"GET","headers":{":authority":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local",":method":"GET",":path":"/llm/facebook-opt-125m-simulated/v1/models",":scheme":"https","accept-encoding":"gzip","authorization":"Bearer **** {"level":"debug","ts":"2026-06-12T19:24:44Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"3f293179-dc1e-46af-a94a-5587d821b0f9","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-1MplXWGcnri4orXbU_gbdJiUB64nXHqzg6P2aQc8ETPOWOPaYtiivYEMz6zqy"} {"level":"debug","ts":"2026-06-12T19:24:44Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"3f293179-dc1e-46af-a94a-5587d821b0f9","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-1MplXWGcnri4orXbU_gbdJiUB64nXHqzg6P2aQc8ETPOWOPaYtiivYEMz6zqy\"}"} {"level":"debug","ts":"2026-06-12T19:24:44Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"3f293179-dc1e-46af-a94a-5587d821b0f9","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-12T19:24:44Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"3f293179-dc1e-46af-a94a-5587d821b0f9","config":"subscription-info","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","headers":{"Content-Type":["application/json"]},"body":"{\"groups\":[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"],\"requestedModel\":\"llm/facebook-opt-125m-simulated\",\"requestedSubscription\":\"simulator-subscription\",\"username\":\"alice_lead\"}"} {"level":"debug","ts":"2026-06-12T19:24:44Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"3f293179-dc1e-46af-a94a-5587d821b0f9","config":{"Name":"subscription-info","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"UserInfo":null,"UMA":null,"GenericHTTP":{"Endpoint":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","DynamicEndpoint":null,"Method":"POST","Body":{},"Parameters":[],"Headers":[],"ContentType":"application/json","SharedSecret":"","OAuth2":null,"OAuth2TokenForceFetch":false,"AuthCredentials":null}},"object":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}} {"level":"debug","ts":"2026-06-12T19:24:44Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"3f293179-dc1e-46af-a94a-5587d821b0f9","input":{"auth":{"identity":"Bearer **** subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}}},"context":{"context_extensions":{"host":"3dd75e19cd66d310c30638e330078972afd6d2d96305f91055bc6a6f363fb8d3"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.132.0.36:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local",":method":"GET",":path":"/llm/facebook-opt-125m-simulated/v1/models",":scheme":"https","accept-encoding":"gzip","authorization":"Bearer **** sk-oai-1MplXWGcnri4orXbU_gbdJiUB64nXHqzg6P2aQc8ETPOWOPaYtiivYEMz6zqy","user-agent":"Go-http-client/1.1","x-envoy-decorator-operation":"facebook-opt-125m-simulated-kserve-workload-svc.llm.svc.cluster.local:8000/*","x-envoy-external-address":"10.134.0.41","x-envoy-peer-metadata":"ChoKCkNMVVNURVJfSUQSDBoKS3ViZXJuZXRlcwqLAQoGTEFCRUxTEoABKn4KSwofc2VydmljZS5pc3Rpby5pby9jYW5vbmljYWwtbmFtZRIoGiZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAovCiNzZXJ2aWNlLmlzdGlvLmlvL2Nhbm9uaWNhbC1yZXZpc2lvbhIIGgZsYXRlc3QKQAoETkFNRRI4GjZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdC02ODdmZjY5OTYtdHRwemIKIAoJTkFNRVNQQUNFEhMaEW9wZW5zaGlmdC1pbmdyZXNzCnQKBU9XTkVSEmsaaWt1YmVybmV0ZXM6Ly9hcGlzL2FwcHMvdjEvbmFtZXNwYWNlcy9vcGVuc2hpZnQtaW5ncmVzcy9kZXBsb3ltZW50cy9tYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAo5Cg1XT1JLTE9BRF9OQU1FEigaJm1hYXMtZGVmYXVsdC1nYXRld2F5LW9wZW5zaGlmdC1kZWZhdWx0","x-envoy-peer-metadata-id":"router~10.132.0.36~maas-default-gateway-openshift-default-687ff6996-ttpzb.openshift-ingress~openshift-ingress.svc.cluster.local","x-forwarded-for":"10.134.0.41","x-forwarded-proto":"https","x-maas-subscription":"simulator-subscription","x-request-id":"3f293179-dc1e-46af-a94a-5587d821b0f9"},"host":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local","id":"3f293179-dc1e-46af-a94a-5587d821b0f9","method":"GET","path":"/llm/facebook-opt-125m-simulated/v1/models","protocol":"HTTP/1.1","scheme":"https","time":{"nanos":439244299,"seconds":1781292284},"url_path":"/llm/facebook-opt-125m-simulated/v1/models","user_agent":"Go-http-client/1.1"},"source":{"address":"10.134.0.41:41144","port":41144}}} {"level":"debug","ts":"2026-06-12T19:24:44Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"3f293179-dc1e-46af-a94a-5587d821b0f9","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T19:24:44Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"3f293179-dc1e-46af-a94a-5587d821b0f9","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T19:24:44Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"3f293179-dc1e-46af-a94a-5587d821b0f9","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T19:24:44Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"3f293179-dc1e-46af-a94a-5587d821b0f9","config":{"Name":"subscription-valid","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T19:24:44Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"3f293179-dc1e-46af-a94a-5587d821b0f9","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-12T19:24:44Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"3f293179-dc1e-46af-a94a-5587d821b0f9","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-12T19:24:44Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"3f293179-dc1e-46af-a94a-5587d821b0f9","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"} {"level":"debug","ts":"2026-06-12T19:24:44Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"3f293179-dc1e-46af-a94a-5587d821b0f9","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"keyId","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"userid","Value":{}},{"Name":"groups","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_error_message","Value":{}}]},"Plain":null},"object":{"groups":["system:authenticated","Engineering","Project-Alpha"],"groups_str":"system:authenticated,Engineering,Project-Alpha","keyId":"2a03b7b4-9ebf-4604-a865-7154c4d40e5e","selected_subscription":"simulator-subscription","selected_subscription_key":"models-as-a-service/simulator-subscription@llm/facebook-opt-125m-simulated","subscription_error":"","subscription_error_message":"","subscription_info":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true},"userid":"alice_lead"}} {"level":"info","ts":"2026-06-12T19:24:44Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"3f293179-dc1e-46af-a94a-5587d821b0f9","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-12T19:24:44Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"3f293179-dc1e-46af-a94a-5587d821b0f9","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-12T19:24:44Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"f140253c-0b6b-4261-afb7-ba6e7c8ad57c","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.11:36308","PortSpecifier":{"PortValue":36308}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.36:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"f140253c-0b6b-4261-afb7-ba6e7c8ad57c","method":"GET","path":"/maas-api/v1/models","host":"maas.apps.a51900df-d0fa-417d-aa47-3b5889ce8c19.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-12T19:24:44Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"f140253c-0b6b-4261-afb7-ba6e7c8ad57c","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.11:36308","PortSpecifier":{"PortValue":36308}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.36:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781292284,"nanos":470897829},"http":{"id":"f140253c-0b6b-4261-afb7-ba6e7c8ad57c","method":"GET","headers":{":authority":"maas.apps.a51900df-d0fa-417d-aa47-3b5889ce8c19.prod.konfluxeaas.com",":method":"GET",":path":"/maas-api/v1/models",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-12T19:24:44Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"f140253c-0b6b-4261-afb7-ba6e7c8ad57c","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-1MplXWGcnri4orXbU_gbdJiUB64nXHqzg6P2aQc8ETPOWOPaYtiivYEMz6zqy"} {"level":"debug","ts":"2026-06-12T19:24:44Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"f140253c-0b6b-4261-afb7-ba6e7c8ad57c","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-1MplXWGcnri4orXbU_gbdJiUB64nXHqzg6P2aQc8ETPOWOPaYtiivYEMz6zqy\"}"} {"level":"debug","ts":"2026-06-12T19:24:44Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"f140253c-0b6b-4261-afb7-ba6e7c8ad57c","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-12T19:24:44Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"f140253c-0b6b-4261-afb7-ba6e7c8ad57c","input":{"auth":{"identity":"Bearer **** deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-12T19:24:44Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"f140253c-0b6b-4261-afb7-ba6e7c8ad57c","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T19:24:44Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"f140253c-0b6b-4261-afb7-ba6e7c8ad57c","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T19:24:44Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"f140253c-0b6b-4261-afb7-ba6e7c8ad57c","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T19:24:44Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"f140253c-0b6b-4261-afb7-ba6e7c8ad57c","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-12T19:24:44Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"f140253c-0b6b-4261-afb7-ba6e7c8ad57c","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-12T19:24:44Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"f140253c-0b6b-4261-afb7-ba6e7c8ad57c","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"keyId","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"groups","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"userid","Value":{}}]},"Plain":null},"reason":"no such key: subscription-info"} {"level":"debug","ts":"2026-06-12T19:24:44Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"f140253c-0b6b-4261-afb7-ba6e7c8ad57c","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"} {"level":"info","ts":"2026-06-12T19:24:44Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"f140253c-0b6b-4261-afb7-ba6e7c8ad57c","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-12T19:24:44Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"f140253c-0b6b-4261-afb7-ba6e7c8ad57c","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-12T19:24:44Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"85dffd9b-1ba4-4f72-aeb4-b6705a88f698","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.41:41144","PortSpecifier":{"PortValue":41144}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.36:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"85dffd9b-1ba4-4f72-aeb4-b6705a88f698","method":"GET","path":"/llm/facebook-opt-125m-simulated/v1/models","host":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local","scheme":"https"}}}} {"level":"debug","ts":"2026-06-12T19:24:44Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"85dffd9b-1ba4-4f72-aeb4-b6705a88f698","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.41:41144","PortSpecifier":{"PortValue":41144}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.36:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781292284,"nanos":477865947},"http":{"id":"85dffd9b-1ba4-4f72-aeb4-b6705a88f698","method":"GET","headers":{":authority":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local",":method":"GET",":path":"/llm/facebook-opt-125m-simulated/v1/models",":scheme":"https","accept-encoding":"gzip","authorization":"Bearer **** {"level":"debug","ts":"2026-06-12T19:24:44Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"85dffd9b-1ba4-4f72-aeb4-b6705a88f698","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-1MplXWGcnri4orXbU_gbdJiUB64nXHqzg6P2aQc8ETPOWOPaYtiivYEMz6zqy"} {"level":"debug","ts":"2026-06-12T19:24:44Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"85dffd9b-1ba4-4f72-aeb4-b6705a88f698","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-1MplXWGcnri4orXbU_gbdJiUB64nXHqzg6P2aQc8ETPOWOPaYtiivYEMz6zqy\"}"} {"level":"debug","ts":"2026-06-12T19:24:44Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"85dffd9b-1ba4-4f72-aeb4-b6705a88f698","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-12T19:24:44Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"85dffd9b-1ba4-4f72-aeb4-b6705a88f698","config":"subscription-info","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","headers":{"Content-Type":["application/json"]},"body":"{\"groups\":[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"],\"requestedModel\":\"llm/facebook-opt-125m-simulated\",\"requestedSubscription\":\"simulator-subscription\",\"username\":\"alice_lead\"}"} {"level":"debug","ts":"2026-06-12T19:24:44Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"85dffd9b-1ba4-4f72-aeb4-b6705a88f698","config":{"Name":"subscription-info","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"UserInfo":null,"UMA":null,"GenericHTTP":{"Endpoint":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","DynamicEndpoint":null,"Method":"POST","Body":{},"Parameters":[],"Headers":[],"ContentType":"application/json","SharedSecret":"","OAuth2":null,"OAuth2TokenForceFetch":false,"AuthCredentials":null}},"object":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}} {"level":"debug","ts":"2026-06-12T19:24:44Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"85dffd9b-1ba4-4f72-aeb4-b6705a88f698","input":{"auth":{"identity":"Bearer **** subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}}},"context":{"context_extensions":{"host":"3dd75e19cd66d310c30638e330078972afd6d2d96305f91055bc6a6f363fb8d3"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.132.0.36:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local",":method":"GET",":path":"/llm/facebook-opt-125m-simulated/v1/models",":scheme":"https","accept-encoding":"gzip","authorization":"Bearer **** sk-oai-1MplXWGcnri4orXbU_gbdJiUB64nXHqzg6P2aQc8ETPOWOPaYtiivYEMz6zqy","user-agent":"Go-http-client/1.1","x-envoy-decorator-operation":"facebook-opt-125m-simulated-kserve-workload-svc.llm.svc.cluster.local:8000/*","x-envoy-external-address":"10.134.0.41","x-envoy-peer-metadata":"ChoKCkNMVVNURVJfSUQSDBoKS3ViZXJuZXRlcwqLAQoGTEFCRUxTEoABKn4KSwofc2VydmljZS5pc3Rpby5pby9jYW5vbmljYWwtbmFtZRIoGiZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAovCiNzZXJ2aWNlLmlzdGlvLmlvL2Nhbm9uaWNhbC1yZXZpc2lvbhIIGgZsYXRlc3QKQAoETkFNRRI4GjZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdC02ODdmZjY5OTYtdHRwemIKIAoJTkFNRVNQQUNFEhMaEW9wZW5zaGlmdC1pbmdyZXNzCnQKBU9XTkVSEmsaaWt1YmVybmV0ZXM6Ly9hcGlzL2FwcHMvdjEvbmFtZXNwYWNlcy9vcGVuc2hpZnQtaW5ncmVzcy9kZXBsb3ltZW50cy9tYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAo5Cg1XT1JLTE9BRF9OQU1FEigaJm1hYXMtZGVmYXVsdC1nYXRld2F5LW9wZW5zaGlmdC1kZWZhdWx0","x-envoy-peer-metadata-id":"router~10.132.0.36~maas-default-gateway-openshift-default-687ff6996-ttpzb.openshift-ingress~openshift-ingress.svc.cluster.local","x-forwarded-for":"10.134.0.41","x-forwarded-proto":"https","x-maas-subscription":"simulator-subscription","x-request-id":"85dffd9b-1ba4-4f72-aeb4-b6705a88f698"},"host":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local","id":"85dffd9b-1ba4-4f72-aeb4-b6705a88f698","method":"GET","path":"/llm/facebook-opt-125m-simulated/v1/models","protocol":"HTTP/1.1","scheme":"https","time":{"nanos":477865947,"seconds":1781292284},"url_path":"/llm/facebook-opt-125m-simulated/v1/models","user_agent":"Go-http-client/1.1"},"source":{"address":"10.134.0.41:41144","port":41144}}} {"level":"debug","ts":"2026-06-12T19:24:44Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"85dffd9b-1ba4-4f72-aeb4-b6705a88f698","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T19:24:44Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"85dffd9b-1ba4-4f72-aeb4-b6705a88f698","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T19:24:44Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"85dffd9b-1ba4-4f72-aeb4-b6705a88f698","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T19:24:44Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"85dffd9b-1ba4-4f72-aeb4-b6705a88f698","config":{"Name":"subscription-valid","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T19:24:44Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"85dffd9b-1ba4-4f72-aeb4-b6705a88f698","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-12T19:24:44Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"85dffd9b-1ba4-4f72-aeb4-b6705a88f698","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-12T19:24:44Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"85dffd9b-1ba4-4f72-aeb4-b6705a88f698","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"} {"level":"debug","ts":"2026-06-12T19:24:44Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"85dffd9b-1ba4-4f72-aeb4-b6705a88f698","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"keyId","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"userid","Value":{}},{"Name":"groups","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_error_message","Value":{}}]},"Plain":null},"object":{"groups":["system:authenticated","Engineering","Project-Alpha"],"groups_str":"system:authenticated,Engineering,Project-Alpha","keyId":"2a03b7b4-9ebf-4604-a865-7154c4d40e5e","selected_subscription":"simulator-subscription","selected_subscription_key":"models-as-a-service/simulator-subscription@llm/facebook-opt-125m-simulated","subscription_error":"","subscription_error_message":"","subscription_info":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true},"userid":"alice_lead"}} {"level":"info","ts":"2026-06-12T19:24:44Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"85dffd9b-1ba4-4f72-aeb4-b6705a88f698","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-12T19:24:44Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"85dffd9b-1ba4-4f72-aeb4-b6705a88f698","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-12T19:24:44Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"be908d38-a094-45d5-9df2-aed5b40af238","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.11:36318","PortSpecifier":{"PortValue":36318}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.36:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"be908d38-a094-45d5-9df2-aed5b40af238","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.a51900df-d0fa-417d-aa47-3b5889ce8c19.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-12T19:24:44Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"be908d38-a094-45d5-9df2-aed5b40af238","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.11:36318","PortSpecifier":{"PortValue":36318}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.36:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781292284,"nanos":581826643},"http":{"id":"be908d38-a094-45d5-9df2-aed5b40af238","method":"POST","headers":{":authority":"maas.apps.a51900df-d0fa-417d-aa47-3b5889ce8c19.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-12T19:24:44Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"be908d38-a094-45d5-9df2-aed5b40af238","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781292584,"groups":["Engineering","Project-Alpha"],"iat":1781292284,"iss":"https://keycloak.apps.a51900df-d0fa-417d-aa47-3b5889ce8c19.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:aceffdba-1ab8-4458-02e6-99edf334875a","preferred_username":"alice_lead","scope":"profile email","sid":"Zl6TflyjgjDYOrA6rrRv3xBY","sub":"20ebd653-964a-41f4-82f4-89c579fa7246","typ":"Bearer"}} {"level":"debug","ts":"2026-06-12T19:24:44Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"be908d38-a094-45d5-9df2-aed5b40af238","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781292584,"groups":["Engineering","Project-Alpha"],"iat":1781292284,"iss":"https://keycloak.apps.a51900df-d0fa-417d-aa47-3b5889ce8c19.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:aceffdba-1ab8-4458-02e6-99edf334875a","preferred_username":"alice_lead","scope":"profile email","sid":"Zl6TflyjgjDYOrA6rrRv3xBY","sub":"20ebd653-964a-41f4-82f4-89c579fa7246","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.132.0.36:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.a51900df-d0fa-417d-aa47-3b5889ce8c19.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-12T19:24:44Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"be908d38-a094-45d5-9df2-aed5b40af238","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T19:24:44Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"be908d38-a094-45d5-9df2-aed5b40af238","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T19:24:44Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"be908d38-a094-45d5-9df2-aed5b40af238","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T19:24:44Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"be908d38-a094-45d5-9df2-aed5b40af238","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"keyId","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"groups","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"userid","Value":{}}]},"Plain":null},"reason":"no such key: metadata"} {"level":"debug","ts":"2026-06-12T19:24:44Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"be908d38-a094-45d5-9df2-aed5b40af238","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"} {"level":"debug","ts":"2026-06-12T19:24:44Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"be908d38-a094-45d5-9df2-aed5b40af238","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"} {"level":"info","ts":"2026-06-12T19:24:44Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"be908d38-a094-45d5-9df2-aed5b40af238","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-12T19:24:44Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"be908d38-a094-45d5-9df2-aed5b40af238","authorized":true,"response":"OK"}