{"level":"info","ts":"2026-06-16T20:27:00Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5"} {"level":"debug","ts":"2026-06-16T20:27:00Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/3dc75fc8307b952a3e873400cf417e90f2861e8a225abec4b22708deb7901db7","issuerUrl":"https://keycloak.apps.71298e35-e099-4bd7-909b-805f2a06aaeb.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-16T20:27:00Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-16T20:27:00Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"b1f82c4ba6cc7617f9c0b90067f72f4a25fdc5de2564c14ccb90af534a2905f6","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-16T20:27:00Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"3dc75fc8307b952a3e873400cf417e90f2861e8a225abec4b22708deb7901db7","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"False","lastTransitionTime":"2026-06-16T20:27:00Z","reason":"HostsNotLinked","message":"No hosts linked to the resource"},{"type":"Ready","status":"False","lastTransitionTime":"2026-06-16T20:27:00Z","reason":"Reconciling"}],"summary":{"ready":false,"hostsReady":[],"numHostsReady":"0/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":8,"festivalWristbandEnabled":false}}} {"level":"info","ts":"2026-06-16T20:27:00Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"3dc75fc8307b952a3e873400cf417e90f2861e8a225abec4b22708deb7901db7","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-16T20:27:00Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/3dc75fc8307b952a3e873400cf417e90f2861e8a225abec4b22708deb7901db7"} {"level":"debug","ts":"2026-06-16T20:27:00Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"3dd75e19cd66d310c30638e330078972afd6d2d96305f91055bc6a6f363fb8d3","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-16T20:27:00Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"331dc257e65f55f80700a586f7807093eda7b3d8e7d91215dc3c47731508480c","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-16T20:27:00Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"319a353672fc7601c875fa3f8b807adf60b64f093f022b2a1c3dfef3ac8cd4f4","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"True","lastTransitionTime":"2026-06-16T20:27:00Z","reason":"HostsLinked"},{"type":"Ready","status":"True","lastTransitionTime":"2026-06-16T20:27:00Z","reason":"Reconciled"}],"summary":{"ready":true,"hostsReady":["319a353672fc7601c875fa3f8b807adf60b64f093f022b2a1c3dfef3ac8cd4f4"],"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":8,"festivalWristbandEnabled":false}}} {"level":"debug","ts":"2026-06-16T20:27:00Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/b1f82c4ba6cc7617f9c0b90067f72f4a25fdc5de2564c14ccb90af534a2905f6","issuerUrl":"https://keycloak.apps.71298e35-e099-4bd7-909b-805f2a06aaeb.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-16T20:27:00Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"319a353672fc7601c875fa3f8b807adf60b64f093f022b2a1c3dfef3ac8cd4f4","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-16T20:27:00Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"e50f5fdcb9fb7e124557afe69edae9a95d05da488eae1cc4b5c1c7c1220a826a","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-16T20:27:00Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"True","lastTransitionTime":"2026-06-16T20:27:00Z","reason":"HostsLinked"},{"type":"Ready","status":"True","lastTransitionTime":"2026-06-16T20:27:00Z","reason":"Reconciled"}],"summary":{"ready":true,"hostsReady":["9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5"],"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":8,"festivalWristbandEnabled":false}}} {"level":"info","ts":"2026-06-16T20:27:00Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/b1f82c4ba6cc7617f9c0b90067f72f4a25fdc5de2564c14ccb90af534a2905f6"} {"level":"info","ts":"2026-06-16T20:27:00Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-16T20:27:00Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"a89b0896df0d8cd430f1c81b6eb292ddc044daed393537d009a6330718f58d4b","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-16T20:27:00Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"3dc75fc8307b952a3e873400cf417e90f2861e8a225abec4b22708deb7901db7","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"True","lastTransitionTime":"2026-06-16T20:27:00Z","reason":"HostsLinked"},{"type":"Ready","status":"True","lastTransitionTime":"2026-06-16T20:27:00Z","reason":"Reconciled"}],"summary":{"ready":true,"hostsReady":["3dc75fc8307b952a3e873400cf417e90f2861e8a225abec4b22708deb7901db7"],"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":8,"festivalWristbandEnabled":false}}} {"level":"debug","ts":"2026-06-16T20:27:00Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/3dd75e19cd66d310c30638e330078972afd6d2d96305f91055bc6a6f363fb8d3","issuerUrl":"https://keycloak.apps.71298e35-e099-4bd7-909b-805f2a06aaeb.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-16T20:27:00Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"3dc75fc8307b952a3e873400cf417e90f2861e8a225abec4b22708deb7901db7","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-16T20:27:00Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"d3b195a61a7f24c6bf1fba40f9f2e2565facb6af92e959c1546ac398a9172618","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-16T20:27:00Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"319a353672fc7601c875fa3f8b807adf60b64f093f022b2a1c3dfef3ac8cd4f4","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-16T20:27:00Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-16T20:27:00Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"3dc75fc8307b952a3e873400cf417e90f2861e8a225abec4b22708deb7901db7","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-16T20:27:00Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/3dd75e19cd66d310c30638e330078972afd6d2d96305f91055bc6a6f363fb8d3"} {"level":"debug","ts":"2026-06-16T20:27:00Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/331dc257e65f55f80700a586f7807093eda7b3d8e7d91215dc3c47731508480c","issuerUrl":"https://keycloak.apps.71298e35-e099-4bd7-909b-805f2a06aaeb.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-16T20:27:00Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/331dc257e65f55f80700a586f7807093eda7b3d8e7d91215dc3c47731508480c"} {"level":"debug","ts":"2026-06-16T20:27:00Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/319a353672fc7601c875fa3f8b807adf60b64f093f022b2a1c3dfef3ac8cd4f4","issuerUrl":"https://keycloak.apps.71298e35-e099-4bd7-909b-805f2a06aaeb.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-16T20:27:00Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"18e32965997cdd9967355c6fa5264ed12c0a215989d459ed88d7d6de02865f76","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-16T20:27:00Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/319a353672fc7601c875fa3f8b807adf60b64f093f022b2a1c3dfef3ac8cd4f4"} {"level":"debug","ts":"2026-06-16T20:27:00Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/e50f5fdcb9fb7e124557afe69edae9a95d05da488eae1cc4b5c1c7c1220a826a","issuerUrl":"https://keycloak.apps.71298e35-e099-4bd7-909b-805f2a06aaeb.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-16T20:27:00Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"35d34d59676c333235d7c9f02273e0380bb39f27cfd30856fedc0f7c0e5f79aa","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-16T20:27:00Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/e50f5fdcb9fb7e124557afe69edae9a95d05da488eae1cc4b5c1c7c1220a826a"} {"level":"debug","ts":"2026-06-16T20:27:00Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5","issuerUrl":"https://keycloak.apps.71298e35-e099-4bd7-909b-805f2a06aaeb.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-16T20:27:00Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"86cbb62fb4d82d4dc402b3281444539a5625c4bb4c86bbc4912c70e690a2e374","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-16T20:27:00Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5"} {"level":"debug","ts":"2026-06-16T20:27:00Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/a89b0896df0d8cd430f1c81b6eb292ddc044daed393537d009a6330718f58d4b","issuerUrl":"https://keycloak.apps.71298e35-e099-4bd7-909b-805f2a06aaeb.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-16T20:27:00Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"bf72a6316f6ed79299511e58d068836cdc71dbca5e23944f783c9340ffa0aee1","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-16T20:27:00Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/a89b0896df0d8cd430f1c81b6eb292ddc044daed393537d009a6330718f58d4b"} {"level":"debug","ts":"2026-06-16T20:27:00Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"e38d76c6f386f12bc12190c87b39e6e77e182be454f85659a9197c301f2cd9be","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-16T20:27:00Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/3dc75fc8307b952a3e873400cf417e90f2861e8a225abec4b22708deb7901db7","issuerUrl":"https://keycloak.apps.71298e35-e099-4bd7-909b-805f2a06aaeb.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-16T20:27:00Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-16T20:27:00Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/3dc75fc8307b952a3e873400cf417e90f2861e8a225abec4b22708deb7901db7"} {"level":"debug","ts":"2026-06-16T20:27:00Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/d3b195a61a7f24c6bf1fba40f9f2e2565facb6af92e959c1546ac398a9172618","issuerUrl":"https://keycloak.apps.71298e35-e099-4bd7-909b-805f2a06aaeb.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-16T20:27:00Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"df733b2c652bfe2458c9e19932b1091e939c1a62178d6879462b3b4f73fca4bb","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-16T20:27:00Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/d3b195a61a7f24c6bf1fba40f9f2e2565facb6af92e959c1546ac398a9172618"} {"level":"debug","ts":"2026-06-16T20:27:00Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/18e32965997cdd9967355c6fa5264ed12c0a215989d459ed88d7d6de02865f76","issuerUrl":"https://keycloak.apps.71298e35-e099-4bd7-909b-805f2a06aaeb.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-16T20:27:00Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"edcceb5a2e0cf1edde0fc3ed43068ce5b123a6fdc41949959c2c3b7a5a48bf24","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-16T20:27:00Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/18e32965997cdd9967355c6fa5264ed12c0a215989d459ed88d7d6de02865f76"} {"level":"debug","ts":"2026-06-16T20:27:00Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/35d34d59676c333235d7c9f02273e0380bb39f27cfd30856fedc0f7c0e5f79aa","issuerUrl":"https://keycloak.apps.71298e35-e099-4bd7-909b-805f2a06aaeb.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-16T20:27:00Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/35d34d59676c333235d7c9f02273e0380bb39f27cfd30856fedc0f7c0e5f79aa"} {"level":"debug","ts":"2026-06-16T20:27:00Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/86cbb62fb4d82d4dc402b3281444539a5625c4bb4c86bbc4912c70e690a2e374","issuerUrl":"https://keycloak.apps.71298e35-e099-4bd7-909b-805f2a06aaeb.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-16T20:27:00Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/86cbb62fb4d82d4dc402b3281444539a5625c4bb4c86bbc4912c70e690a2e374"} {"level":"debug","ts":"2026-06-16T20:27:00Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/bf72a6316f6ed79299511e58d068836cdc71dbca5e23944f783c9340ffa0aee1","issuerUrl":"https://keycloak.apps.71298e35-e099-4bd7-909b-805f2a06aaeb.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-16T20:27:00Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"3c0d47082320c9bb02d3788ab2b052c696af91abc2ae438437ae71a26936c7c2","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-16T20:27:00Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/bf72a6316f6ed79299511e58d068836cdc71dbca5e23944f783c9340ffa0aee1"} {"level":"debug","ts":"2026-06-16T20:27:00Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/e38d76c6f386f12bc12190c87b39e6e77e182be454f85659a9197c301f2cd9be","issuerUrl":"https://keycloak.apps.71298e35-e099-4bd7-909b-805f2a06aaeb.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-16T20:27:00Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"9bbfc0b2e9e9acadd41342cd7c36a24afa8a5eef942d161782a6adae8411158a","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-16T20:27:00Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/e38d76c6f386f12bc12190c87b39e6e77e182be454f85659a9197c301f2cd9be"} {"level":"debug","ts":"2026-06-16T20:27:00Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d","issuerUrl":"https://keycloak.apps.71298e35-e099-4bd7-909b-805f2a06aaeb.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-16T20:27:00Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"4dc577fd60594d78a4a8bebe396f4b5a928f41bdc3f95c06d717cf1ddc3158b2","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-16T20:27:00Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"} {"level":"debug","ts":"2026-06-16T20:27:00Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/df733b2c652bfe2458c9e19932b1091e939c1a62178d6879462b3b4f73fca4bb","issuerUrl":"https://keycloak.apps.71298e35-e099-4bd7-909b-805f2a06aaeb.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-16T20:27:01Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"c9f2cdb36f800bc8ef8831e6117ec4c6cc521d8cd63b718b7906225d0f25e59f","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-16T20:27:01Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/df733b2c652bfe2458c9e19932b1091e939c1a62178d6879462b3b4f73fca4bb"} {"level":"debug","ts":"2026-06-16T20:27:01Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/edcceb5a2e0cf1edde0fc3ed43068ce5b123a6fdc41949959c2c3b7a5a48bf24","issuerUrl":"https://keycloak.apps.71298e35-e099-4bd7-909b-805f2a06aaeb.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-16T20:27:01Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/edcceb5a2e0cf1edde0fc3ed43068ce5b123a6fdc41949959c2c3b7a5a48bf24"} {"level":"debug","ts":"2026-06-16T20:27:01Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/3c0d47082320c9bb02d3788ab2b052c696af91abc2ae438437ae71a26936c7c2","issuerUrl":"https://keycloak.apps.71298e35-e099-4bd7-909b-805f2a06aaeb.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-16T20:27:01Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/3c0d47082320c9bb02d3788ab2b052c696af91abc2ae438437ae71a26936c7c2"} {"level":"debug","ts":"2026-06-16T20:27:01Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/9bbfc0b2e9e9acadd41342cd7c36a24afa8a5eef942d161782a6adae8411158a","issuerUrl":"https://keycloak.apps.71298e35-e099-4bd7-909b-805f2a06aaeb.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-16T20:27:01Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/9bbfc0b2e9e9acadd41342cd7c36a24afa8a5eef942d161782a6adae8411158a"} {"level":"debug","ts":"2026-06-16T20:27:01Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/4dc577fd60594d78a4a8bebe396f4b5a928f41bdc3f95c06d717cf1ddc3158b2","issuerUrl":"https://keycloak.apps.71298e35-e099-4bd7-909b-805f2a06aaeb.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-16T20:27:01Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/4dc577fd60594d78a4a8bebe396f4b5a928f41bdc3f95c06d717cf1ddc3158b2"} {"level":"debug","ts":"2026-06-16T20:27:01Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/c9f2cdb36f800bc8ef8831e6117ec4c6cc521d8cd63b718b7906225d0f25e59f","issuerUrl":"https://keycloak.apps.71298e35-e099-4bd7-909b-805f2a06aaeb.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-16T20:27:01Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/c9f2cdb36f800bc8ef8831e6117ec4c6cc521d8cd63b718b7906225d0f25e59f"} {"level":"info","ts":"2026-06-16T20:27:52Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"e0f1efdb-4edd-4570-98d2-017a04c80fde","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.14:54970","PortSpecifier":{"PortValue":54970}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.38:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"e0f1efdb-4edd-4570-98d2-017a04c80fde","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.71298e35-e099-4bd7-909b-805f2a06aaeb.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-16T20:27:52Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"e0f1efdb-4edd-4570-98d2-017a04c80fde","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.14:54970","PortSpecifier":{"PortValue":54970}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.38:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781641672,"nanos":647159052},"http":{"id":"e0f1efdb-4edd-4570-98d2-017a04c80fde","method":"POST","headers":{":authority":"maas.apps.71298e35-e099-4bd7-909b-805f2a06aaeb.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-16T20:27:52Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"e0f1efdb-4edd-4570-98d2-017a04c80fde","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781641972,"groups":["Engineering","Project-Alpha"],"iat":1781641672,"iss":"https://keycloak.apps.71298e35-e099-4bd7-909b-805f2a06aaeb.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:56d873aa-02fa-0833-1d5f-801d0c65a256","preferred_username":"alice_lead","scope":"profile email","sid":"tn1pPtMwyKJDav8xzB7X78a6","sub":"6f4dec1e-4c2b-4b53-a59e-1c915459c384","typ":"Bearer"}} {"level":"debug","ts":"2026-06-16T20:27:52Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"e0f1efdb-4edd-4570-98d2-017a04c80fde","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781641972,"groups":["Engineering","Project-Alpha"],"iat":1781641672,"iss":"https://keycloak.apps.71298e35-e099-4bd7-909b-805f2a06aaeb.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:56d873aa-02fa-0833-1d5f-801d0c65a256","preferred_username":"alice_lead","scope":"profile email","sid":"tn1pPtMwyKJDav8xzB7X78a6","sub":"6f4dec1e-4c2b-4b53-a59e-1c915459c384","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.132.0.38:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.71298e35-e099-4bd7-909b-805f2a06aaeb.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-16T20:27:52Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"e0f1efdb-4edd-4570-98d2-017a04c80fde","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-16T20:27:52Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"e0f1efdb-4edd-4570-98d2-017a04c80fde","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-16T20:27:52Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"e0f1efdb-4edd-4570-98d2-017a04c80fde","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-16T20:27:52Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"e0f1efdb-4edd-4570-98d2-017a04c80fde","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"groups_str","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"groups","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"userid","Value":{}},{"Name":"keyId","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_info","Value":{}}]},"Plain":null},"reason":"no such key: metadata"} {"level":"debug","ts":"2026-06-16T20:27:52Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"e0f1efdb-4edd-4570-98d2-017a04c80fde","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"} {"level":"debug","ts":"2026-06-16T20:27:52Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"e0f1efdb-4edd-4570-98d2-017a04c80fde","config":{"Name":"X-MaaS-Tenant-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Tenant","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"opendatahub"} {"level":"debug","ts":"2026-06-16T20:27:52Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"e0f1efdb-4edd-4570-98d2-017a04c80fde","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"} {"level":"info","ts":"2026-06-16T20:27:52Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"e0f1efdb-4edd-4570-98d2-017a04c80fde","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-16T20:27:52Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"e0f1efdb-4edd-4570-98d2-017a04c80fde","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-16T20:27:52Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"d5bef6b2-a8c3-490f-8648-4ed59ceb9291","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.14:54974","PortSpecifier":{"PortValue":54974}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.38:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"d5bef6b2-a8c3-490f-8648-4ed59ceb9291","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.71298e35-e099-4bd7-909b-805f2a06aaeb.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-16T20:27:52Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"d5bef6b2-a8c3-490f-8648-4ed59ceb9291","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.14:54974","PortSpecifier":{"PortValue":54974}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.38:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781641672,"nanos":826404291},"http":{"id":"d5bef6b2-a8c3-490f-8648-4ed59ceb9291","method":"POST","headers":{":authority":"maas.apps.71298e35-e099-4bd7-909b-805f2a06aaeb.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-16T20:27:52Z","logger":"authorino.service.auth.authpipeline.identity","msg":"cannot validate identity","request id":"d5bef6b2-a8c3-490f-8648-4ed59ceb9291","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"reason":"failed to verify signature: failed to verify id token signature"} {"level":"debug","ts":"2026-06-16T20:27:52Z","logger":"authorino.service.auth.authpipeline.identity.kubernetesauth","msg":"calling kubernetes token review api","request id":"d5bef6b2-a8c3-490f-8648-4ed59ceb9291","tokenreview":{"name":""}} {"level":"debug","ts":"2026-06-16T20:27:52Z","logger":"authorino.service.auth.authpipeline.identity","msg":"cannot validate identity","request id":"d5bef6b2-a8c3-490f-8648-4ed59ceb9291","config":{"Name":"openshift-identities","Priority":2,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":null,"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"Plain":null,"Noop":null,"ExtendedProperties":[]},"reason":"not authenticated"} {"level":"info","ts":"2026-06-16T20:27:52Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"d5bef6b2-a8c3-490f-8648-4ed59ceb9291","authorized":false,"response":"UNAUTHENTICATED","object":{"code":16,"status":401,"message":"Authentication required"}} {"level":"debug","ts":"2026-06-16T20:27:52Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"d5bef6b2-a8c3-490f-8648-4ed59ceb9291","authorized":false,"response":"UNAUTHENTICATED","object":{"code":16,"status":401,"message":"Authentication required","headers":[{"WWW-Authenticate":"request.headers.authorization realm=\"api-keys\""},{"WWW-Authenticate":"Bearer **** realm=\"openshift-identities\""}]}} {"level":"info","ts":"2026-06-16T20:27:52Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"e4b3529d-7b2a-416f-b15f-d1418c8f21cb","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.14:54990","PortSpecifier":{"PortValue":54990}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.38:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"e4b3529d-7b2a-416f-b15f-d1418c8f21cb","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.71298e35-e099-4bd7-909b-805f2a06aaeb.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-16T20:27:52Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"e4b3529d-7b2a-416f-b15f-d1418c8f21cb","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.14:54990","PortSpecifier":{"PortValue":54990}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.38:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781641672,"nanos":903912342},"http":{"id":"e4b3529d-7b2a-416f-b15f-d1418c8f21cb","method":"POST","headers":{":authority":"maas.apps.71298e35-e099-4bd7-909b-805f2a06aaeb.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer","content-length":"35","content-type":"application/json","forwarded":"for=44.212.242.249;host=maas.apps.71298e35-e099-4bd7-909b-805f2a06aaeb.prod.konfluxeaas.com;proto=https","user-agent":"python-requests/2.32.5","x-envoy-decorator-operation":"maas-api.opendatahub.svc.cluster.local:8443/*","x-envoy-external-address":"10.132.0.14","x-envoy-peer-metadata":"ChoKCkNMVVNURVJfSUQSDBoKS3ViZXJuZXRlcwqLAQoGTEFCRUxTEoABKn4KSwofc2VydmljZS5pc3Rpby5pby9jYW5vbmljYWwtbmFtZRIoGiZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAovCiNzZXJ2aWNlLmlzdGlvLmlvL2Nhbm9uaWNhbC1yZXZpc2lvbhIIGgZsYXRlc3QKQAoETkFNRRI4GjZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdC02ODdmZjY5OTYtc2ZubHEKIAoJTkFNRVNQQUNFEhMaEW9wZW5zaGlmdC1pbmdyZXNzCnQKBU9XTkVSEmsaaWt1YmVybmV0ZXM6Ly9hcGlzL2FwcHMvdjEvbmFtZXNwYWNlcy9vcGVuc2hpZnQtaW5ncmVzcy9kZXBsb3ltZW50cy9tYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAo5Cg1XT1JLTE9BRF9OQU1FEigaJm1hYXMtZGVmYXVsdC1nYXRld2F5LW9wZW5zaGlmdC1kZWZhdWx0","x-envoy-peer-metadata-id":"router~10.132.0.38~maas-default-gateway-openshift-default-687ff6996-sfnlq.openshift-ingress~openshift-ingress.svc.cluster.local","x-forwarded-for":"44.212.242.249,10.132.0.14","x-forwarded-host":"maas.apps.71298e35-e099-4bd7-909b-805f2a06aaeb.prod.konfluxeaas.com","x-forwarded-port":"443","x-forwarded-proto":"https","x-request-id":"e4b3529d-7b2a-416f-b15f-d1418c8f21cb"},"path":"/maas-api/v1/api-keys","host":"maas.apps.71298e35-e099-4bd7-909b-805f2a06aaeb.prod.konfluxeaas.com","scheme":"https","protocol":"HTTP/1.1"}},"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"metadata_context":{}}} {"level":"debug","ts":"2026-06-16T20:27:52Z","logger":"authorino.service.auth.authpipeline.identity","msg":"cannot validate identity","request id":"e4b3529d-7b2a-416f-b15f-d1418c8f21cb","config":{"Name":"openshift-identities","Priority":2,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":null,"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"Plain":null,"Noop":null,"ExtendedProperties":[]},"reason":"credential not found"} {"level":"info","ts":"2026-06-16T20:27:52Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"e4b3529d-7b2a-416f-b15f-d1418c8f21cb","authorized":false,"response":"UNAUTHENTICATED","object":{"code":16,"status":401,"message":"Authentication required"}} {"level":"debug","ts":"2026-06-16T20:27:52Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"e4b3529d-7b2a-416f-b15f-d1418c8f21cb","authorized":false,"response":"UNAUTHENTICATED","object":{"code":16,"status":401,"message":"Authentication required","headers":[{"WWW-Authenticate":"request.headers.authorization realm=\"api-keys\""},{"WWW-Authenticate":"Bearer **** realm=\"openshift-identities\""}]}} {"level":"info","ts":"2026-06-16T20:27:52Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"48054736-6bc6-497b-92f3-6a7e125b291a","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.14:55006","PortSpecifier":{"PortValue":55006}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.38:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"48054736-6bc6-497b-92f3-6a7e125b291a","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.71298e35-e099-4bd7-909b-805f2a06aaeb.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-16T20:27:52Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"48054736-6bc6-497b-92f3-6a7e125b291a","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.14:55006","PortSpecifier":{"PortValue":55006}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.38:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781641672,"nanos":929316098},"http":{"id":"48054736-6bc6-497b-92f3-6a7e125b291a","method":"POST","headers":{":authority":"maas.apps.71298e35-e099-4bd7-909b-805f2a06aaeb.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","content-length":"36","content-type":"application/json","forwarded":"for=44.212.242.249;host=maas.apps.71298e35-e099-4bd7-909b-805f2a06aaeb.prod.konfluxeaas.com;proto=https","user-agent":"python-requests/2.32.5","x-envoy-decorator-operation":"maas-api.opendatahub.svc.cluster.local:8443/*","x-envoy-external-address":"10.132.0.14","x-envoy-peer-metadata":"ChoKCkNMVVNURVJfSUQSDBoKS3ViZXJuZXRlcwqLAQoGTEFCRUxTEoABKn4KSwofc2VydmljZS5pc3Rpby5pby9jYW5vbmljYWwtbmFtZRIoGiZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAovCiNzZXJ2aWNlLmlzdGlvLmlvL2Nhbm9uaWNhbC1yZXZpc2lvbhIIGgZsYXRlc3QKQAoETkFNRRI4GjZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdC02ODdmZjY5OTYtc2ZubHEKIAoJTkFNRVNQQUNFEhMaEW9wZW5zaGlmdC1pbmdyZXNzCnQKBU9XTkVSEmsaaWt1YmVybmV0ZXM6Ly9hcGlzL2FwcHMvdjEvbmFtZXNwYWNlcy9vcGVuc2hpZnQtaW5ncmVzcy9kZXBsb3ltZW50cy9tYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAo5Cg1XT1JLTE9BRF9OQU1FEigaJm1hYXMtZGVmYXVsdC1nYXRld2F5LW9wZW5zaGlmdC1kZWZhdWx0","x-envoy-peer-metadata-id":"router~10.132.0.38~maas-default-gateway-openshift-default-687ff6996-sfnlq.openshift-ingress~openshift-ingress.svc.cluster.local","x-forwarded-for":"44.212.242.249,10.132.0.14","x-forwarded-host":"maas.apps.71298e35-e099-4bd7-909b-805f2a06aaeb.prod.konfluxeaas.com","x-forwarded-port":"443","x-forwarded-proto":"https","x-request-id":"48054736-6bc6-497b-92f3-6a7e125b291a"},"path":"/maas-api/v1/api-keys","host":"maas.apps.71298e35-e099-4bd7-909b-805f2a06aaeb.prod.konfluxeaas.com","scheme":"https","protocol":"HTTP/1.1"}},"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"metadata_context":{}}} {"level":"info","ts":"2026-06-16T20:27:52Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"48054736-6bc6-497b-92f3-6a7e125b291a","authorized":false,"response":"UNAUTHENTICATED","object":{"code":16,"status":401,"message":"Authentication required"}} {"level":"debug","ts":"2026-06-16T20:27:52Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"48054736-6bc6-497b-92f3-6a7e125b291a","authorized":false,"response":"UNAUTHENTICATED","object":{"code":16,"status":401,"message":"Authentication required","headers":[{"WWW-Authenticate":"request.headers.authorization realm=\"api-keys\""},{"WWW-Authenticate":"Bearer **** realm=\"openshift-identities\""}]}} {"level":"info","ts":"2026-06-16T20:27:53Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"5896cba5-46ac-4707-afcf-4aaa88da22be","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.14:55008","PortSpecifier":{"PortValue":55008}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.38:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"5896cba5-46ac-4707-afcf-4aaa88da22be","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.71298e35-e099-4bd7-909b-805f2a06aaeb.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-16T20:27:53Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"5896cba5-46ac-4707-afcf-4aaa88da22be","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.14:55008","PortSpecifier":{"PortValue":55008}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.38:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781641673,"nanos":578179456},"http":{"id":"5896cba5-46ac-4707-afcf-4aaa88da22be","method":"POST","headers":{":authority":"maas.apps.71298e35-e099-4bd7-909b-805f2a06aaeb.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-16T20:27:53Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"5896cba5-46ac-4707-afcf-4aaa88da22be","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781641973,"groups":["Site-Reliability"],"iat":1781641673,"iss":"https://keycloak.apps.71298e35-e099-4bd7-909b-805f2a06aaeb.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:add4b33b-d83b-b01e-7230-2c2833fae201","preferred_username":"bob_sre","scope":"profile email","sid":"ZeWqB6MdoDgSbIVG8bLJ9dcS","sub":"a3e129a5-0f59-4ffb-845a-543472143032","typ":"Bearer"}} {"level":"debug","ts":"2026-06-16T20:27:53Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"5896cba5-46ac-4707-afcf-4aaa88da22be","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781641973,"groups":["Site-Reliability"],"iat":1781641673,"iss":"https://keycloak.apps.71298e35-e099-4bd7-909b-805f2a06aaeb.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:add4b33b-d83b-b01e-7230-2c2833fae201","preferred_username":"bob_sre","scope":"profile email","sid":"ZeWqB6MdoDgSbIVG8bLJ9dcS","sub":"a3e129a5-0f59-4ffb-845a-543472143032","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.132.0.38:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.71298e35-e099-4bd7-909b-805f2a06aaeb.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-16T20:27:53Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"5896cba5-46ac-4707-afcf-4aaa88da22be","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-16T20:27:53Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"5896cba5-46ac-4707-afcf-4aaa88da22be","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-16T20:27:53Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"5896cba5-46ac-4707-afcf-4aaa88da22be","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-16T20:27:53Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"5896cba5-46ac-4707-afcf-4aaa88da22be","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"groups_str","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"groups","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"userid","Value":{}},{"Name":"keyId","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_info","Value":{}}]},"Plain":null},"reason":"no such key: metadata"} {"level":"debug","ts":"2026-06-16T20:27:53Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"5896cba5-46ac-4707-afcf-4aaa88da22be","config":{"Name":"X-MaaS-Tenant-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Tenant","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"opendatahub"} {"level":"debug","ts":"2026-06-16T20:27:53Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"5896cba5-46ac-4707-afcf-4aaa88da22be","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"bob_sre"} {"level":"debug","ts":"2026-06-16T20:27:53Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"5896cba5-46ac-4707-afcf-4aaa88da22be","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Site-Reliability\"]"} {"level":"info","ts":"2026-06-16T20:27:53Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"5896cba5-46ac-4707-afcf-4aaa88da22be","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-16T20:27:53Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"5896cba5-46ac-4707-afcf-4aaa88da22be","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-16T20:27:53Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"76cbe56f-b38c-4655-9725-67bec4e34b55","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.14:55020","PortSpecifier":{"PortValue":55020}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.38:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"76cbe56f-b38c-4655-9725-67bec4e34b55","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.71298e35-e099-4bd7-909b-805f2a06aaeb.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-16T20:27:53Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"76cbe56f-b38c-4655-9725-67bec4e34b55","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.14:55020","PortSpecifier":{"PortValue":55020}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.38:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781641673,"nanos":971389739},"http":{"id":"76cbe56f-b38c-4655-9725-67bec4e34b55","method":"POST","headers":{":authority":"maas.apps.71298e35-e099-4bd7-909b-805f2a06aaeb.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-16T20:27:53Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"76cbe56f-b38c-4655-9725-67bec4e34b55","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781641973,"groups":["Engineering","Project-Alpha"],"iat":1781641673,"iss":"https://keycloak.apps.71298e35-e099-4bd7-909b-805f2a06aaeb.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:74ca9898-c72f-1ad0-b4f0-872534d54f46","preferred_username":"alice_lead","scope":"profile email","sid":"Lf-TId8B3_5NaNzruIGG9CBI","sub":"6f4dec1e-4c2b-4b53-a59e-1c915459c384","typ":"Bearer"}} {"level":"debug","ts":"2026-06-16T20:27:53Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"76cbe56f-b38c-4655-9725-67bec4e34b55","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781641973,"groups":["Engineering","Project-Alpha"],"iat":1781641673,"iss":"https://keycloak.apps.71298e35-e099-4bd7-909b-805f2a06aaeb.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:74ca9898-c72f-1ad0-b4f0-872534d54f46","preferred_username":"alice_lead","scope":"profile email","sid":"Lf-TId8B3_5NaNzruIGG9CBI","sub":"6f4dec1e-4c2b-4b53-a59e-1c915459c384","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.132.0.38:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.71298e35-e099-4bd7-909b-805f2a06aaeb.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-16T20:27:53Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"76cbe56f-b38c-4655-9725-67bec4e34b55","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-16T20:27:53Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"76cbe56f-b38c-4655-9725-67bec4e34b55","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-16T20:27:53Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"76cbe56f-b38c-4655-9725-67bec4e34b55","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-16T20:27:53Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"76cbe56f-b38c-4655-9725-67bec4e34b55","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"groups_str","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"groups","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"userid","Value":{}},{"Name":"keyId","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_info","Value":{}}]},"Plain":null},"reason":"no such key: metadata"} {"level":"debug","ts":"2026-06-16T20:27:53Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"76cbe56f-b38c-4655-9725-67bec4e34b55","config":{"Name":"X-MaaS-Tenant-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Tenant","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"opendatahub"} {"level":"debug","ts":"2026-06-16T20:27:53Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"76cbe56f-b38c-4655-9725-67bec4e34b55","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"} {"level":"debug","ts":"2026-06-16T20:27:53Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"76cbe56f-b38c-4655-9725-67bec4e34b55","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"} {"level":"info","ts":"2026-06-16T20:27:53Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"76cbe56f-b38c-4655-9725-67bec4e34b55","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-16T20:27:53Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"76cbe56f-b38c-4655-9725-67bec4e34b55","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-16T20:27:54Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"65c7d59f-1e53-4245-aab4-16e8630eaeab","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.14:55030","PortSpecifier":{"PortValue":55030}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.38:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"65c7d59f-1e53-4245-aab4-16e8630eaeab","method":"GET","path":"/maas-api/v1/models","host":"maas.apps.71298e35-e099-4bd7-909b-805f2a06aaeb.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-16T20:27:54Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"65c7d59f-1e53-4245-aab4-16e8630eaeab","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.14:55030","PortSpecifier":{"PortValue":55030}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.38:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781641674,"nanos":7209007},"http":{"id":"65c7d59f-1e53-4245-aab4-16e8630eaeab","method":"GET","headers":{":authority":"maas.apps.71298e35-e099-4bd7-909b-805f2a06aaeb.prod.konfluxeaas.com",":method":"GET",":path":"/maas-api/v1/models",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-16T20:27:54Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"65c7d59f-1e53-4245-aab4-16e8630eaeab","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-1aUh4j7vGP2TpJLqB_Mi19WNC7S17BwLz1Z9Kl5LtZJGDJwS65QWi9UeVPIB4"} {"level":"debug","ts":"2026-06-16T20:27:54Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"65c7d59f-1e53-4245-aab4-16e8630eaeab","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-1aUh4j7vGP2TpJLqB_Mi19WNC7S17BwLz1Z9Kl5LtZJGDJwS65QWi9UeVPIB4\"}"} {"level":"debug","ts":"2026-06-16T20:27:54Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"65c7d59f-1e53-4245-aab4-16e8630eaeab","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"UserInfo":null,"UMA":null,"GenericHTTP":{"Endpoint":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","DynamicEndpoint":null,"Method":"POST","Body":{},"Parameters":[],"Headers":[],"ContentType":"application/json","SharedSecret":"","OAuth2":null,"OAuth2TokenForceFetch":false,"AuthCredentials":null}},"object":{"groups":["system:authenticated","Engineering","Project-Alpha"],"keyId":"ea34baf9-2984-4268-9ccc-9b71a2ab492c","subscription":"simulator-subscription","tenant":"opendatahub","userId":"ea34baf9-2984-4268-9ccc-9b71a2ab492c","username":"alice_lead","valid":true}} {"level":"debug","ts":"2026-06-16T20:27:54Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"65c7d59f-1e53-4245-aab4-16e8630eaeab","input":{"auth":{"identity":"Bearer **** deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-16T20:27:54Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"65c7d59f-1e53-4245-aab4-16e8630eaeab","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-16T20:27:54Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"65c7d59f-1e53-4245-aab4-16e8630eaeab","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-16T20:27:54Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"65c7d59f-1e53-4245-aab4-16e8630eaeab","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-16T20:27:54Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"65c7d59f-1e53-4245-aab4-16e8630eaeab","config":{"Name":"X-MaaS-Tenant","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Tenant","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{"Static":null,"Pattern":"auth.metadata.apiKeyValidation.tenant"}}},"object":"opendatahub"} {"level":"debug","ts":"2026-06-16T20:27:54Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"65c7d59f-1e53-4245-aab4-16e8630eaeab","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"} {"level":"debug","ts":"2026-06-16T20:27:54Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"65c7d59f-1e53-4245-aab4-16e8630eaeab","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"groups_str","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"groups","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"userid","Value":{}},{"Name":"keyId","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_info","Value":{}}]},"Plain":null},"reason":"no such key: subscription-info"} {"level":"debug","ts":"2026-06-16T20:27:54Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"65c7d59f-1e53-4245-aab4-16e8630eaeab","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{"Static":null,"Pattern":"auth.metadata.apiKeyValidation.username"}}},"object":"alice_lead"} {"level":"debug","ts":"2026-06-16T20:27:54Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"65c7d59f-1e53-4245-aab4-16e8630eaeab","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{"Static":null,"Pattern":"auth.metadata.apiKeyValidation.groups.@tostr"}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"} {"level":"info","ts":"2026-06-16T20:27:54Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"65c7d59f-1e53-4245-aab4-16e8630eaeab","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-16T20:27:54Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"65c7d59f-1e53-4245-aab4-16e8630eaeab","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-16T20:27:54Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"2f00508b-aa83-4ea7-aca4-7cf7f3723823","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.41:33280","PortSpecifier":{"PortValue":33280}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.38:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"2f00508b-aa83-4ea7-aca4-7cf7f3723823","method":"GET","path":"/llm/facebook-opt-125m-simulated/v1/models","host":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local","scheme":"https"}}}} {"level":"debug","ts":"2026-06-16T20:27:54Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"2f00508b-aa83-4ea7-aca4-7cf7f3723823","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.41:33280","PortSpecifier":{"PortValue":33280}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.38:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781641674,"nanos":35503777},"http":{"id":"2f00508b-aa83-4ea7-aca4-7cf7f3723823","method":"GET","headers":{":authority":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local",":method":"GET",":path":"/llm/facebook-opt-125m-simulated/v1/models",":scheme":"https","accept-encoding":"gzip","authorization":"Bearer **** {"level":"debug","ts":"2026-06-16T20:27:54Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"2f00508b-aa83-4ea7-aca4-7cf7f3723823","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-1aUh4j7vGP2TpJLqB_Mi19WNC7S17BwLz1Z9Kl5LtZJGDJwS65QWi9UeVPIB4"} {"level":"debug","ts":"2026-06-16T20:27:54Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"2f00508b-aa83-4ea7-aca4-7cf7f3723823","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-1aUh4j7vGP2TpJLqB_Mi19WNC7S17BwLz1Z9Kl5LtZJGDJwS65QWi9UeVPIB4\"}"} {"level":"debug","ts":"2026-06-16T20:27:54Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"2f00508b-aa83-4ea7-aca4-7cf7f3723823","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"UserInfo":null,"UMA":null,"GenericHTTP":{"Endpoint":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","DynamicEndpoint":null,"Method":"POST","Body":{},"Parameters":[],"Headers":[],"ContentType":"application/json","SharedSecret":"","OAuth2":null,"OAuth2TokenForceFetch":false,"AuthCredentials":null}},"object":{"groups":["system:authenticated","Engineering","Project-Alpha"],"keyId":"ea34baf9-2984-4268-9ccc-9b71a2ab492c","subscription":"simulator-subscription","tenant":"opendatahub","userId":"ea34baf9-2984-4268-9ccc-9b71a2ab492c","username":"alice_lead","valid":true}} {"level":"debug","ts":"2026-06-16T20:27:54Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"2f00508b-aa83-4ea7-aca4-7cf7f3723823","config":"subscription-info","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","headers":{"Content-Type":["application/json"]},"body":"{\"groups\":[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"],\"requestedModel\":\"llm/facebook-opt-125m-simulated\",\"requestedSubscription\":\"simulator-subscription\",\"username\":\"alice_lead\"}"} {"level":"debug","ts":"2026-06-16T20:27:54Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"2f00508b-aa83-4ea7-aca4-7cf7f3723823","config":{"Name":"subscription-info","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"UserInfo":null,"UMA":null,"GenericHTTP":{"Endpoint":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","DynamicEndpoint":null,"Method":"POST","Body":{},"Parameters":[],"Headers":[],"ContentType":"application/json","SharedSecret":"","OAuth2":null,"OAuth2TokenForceFetch":false,"AuthCredentials":null}},"object":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}} {"level":"debug","ts":"2026-06-16T20:27:54Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"2f00508b-aa83-4ea7-aca4-7cf7f3723823","input":{"auth":{"identity":"Bearer **** subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}}},"context":{"context_extensions":{"host":"3dd75e19cd66d310c30638e330078972afd6d2d96305f91055bc6a6f363fb8d3"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.132.0.38:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local",":method":"GET",":path":"/llm/facebook-opt-125m-simulated/v1/models",":scheme":"https","accept-encoding":"gzip","authorization":"Bearer **** sk-oai-1aUh4j7vGP2TpJLqB_Mi19WNC7S17BwLz1Z9Kl5LtZJGDJwS65QWi9UeVPIB4","user-agent":"Go-http-client/1.1","x-envoy-decorator-operation":"facebook-opt-125m-simulated-kserve-workload-svc.llm.svc.cluster.local:8000/*","x-envoy-external-address":"10.134.0.41","x-envoy-peer-metadata":"ChoKCkNMVVNURVJfSUQSDBoKS3ViZXJuZXRlcwqLAQoGTEFCRUxTEoABKn4KSwofc2VydmljZS5pc3Rpby5pby9jYW5vbmljYWwtbmFtZRIoGiZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAovCiNzZXJ2aWNlLmlzdGlvLmlvL2Nhbm9uaWNhbC1yZXZpc2lvbhIIGgZsYXRlc3QKQAoETkFNRRI4GjZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdC02ODdmZjY5OTYtc2ZubHEKIAoJTkFNRVNQQUNFEhMaEW9wZW5zaGlmdC1pbmdyZXNzCnQKBU9XTkVSEmsaaWt1YmVybmV0ZXM6Ly9hcGlzL2FwcHMvdjEvbmFtZXNwYWNlcy9vcGVuc2hpZnQtaW5ncmVzcy9kZXBsb3ltZW50cy9tYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAo5Cg1XT1JLTE9BRF9OQU1FEigaJm1hYXMtZGVmYXVsdC1nYXRld2F5LW9wZW5zaGlmdC1kZWZhdWx0","x-envoy-peer-metadata-id":"router~10.132.0.38~maas-default-gateway-openshift-default-687ff6996-sfnlq.openshift-ingress~openshift-ingress.svc.cluster.local","x-forwarded-for":"10.134.0.41","x-forwarded-proto":"https","x-maas-subscription":"simulator-subscription","x-request-id":"2f00508b-aa83-4ea7-aca4-7cf7f3723823"},"host":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local","id":"2f00508b-aa83-4ea7-aca4-7cf7f3723823","method":"GET","path":"/llm/facebook-opt-125m-simulated/v1/models","protocol":"HTTP/1.1","scheme":"https","time":{"nanos":35503777,"seconds":1781641674},"url_path":"/llm/facebook-opt-125m-simulated/v1/models","user_agent":"Go-http-client/1.1"},"source":{"address":"10.134.0.41:33280","port":33280}}} {"level":"debug","ts":"2026-06-16T20:27:54Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"2f00508b-aa83-4ea7-aca4-7cf7f3723823","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-16T20:27:54Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"2f00508b-aa83-4ea7-aca4-7cf7f3723823","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-16T20:27:54Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"2f00508b-aa83-4ea7-aca4-7cf7f3723823","config":{"Name":"subscription-valid","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-16T20:27:54Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"2f00508b-aa83-4ea7-aca4-7cf7f3723823","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-16T20:27:54Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"2f00508b-aa83-4ea7-aca4-7cf7f3723823","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{"Static":null,"Pattern":"auth.metadata.apiKeyValidation.groups.@tostr"}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"} {"level":"debug","ts":"2026-06-16T20:27:54Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"2f00508b-aa83-4ea7-aca4-7cf7f3723823","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{"Static":null,"Pattern":"auth.metadata.apiKeyValidation.username"}}},"object":"alice_lead"} {"level":"debug","ts":"2026-06-16T20:27:54Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"2f00508b-aa83-4ea7-aca4-7cf7f3723823","config":{"Name":"X-MaaS-Tenant","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Tenant","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{"Static":null,"Pattern":"auth.metadata.apiKeyValidation.tenant"}}},"object":"opendatahub"} {"level":"debug","ts":"2026-06-16T20:27:54Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"2f00508b-aa83-4ea7-aca4-7cf7f3723823","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"} {"level":"debug","ts":"2026-06-16T20:27:54Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"2f00508b-aa83-4ea7-aca4-7cf7f3723823","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"groups","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"keyId","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"userid","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error","Value":{}}]},"Plain":null},"object":{"groups":["system:authenticated","Engineering","Project-Alpha"],"groups_str":"system:authenticated,Engineering,Project-Alpha","keyId":"ea34baf9-2984-4268-9ccc-9b71a2ab492c","selected_subscription":"simulator-subscription","selected_subscription_key":"models-as-a-service/simulator-subscription@llm/facebook-opt-125m-simulated","subscription_error":"","subscription_error_message":"","subscription_info":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true},"userid":"alice_lead"}} {"level":"info","ts":"2026-06-16T20:27:54Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"2f00508b-aa83-4ea7-aca4-7cf7f3723823","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-16T20:27:54Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"2f00508b-aa83-4ea7-aca4-7cf7f3723823","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-16T20:27:54Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"f1a9d946-83e5-43dd-bbe1-80e5d59c5b59","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.14:55032","PortSpecifier":{"PortValue":55032}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.38:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"f1a9d946-83e5-43dd-bbe1-80e5d59c5b59","method":"POST","path":"/llm/facebook-opt-125m-simulated/v1/chat/completions","host":"maas.apps.71298e35-e099-4bd7-909b-805f2a06aaeb.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-16T20:27:54Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"f1a9d946-83e5-43dd-bbe1-80e5d59c5b59","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.14:55032","PortSpecifier":{"PortValue":55032}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.38:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781641674,"nanos":74181335},"http":{"id":"f1a9d946-83e5-43dd-bbe1-80e5d59c5b59","method":"POST","headers":{":authority":"maas.apps.71298e35-e099-4bd7-909b-805f2a06aaeb.prod.konfluxeaas.com",":method":"POST",":path":"/llm/facebook-opt-125m-simulated/v1/chat/completions",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-16T20:27:54Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"f1a9d946-83e5-43dd-bbe1-80e5d59c5b59","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-1aUh4j7vGP2TpJLqB_Mi19WNC7S17BwLz1Z9Kl5LtZJGDJwS65QWi9UeVPIB4"} {"level":"debug","ts":"2026-06-16T20:27:54Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"f1a9d946-83e5-43dd-bbe1-80e5d59c5b59","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-1aUh4j7vGP2TpJLqB_Mi19WNC7S17BwLz1Z9Kl5LtZJGDJwS65QWi9UeVPIB4\"}"} {"level":"debug","ts":"2026-06-16T20:27:54Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"f1a9d946-83e5-43dd-bbe1-80e5d59c5b59","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"UserInfo":null,"UMA":null,"GenericHTTP":{"Endpoint":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","DynamicEndpoint":null,"Method":"POST","Body":{},"Parameters":[],"Headers":[],"ContentType":"application/json","SharedSecret":"","OAuth2":null,"OAuth2TokenForceFetch":false,"AuthCredentials":null}},"object":{"groups":["system:authenticated","Engineering","Project-Alpha"],"keyId":"ea34baf9-2984-4268-9ccc-9b71a2ab492c","subscription":"simulator-subscription","tenant":"opendatahub","userId":"ea34baf9-2984-4268-9ccc-9b71a2ab492c","username":"alice_lead","valid":true}} {"level":"debug","ts":"2026-06-16T20:27:54Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"f1a9d946-83e5-43dd-bbe1-80e5d59c5b59","config":"subscription-info","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","headers":{"Content-Type":["application/json"]},"body":"{\"groups\":[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"],\"requestedModel\":\"llm/facebook-opt-125m-simulated\",\"requestedSubscription\":\"simulator-subscription\",\"username\":\"alice_lead\"}"} {"level":"debug","ts":"2026-06-16T20:27:54Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"f1a9d946-83e5-43dd-bbe1-80e5d59c5b59","config":{"Name":"subscription-info","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"UserInfo":null,"UMA":null,"GenericHTTP":{"Endpoint":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","DynamicEndpoint":null,"Method":"POST","Body":{},"Parameters":[],"Headers":[],"ContentType":"application/json","SharedSecret":"","OAuth2":null,"OAuth2TokenForceFetch":false,"AuthCredentials":null}},"object":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}} {"level":"debug","ts":"2026-06-16T20:27:54Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"f1a9d946-83e5-43dd-bbe1-80e5d59c5b59","input":{"auth":{"identity":"Bearer **** subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}}},"context":{"context_extensions":{"host":"18e32965997cdd9967355c6fa5264ed12c0a215989d459ed88d7d6de02865f76"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.132.0.38:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.71298e35-e099-4bd7-909b-805f2a06aaeb.prod.konfluxeaas.com",":method":"POST",":path":"/llm/facebook-opt-125m-simulated/v1/chat/completions",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-16T20:27:54Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"f1a9d946-83e5-43dd-bbe1-80e5d59c5b59","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-16T20:27:54Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"f1a9d946-83e5-43dd-bbe1-80e5d59c5b59","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-16T20:27:54Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"f1a9d946-83e5-43dd-bbe1-80e5d59c5b59","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-16T20:27:54Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"f1a9d946-83e5-43dd-bbe1-80e5d59c5b59","config":{"Name":"subscription-valid","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-16T20:27:54Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"f1a9d946-83e5-43dd-bbe1-80e5d59c5b59","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{"Static":null,"Pattern":"auth.metadata.apiKeyValidation.groups.@tostr"}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"} {"level":"debug","ts":"2026-06-16T20:27:54Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"f1a9d946-83e5-43dd-bbe1-80e5d59c5b59","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{"Static":null,"Pattern":"auth.metadata.apiKeyValidation.username"}}},"object":"alice_lead"} {"level":"debug","ts":"2026-06-16T20:27:54Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"f1a9d946-83e5-43dd-bbe1-80e5d59c5b59","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"} {"level":"debug","ts":"2026-06-16T20:27:54Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"f1a9d946-83e5-43dd-bbe1-80e5d59c5b59","config":{"Name":"X-MaaS-Tenant","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Tenant","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{"Static":null,"Pattern":"auth.metadata.apiKeyValidation.tenant"}}},"object":"opendatahub"} {"level":"debug","ts":"2026-06-16T20:27:54Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"f1a9d946-83e5-43dd-bbe1-80e5d59c5b59","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"userid","Value":{}},{"Name":"groups","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"selected_subscription_key","Value":{}}]},"Plain":null},"object":{"groups":["system:authenticated","Engineering","Project-Alpha"],"groups_str":"system:authenticated,Engineering,Project-Alpha","keyId":"ea34baf9-2984-4268-9ccc-9b71a2ab492c","selected_subscription":"simulator-subscription","selected_subscription_key":"models-as-a-service/simulator-subscription@llm/facebook-opt-125m-simulated","subscription_error":"","subscription_error_message":"","subscription_info":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true},"userid":"alice_lead"}} {"level":"info","ts":"2026-06-16T20:27:54Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"f1a9d946-83e5-43dd-bbe1-80e5d59c5b59","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-16T20:27:54Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"f1a9d946-83e5-43dd-bbe1-80e5d59c5b59","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-16T20:27:54Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"dbd6f096-f4c2-4903-97d3-4189649f9305","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.14:55042","PortSpecifier":{"PortValue":55042}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.38:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"dbd6f096-f4c2-4903-97d3-4189649f9305","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.71298e35-e099-4bd7-909b-805f2a06aaeb.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-16T20:27:54Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"dbd6f096-f4c2-4903-97d3-4189649f9305","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.14:55042","PortSpecifier":{"PortValue":55042}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.38:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781641674,"nanos":233106997},"http":{"id":"dbd6f096-f4c2-4903-97d3-4189649f9305","method":"POST","headers":{":authority":"maas.apps.71298e35-e099-4bd7-909b-805f2a06aaeb.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-16T20:27:54Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"dbd6f096-f4c2-4903-97d3-4189649f9305","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781641974,"groups":["Engineering","Project-Alpha"],"iat":1781641674,"iss":"https://keycloak.apps.71298e35-e099-4bd7-909b-805f2a06aaeb.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:7f1fa360-4b1d-c847-a894-4f2743575d33","preferred_username":"alice_lead","scope":"profile email","sid":"Vz2u5JFFUHrX6lyoXzyq6t-T","sub":"6f4dec1e-4c2b-4b53-a59e-1c915459c384","typ":"Bearer"}} {"level":"debug","ts":"2026-06-16T20:27:54Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"dbd6f096-f4c2-4903-97d3-4189649f9305","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781641974,"groups":["Engineering","Project-Alpha"],"iat":1781641674,"iss":"https://keycloak.apps.71298e35-e099-4bd7-909b-805f2a06aaeb.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:7f1fa360-4b1d-c847-a894-4f2743575d33","preferred_username":"alice_lead","scope":"profile email","sid":"Vz2u5JFFUHrX6lyoXzyq6t-T","sub":"6f4dec1e-4c2b-4b53-a59e-1c915459c384","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.132.0.38:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.71298e35-e099-4bd7-909b-805f2a06aaeb.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-16T20:27:54Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"dbd6f096-f4c2-4903-97d3-4189649f9305","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-16T20:27:54Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"dbd6f096-f4c2-4903-97d3-4189649f9305","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-16T20:27:54Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"dbd6f096-f4c2-4903-97d3-4189649f9305","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-16T20:27:54Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"dbd6f096-f4c2-4903-97d3-4189649f9305","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"groups_str","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"groups","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"userid","Value":{}},{"Name":"keyId","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_info","Value":{}}]},"Plain":null},"reason":"no such key: metadata"} {"level":"debug","ts":"2026-06-16T20:27:54Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"dbd6f096-f4c2-4903-97d3-4189649f9305","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"} {"level":"debug","ts":"2026-06-16T20:27:54Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"dbd6f096-f4c2-4903-97d3-4189649f9305","config":{"Name":"X-MaaS-Tenant-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Tenant","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"opendatahub"} {"level":"debug","ts":"2026-06-16T20:27:54Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"dbd6f096-f4c2-4903-97d3-4189649f9305","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"} {"level":"info","ts":"2026-06-16T20:27:54Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"dbd6f096-f4c2-4903-97d3-4189649f9305","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-16T20:27:54Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"dbd6f096-f4c2-4903-97d3-4189649f9305","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-16T20:27:54Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"72b0f5e9-9172-4222-a945-c77952a82b31","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.14:55052","PortSpecifier":{"PortValue":55052}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.38:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"72b0f5e9-9172-4222-a945-c77952a82b31","method":"DELETE","path":"/maas-api/v1/api-keys/cabc1434-4028-445c-ba3b-230124cc7b19","host":"maas.apps.71298e35-e099-4bd7-909b-805f2a06aaeb.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-16T20:27:54Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"72b0f5e9-9172-4222-a945-c77952a82b31","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.14:55052","PortSpecifier":{"PortValue":55052}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.38:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781641674,"nanos":262199969},"http":{"id":"72b0f5e9-9172-4222-a945-c77952a82b31","method":"DELETE","headers":{":authority":"maas.apps.71298e35-e099-4bd7-909b-805f2a06aaeb.prod.konfluxeaas.com",":method":"DELETE",":path":"/maas-api/v1/api-keys/cabc1434-4028-445c-ba3b-230124cc7b19",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-16T20:27:54Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"72b0f5e9-9172-4222-a945-c77952a82b31","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781641974,"groups":["Engineering","Project-Alpha"],"iat":1781641674,"iss":"https://keycloak.apps.71298e35-e099-4bd7-909b-805f2a06aaeb.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:7f1fa360-4b1d-c847-a894-4f2743575d33","preferred_username":"alice_lead","scope":"profile email","sid":"Vz2u5JFFUHrX6lyoXzyq6t-T","sub":"6f4dec1e-4c2b-4b53-a59e-1c915459c384","typ":"Bearer"}} {"level":"debug","ts":"2026-06-16T20:27:54Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"72b0f5e9-9172-4222-a945-c77952a82b31","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781641974,"groups":["Engineering","Project-Alpha"],"iat":1781641674,"iss":"https://keycloak.apps.71298e35-e099-4bd7-909b-805f2a06aaeb.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:7f1fa360-4b1d-c847-a894-4f2743575d33","preferred_username":"alice_lead","scope":"profile email","sid":"Vz2u5JFFUHrX6lyoXzyq6t-T","sub":"6f4dec1e-4c2b-4b53-a59e-1c915459c384","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.132.0.38:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.71298e35-e099-4bd7-909b-805f2a06aaeb.prod.konfluxeaas.com",":method":"DELETE",":path":"/maas-api/v1/api-keys/cabc1434-4028-445c-ba3b-230124cc7b19",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-16T20:27:54Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"72b0f5e9-9172-4222-a945-c77952a82b31","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-16T20:27:54Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"72b0f5e9-9172-4222-a945-c77952a82b31","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-16T20:27:54Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"72b0f5e9-9172-4222-a945-c77952a82b31","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-16T20:27:54Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"72b0f5e9-9172-4222-a945-c77952a82b31","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"groups_str","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"groups","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"userid","Value":{}},{"Name":"keyId","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_info","Value":{}}]},"Plain":null},"reason":"no such key: metadata"} {"level":"debug","ts":"2026-06-16T20:27:54Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"72b0f5e9-9172-4222-a945-c77952a82b31","config":{"Name":"X-MaaS-Tenant-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Tenant","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"opendatahub"} {"level":"debug","ts":"2026-06-16T20:27:54Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"72b0f5e9-9172-4222-a945-c77952a82b31","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"} {"level":"debug","ts":"2026-06-16T20:27:54Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"72b0f5e9-9172-4222-a945-c77952a82b31","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"} {"level":"info","ts":"2026-06-16T20:27:54Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"72b0f5e9-9172-4222-a945-c77952a82b31","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-16T20:27:54Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"72b0f5e9-9172-4222-a945-c77952a82b31","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-16T20:27:57Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"75302656-3f85-4f9b-ac07-a87c4d5627d3","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.14:55068","PortSpecifier":{"PortValue":55068}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.38:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"75302656-3f85-4f9b-ac07-a87c4d5627d3","method":"GET","path":"/maas-api/v1/models","host":"maas.apps.71298e35-e099-4bd7-909b-805f2a06aaeb.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-16T20:27:57Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"75302656-3f85-4f9b-ac07-a87c4d5627d3","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.14:55068","PortSpecifier":{"PortValue":55068}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.38:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781641677,"nanos":299326264},"http":{"id":"75302656-3f85-4f9b-ac07-a87c4d5627d3","method":"GET","headers":{":authority":"maas.apps.71298e35-e099-4bd7-909b-805f2a06aaeb.prod.konfluxeaas.com",":method":"GET",":path":"/maas-api/v1/models",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-16T20:27:57Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"75302656-3f85-4f9b-ac07-a87c4d5627d3","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-XjInJRDrvELOjZF5_OShynZk8Si4o058DUoeDCfC2X6j85zGZTZjfKXfOmlw"} {"level":"debug","ts":"2026-06-16T20:27:57Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"75302656-3f85-4f9b-ac07-a87c4d5627d3","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-XjInJRDrvELOjZF5_OShynZk8Si4o058DUoeDCfC2X6j85zGZTZjfKXfOmlw\"}"} {"level":"debug","ts":"2026-06-16T20:27:57Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"75302656-3f85-4f9b-ac07-a87c4d5627d3","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"UserInfo":null,"UMA":null,"GenericHTTP":{"Endpoint":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","DynamicEndpoint":null,"Method":"POST","Body":{},"Parameters":[],"Headers":[],"ContentType":"application/json","SharedSecret":"","OAuth2":null,"OAuth2TokenForceFetch":false,"AuthCredentials":null}},"object":{"reason":"key revoked or expired","valid":false}} {"level":"debug","ts":"2026-06-16T20:27:57Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"75302656-3f85-4f9b-ac07-a87c4d5627d3","input":{"auth":{"identity":"Bearer **** revoked or expired","valid":false}}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.132.0.38:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.71298e35-e099-4bd7-909b-805f2a06aaeb.prod.konfluxeaas.com",":method":"GET",":path":"/maas-api/v1/models",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-16T20:27:57Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"75302656-3f85-4f9b-ac07-a87c4d5627d3","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-16T20:27:57Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access denied","request id":"75302656-3f85-4f9b-ac07-a87c4d5627d3","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"reason":"Unauthorized"} {"level":"info","ts":"2026-06-16T20:27:57Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"75302656-3f85-4f9b-ac07-a87c4d5627d3","authorized":false,"response":"PERMISSION_DENIED","object":{"code":7,"status":403,"message":"Unauthorized"}} {"level":"debug","ts":"2026-06-16T20:27:57Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"75302656-3f85-4f9b-ac07-a87c4d5627d3","authorized":false,"response":"PERMISSION_DENIED","object":{"code":7,"status":403,"message":"Unauthorized","headers":[{"x-ext-auth-reason":""},{"content-type":"text/plain"}]}} {"level":"info","ts":"2026-06-16T20:27:57Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"cc6245ee-a2a5-4107-84d3-4ef4e88fd03a","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.14:55076","PortSpecifier":{"PortValue":55076}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.38:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"cc6245ee-a2a5-4107-84d3-4ef4e88fd03a","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.71298e35-e099-4bd7-909b-805f2a06aaeb.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-16T20:27:57Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"cc6245ee-a2a5-4107-84d3-4ef4e88fd03a","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.14:55076","PortSpecifier":{"PortValue":55076}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.38:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781641677,"nanos":479709976},"http":{"id":"cc6245ee-a2a5-4107-84d3-4ef4e88fd03a","method":"POST","headers":{":authority":"maas.apps.71298e35-e099-4bd7-909b-805f2a06aaeb.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-16T20:27:57Z","logger":"authorino.service.auth.authpipeline.identity","msg":"cannot validate identity","request id":"cc6245ee-a2a5-4107-84d3-4ef4e88fd03a","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"reason":"failed to verify signature: failed to verify id token signature"} {"level":"debug","ts":"2026-06-16T20:27:57Z","logger":"authorino.service.auth.authpipeline.identity.kubernetesauth","msg":"calling kubernetes token review api","request id":"cc6245ee-a2a5-4107-84d3-4ef4e88fd03a","tokenreview":{"name":""}} {"level":"debug","ts":"2026-06-16T20:27:57Z","logger":"authorino.service.auth.authpipeline.identity","msg":"cannot validate identity","request id":"cc6245ee-a2a5-4107-84d3-4ef4e88fd03a","config":{"Name":"openshift-identities","Priority":2,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":null,"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"Plain":null,"Noop":null,"ExtendedProperties":[]},"reason":"not authenticated"} {"level":"info","ts":"2026-06-16T20:27:57Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"cc6245ee-a2a5-4107-84d3-4ef4e88fd03a","authorized":false,"response":"UNAUTHENTICATED","object":{"code":16,"status":401,"message":"Authentication required"}} {"level":"debug","ts":"2026-06-16T20:27:57Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"cc6245ee-a2a5-4107-84d3-4ef4e88fd03a","authorized":false,"response":"UNAUTHENTICATED","object":{"code":16,"status":401,"message":"Authentication required","headers":[{"WWW-Authenticate":"request.headers.authorization realm=\"api-keys\""},{"WWW-Authenticate":"Bearer **** realm=\"openshift-identities\""}]}} {"level":"info","ts":"2026-06-16T20:27:57Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"ecffba9c-ea13-4c3e-a589-82acbef80038","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.14:55086","PortSpecifier":{"PortValue":55086}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.38:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"ecffba9c-ea13-4c3e-a589-82acbef80038","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.71298e35-e099-4bd7-909b-805f2a06aaeb.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-16T20:27:57Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"ecffba9c-ea13-4c3e-a589-82acbef80038","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.14:55086","PortSpecifier":{"PortValue":55086}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.38:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781641677,"nanos":763795114},"http":{"id":"ecffba9c-ea13-4c3e-a589-82acbef80038","method":"POST","headers":{":authority":"maas.apps.71298e35-e099-4bd7-909b-805f2a06aaeb.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-16T20:27:57Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"ecffba9c-ea13-4c3e-a589-82acbef80038","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781641977,"groups":["Engineering","Project-Alpha"],"iat":1781641677,"iss":"https://keycloak.apps.71298e35-e099-4bd7-909b-805f2a06aaeb.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:839024cf-9523-0a2b-5264-72d80c53bf0c","preferred_username":"alice_lead","scope":"profile email","sid":"gsNkPrnc46ph3sU6G86cZTE5","sub":"6f4dec1e-4c2b-4b53-a59e-1c915459c384","typ":"Bearer"}} {"level":"debug","ts":"2026-06-16T20:27:57Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"ecffba9c-ea13-4c3e-a589-82acbef80038","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781641977,"groups":["Engineering","Project-Alpha"],"iat":1781641677,"iss":"https://keycloak.apps.71298e35-e099-4bd7-909b-805f2a06aaeb.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:839024cf-9523-0a2b-5264-72d80c53bf0c","preferred_username":"alice_lead","scope":"profile email","sid":"gsNkPrnc46ph3sU6G86cZTE5","sub":"6f4dec1e-4c2b-4b53-a59e-1c915459c384","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.132.0.38:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.71298e35-e099-4bd7-909b-805f2a06aaeb.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-16T20:27:57Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"ecffba9c-ea13-4c3e-a589-82acbef80038","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-16T20:27:57Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"ecffba9c-ea13-4c3e-a589-82acbef80038","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-16T20:27:57Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"ecffba9c-ea13-4c3e-a589-82acbef80038","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-16T20:27:57Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"ecffba9c-ea13-4c3e-a589-82acbef80038","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"groups_str","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"groups","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"userid","Value":{}},{"Name":"keyId","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_info","Value":{}}]},"Plain":null},"reason":"no such key: metadata"} {"level":"debug","ts":"2026-06-16T20:27:57Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"ecffba9c-ea13-4c3e-a589-82acbef80038","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"} {"level":"debug","ts":"2026-06-16T20:27:57Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"ecffba9c-ea13-4c3e-a589-82acbef80038","config":{"Name":"X-MaaS-Tenant-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Tenant","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"opendatahub"} {"level":"debug","ts":"2026-06-16T20:27:57Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"ecffba9c-ea13-4c3e-a589-82acbef80038","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"} {"level":"info","ts":"2026-06-16T20:27:57Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"ecffba9c-ea13-4c3e-a589-82acbef80038","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-16T20:27:57Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"ecffba9c-ea13-4c3e-a589-82acbef80038","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-16T20:27:57Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"c676e51a-3e7d-4e18-b62a-ed852fa7ede0","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.14:55098","PortSpecifier":{"PortValue":55098}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.38:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"c676e51a-3e7d-4e18-b62a-ed852fa7ede0","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.71298e35-e099-4bd7-909b-805f2a06aaeb.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-16T20:27:57Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"c676e51a-3e7d-4e18-b62a-ed852fa7ede0","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.14:55098","PortSpecifier":{"PortValue":55098}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.38:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781641677,"nanos":795789520},"http":{"id":"c676e51a-3e7d-4e18-b62a-ed852fa7ede0","method":"POST","headers":{":authority":"maas.apps.71298e35-e099-4bd7-909b-805f2a06aaeb.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-16T20:27:57Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"c676e51a-3e7d-4e18-b62a-ed852fa7ede0","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781641977,"groups":["Site-Reliability"],"iat":1781641677,"iss":"https://keycloak.apps.71298e35-e099-4bd7-909b-805f2a06aaeb.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:74821733-d0aa-1642-f061-c0e2de48d7bf","preferred_username":"bob_sre","scope":"profile email","sid":"Qk00rNy4xNwt31jMqU0fzW8Y","sub":"a3e129a5-0f59-4ffb-845a-543472143032","typ":"Bearer"}} {"level":"debug","ts":"2026-06-16T20:27:57Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"c676e51a-3e7d-4e18-b62a-ed852fa7ede0","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781641977,"groups":["Site-Reliability"],"iat":1781641677,"iss":"https://keycloak.apps.71298e35-e099-4bd7-909b-805f2a06aaeb.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:74821733-d0aa-1642-f061-c0e2de48d7bf","preferred_username":"bob_sre","scope":"profile email","sid":"Qk00rNy4xNwt31jMqU0fzW8Y","sub":"a3e129a5-0f59-4ffb-845a-543472143032","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.132.0.38:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.71298e35-e099-4bd7-909b-805f2a06aaeb.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-16T20:27:57Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"c676e51a-3e7d-4e18-b62a-ed852fa7ede0","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-16T20:27:57Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"c676e51a-3e7d-4e18-b62a-ed852fa7ede0","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-16T20:27:57Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"c676e51a-3e7d-4e18-b62a-ed852fa7ede0","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-16T20:27:57Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"c676e51a-3e7d-4e18-b62a-ed852fa7ede0","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"groups_str","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"groups","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"userid","Value":{}},{"Name":"keyId","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_info","Value":{}}]},"Plain":null},"reason":"no such key: metadata"} {"level":"debug","ts":"2026-06-16T20:27:57Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"c676e51a-3e7d-4e18-b62a-ed852fa7ede0","config":{"Name":"X-MaaS-Tenant-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Tenant","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"opendatahub"} {"level":"debug","ts":"2026-06-16T20:27:57Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"c676e51a-3e7d-4e18-b62a-ed852fa7ede0","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"bob_sre"} {"level":"debug","ts":"2026-06-16T20:27:57Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"c676e51a-3e7d-4e18-b62a-ed852fa7ede0","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Site-Reliability\"]"} {"level":"info","ts":"2026-06-16T20:27:57Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"c676e51a-3e7d-4e18-b62a-ed852fa7ede0","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-16T20:27:57Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"c676e51a-3e7d-4e18-b62a-ed852fa7ede0","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-16T20:27:57Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"81134820-78af-4230-8871-3e620aa85138","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.14:55108","PortSpecifier":{"PortValue":55108}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.38:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"81134820-78af-4230-8871-3e620aa85138","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.71298e35-e099-4bd7-909b-805f2a06aaeb.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-16T20:27:57Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"81134820-78af-4230-8871-3e620aa85138","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.14:55108","PortSpecifier":{"PortValue":55108}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.38:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781641677,"nanos":951799372},"http":{"id":"81134820-78af-4230-8871-3e620aa85138","method":"POST","headers":{":authority":"maas.apps.71298e35-e099-4bd7-909b-805f2a06aaeb.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-16T20:27:57Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"81134820-78af-4230-8871-3e620aa85138","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781641977,"groups":["Engineering","Project-Alpha"],"iat":1781641677,"iss":"https://keycloak.apps.71298e35-e099-4bd7-909b-805f2a06aaeb.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:34e710df-22ba-e120-d71a-8cd38bf30228","preferred_username":"alice_lead","scope":"profile email","sid":"MlkRunF41O9GApdKnMqsSEmc","sub":"6f4dec1e-4c2b-4b53-a59e-1c915459c384","typ":"Bearer"}} {"level":"debug","ts":"2026-06-16T20:27:57Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"81134820-78af-4230-8871-3e620aa85138","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781641977,"groups":["Engineering","Project-Alpha"],"iat":1781641677,"iss":"https://keycloak.apps.71298e35-e099-4bd7-909b-805f2a06aaeb.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:34e710df-22ba-e120-d71a-8cd38bf30228","preferred_username":"alice_lead","scope":"profile email","sid":"MlkRunF41O9GApdKnMqsSEmc","sub":"6f4dec1e-4c2b-4b53-a59e-1c915459c384","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.132.0.38:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.71298e35-e099-4bd7-909b-805f2a06aaeb.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-16T20:27:57Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"81134820-78af-4230-8871-3e620aa85138","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-16T20:27:57Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"81134820-78af-4230-8871-3e620aa85138","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-16T20:27:57Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"81134820-78af-4230-8871-3e620aa85138","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-16T20:27:57Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"81134820-78af-4230-8871-3e620aa85138","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"groups_str","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"groups","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"userid","Value":{}},{"Name":"keyId","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_info","Value":{}}]},"Plain":null},"reason":"no such key: metadata"} {"level":"debug","ts":"2026-06-16T20:27:57Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"81134820-78af-4230-8871-3e620aa85138","config":{"Name":"X-MaaS-Tenant-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Tenant","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"opendatahub"} {"level":"debug","ts":"2026-06-16T20:27:57Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"81134820-78af-4230-8871-3e620aa85138","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"} {"level":"debug","ts":"2026-06-16T20:27:57Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"81134820-78af-4230-8871-3e620aa85138","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"} {"level":"info","ts":"2026-06-16T20:27:57Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"81134820-78af-4230-8871-3e620aa85138","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-16T20:27:57Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"81134820-78af-4230-8871-3e620aa85138","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-16T20:27:57Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"f5dde7bb-3498-40bc-b0e1-91fd7f5d8beb","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.14:55114","PortSpecifier":{"PortValue":55114}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.38:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"f5dde7bb-3498-40bc-b0e1-91fd7f5d8beb","method":"DELETE","path":"/maas-api/v1/api-keys/216422b5-ad66-4365-a531-38b057e2597d","host":"maas.apps.71298e35-e099-4bd7-909b-805f2a06aaeb.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-16T20:27:57Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"f5dde7bb-3498-40bc-b0e1-91fd7f5d8beb","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.14:55114","PortSpecifier":{"PortValue":55114}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.38:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781641677,"nanos":980777169},"http":{"id":"f5dde7bb-3498-40bc-b0e1-91fd7f5d8beb","method":"DELETE","headers":{":authority":"maas.apps.71298e35-e099-4bd7-909b-805f2a06aaeb.prod.konfluxeaas.com",":method":"DELETE",":path":"/maas-api/v1/api-keys/216422b5-ad66-4365-a531-38b057e2597d",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-16T20:27:57Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"f5dde7bb-3498-40bc-b0e1-91fd7f5d8beb","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781641977,"groups":["Engineering","Project-Alpha"],"iat":1781641677,"iss":"https://keycloak.apps.71298e35-e099-4bd7-909b-805f2a06aaeb.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:34e710df-22ba-e120-d71a-8cd38bf30228","preferred_username":"alice_lead","scope":"profile email","sid":"MlkRunF41O9GApdKnMqsSEmc","sub":"6f4dec1e-4c2b-4b53-a59e-1c915459c384","typ":"Bearer"}} {"level":"debug","ts":"2026-06-16T20:27:57Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"f5dde7bb-3498-40bc-b0e1-91fd7f5d8beb","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781641977,"groups":["Engineering","Project-Alpha"],"iat":1781641677,"iss":"https://keycloak.apps.71298e35-e099-4bd7-909b-805f2a06aaeb.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:34e710df-22ba-e120-d71a-8cd38bf30228","preferred_username":"alice_lead","scope":"profile email","sid":"MlkRunF41O9GApdKnMqsSEmc","sub":"6f4dec1e-4c2b-4b53-a59e-1c915459c384","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.132.0.38:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.71298e35-e099-4bd7-909b-805f2a06aaeb.prod.konfluxeaas.com",":method":"DELETE",":path":"/maas-api/v1/api-keys/216422b5-ad66-4365-a531-38b057e2597d",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-16T20:27:57Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"f5dde7bb-3498-40bc-b0e1-91fd7f5d8beb","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-16T20:27:57Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"f5dde7bb-3498-40bc-b0e1-91fd7f5d8beb","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-16T20:27:57Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"f5dde7bb-3498-40bc-b0e1-91fd7f5d8beb","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-16T20:27:57Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"f5dde7bb-3498-40bc-b0e1-91fd7f5d8beb","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"groups_str","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"groups","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"userid","Value":{}},{"Name":"keyId","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_info","Value":{}}]},"Plain":null},"reason":"no such key: metadata"} {"level":"debug","ts":"2026-06-16T20:27:57Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"f5dde7bb-3498-40bc-b0e1-91fd7f5d8beb","config":{"Name":"X-MaaS-Tenant-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Tenant","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"opendatahub"} {"level":"debug","ts":"2026-06-16T20:27:57Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"f5dde7bb-3498-40bc-b0e1-91fd7f5d8beb","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"} {"level":"debug","ts":"2026-06-16T20:27:57Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"f5dde7bb-3498-40bc-b0e1-91fd7f5d8beb","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"} {"level":"info","ts":"2026-06-16T20:27:57Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"f5dde7bb-3498-40bc-b0e1-91fd7f5d8beb","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-16T20:27:57Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"f5dde7bb-3498-40bc-b0e1-91fd7f5d8beb","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-16T20:27:58Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"1957e149-2d76-42e2-b24a-34ea8950c4bd","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.14:55120","PortSpecifier":{"PortValue":55120}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.38:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"1957e149-2d76-42e2-b24a-34ea8950c4bd","method":"DELETE","path":"/maas-api/v1/api-keys/216422b5-ad66-4365-a531-38b057e2597d","host":"maas.apps.71298e35-e099-4bd7-909b-805f2a06aaeb.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-16T20:27:58Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"1957e149-2d76-42e2-b24a-34ea8950c4bd","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.14:55120","PortSpecifier":{"PortValue":55120}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.38:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781641678,"nanos":8880129},"http":{"id":"1957e149-2d76-42e2-b24a-34ea8950c4bd","method":"DELETE","headers":{":authority":"maas.apps.71298e35-e099-4bd7-909b-805f2a06aaeb.prod.konfluxeaas.com",":method":"DELETE",":path":"/maas-api/v1/api-keys/216422b5-ad66-4365-a531-38b057e2597d",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-16T20:27:58Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"1957e149-2d76-42e2-b24a-34ea8950c4bd","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781641977,"groups":["Engineering","Project-Alpha"],"iat":1781641677,"iss":"https://keycloak.apps.71298e35-e099-4bd7-909b-805f2a06aaeb.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:34e710df-22ba-e120-d71a-8cd38bf30228","preferred_username":"alice_lead","scope":"profile email","sid":"MlkRunF41O9GApdKnMqsSEmc","sub":"6f4dec1e-4c2b-4b53-a59e-1c915459c384","typ":"Bearer"}} {"level":"debug","ts":"2026-06-16T20:27:58Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"1957e149-2d76-42e2-b24a-34ea8950c4bd","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781641977,"groups":["Engineering","Project-Alpha"],"iat":1781641677,"iss":"https://keycloak.apps.71298e35-e099-4bd7-909b-805f2a06aaeb.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:34e710df-22ba-e120-d71a-8cd38bf30228","preferred_username":"alice_lead","scope":"profile email","sid":"MlkRunF41O9GApdKnMqsSEmc","sub":"6f4dec1e-4c2b-4b53-a59e-1c915459c384","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.132.0.38:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.71298e35-e099-4bd7-909b-805f2a06aaeb.prod.konfluxeaas.com",":method":"DELETE",":path":"/maas-api/v1/api-keys/216422b5-ad66-4365-a531-38b057e2597d",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-16T20:27:58Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"1957e149-2d76-42e2-b24a-34ea8950c4bd","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-16T20:27:58Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"1957e149-2d76-42e2-b24a-34ea8950c4bd","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-16T20:27:58Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"1957e149-2d76-42e2-b24a-34ea8950c4bd","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-16T20:27:58Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"1957e149-2d76-42e2-b24a-34ea8950c4bd","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"groups_str","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"groups","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"userid","Value":{}},{"Name":"keyId","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_info","Value":{}}]},"Plain":null},"reason":"no such key: metadata"} {"level":"debug","ts":"2026-06-16T20:27:58Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"1957e149-2d76-42e2-b24a-34ea8950c4bd","config":{"Name":"X-MaaS-Tenant-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Tenant","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"opendatahub"} {"level":"debug","ts":"2026-06-16T20:27:58Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"1957e149-2d76-42e2-b24a-34ea8950c4bd","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"} {"level":"debug","ts":"2026-06-16T20:27:58Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"1957e149-2d76-42e2-b24a-34ea8950c4bd","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"} {"level":"info","ts":"2026-06-16T20:27:58Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"1957e149-2d76-42e2-b24a-34ea8950c4bd","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-16T20:27:58Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"1957e149-2d76-42e2-b24a-34ea8950c4bd","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-16T20:27:58Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"995d848b-d2bd-4ed9-9995-8dc3ea016a70","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.14:55124","PortSpecifier":{"PortValue":55124}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.38:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"995d848b-d2bd-4ed9-9995-8dc3ea016a70","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.71298e35-e099-4bd7-909b-805f2a06aaeb.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-16T20:27:58Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"995d848b-d2bd-4ed9-9995-8dc3ea016a70","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.14:55124","PortSpecifier":{"PortValue":55124}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.38:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781641678,"nanos":166444503},"http":{"id":"995d848b-d2bd-4ed9-9995-8dc3ea016a70","method":"POST","headers":{":authority":"maas.apps.71298e35-e099-4bd7-909b-805f2a06aaeb.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-16T20:27:58Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"995d848b-d2bd-4ed9-9995-8dc3ea016a70","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781641978,"groups":["Engineering","Project-Alpha"],"iat":1781641678,"iss":"https://keycloak.apps.71298e35-e099-4bd7-909b-805f2a06aaeb.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:041a61cd-8c59-3c47-e3d6-26a6e356d587","preferred_username":"alice_lead","scope":"profile email","sid":"Ear-11uXuGwBxSBxmKfXlSBG","sub":"6f4dec1e-4c2b-4b53-a59e-1c915459c384","typ":"Bearer"}} {"level":"debug","ts":"2026-06-16T20:27:58Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"995d848b-d2bd-4ed9-9995-8dc3ea016a70","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781641978,"groups":["Engineering","Project-Alpha"],"iat":1781641678,"iss":"https://keycloak.apps.71298e35-e099-4bd7-909b-805f2a06aaeb.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:041a61cd-8c59-3c47-e3d6-26a6e356d587","preferred_username":"alice_lead","scope":"profile email","sid":"Ear-11uXuGwBxSBxmKfXlSBG","sub":"6f4dec1e-4c2b-4b53-a59e-1c915459c384","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.132.0.38:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.71298e35-e099-4bd7-909b-805f2a06aaeb.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-16T20:27:58Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"995d848b-d2bd-4ed9-9995-8dc3ea016a70","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-16T20:27:58Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"995d848b-d2bd-4ed9-9995-8dc3ea016a70","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-16T20:27:58Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"995d848b-d2bd-4ed9-9995-8dc3ea016a70","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-16T20:27:58Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"995d848b-d2bd-4ed9-9995-8dc3ea016a70","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"groups_str","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"groups","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"userid","Value":{}},{"Name":"keyId","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_info","Value":{}}]},"Plain":null},"reason":"no such key: metadata"} {"level":"debug","ts":"2026-06-16T20:27:58Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"995d848b-d2bd-4ed9-9995-8dc3ea016a70","config":{"Name":"X-MaaS-Tenant-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Tenant","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"opendatahub"} {"level":"debug","ts":"2026-06-16T20:27:58Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"995d848b-d2bd-4ed9-9995-8dc3ea016a70","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"} {"level":"debug","ts":"2026-06-16T20:27:58Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"995d848b-d2bd-4ed9-9995-8dc3ea016a70","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"} {"level":"info","ts":"2026-06-16T20:27:58Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"995d848b-d2bd-4ed9-9995-8dc3ea016a70","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-16T20:27:58Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"995d848b-d2bd-4ed9-9995-8dc3ea016a70","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-16T20:27:58Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"ec630c6e-ae12-4b18-abbd-19c386a71e5b","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.14:55136","PortSpecifier":{"PortValue":55136}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.38:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"ec630c6e-ae12-4b18-abbd-19c386a71e5b","method":"GET","path":"/maas-api/v1/models","host":"maas.apps.71298e35-e099-4bd7-909b-805f2a06aaeb.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-16T20:27:58Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"ec630c6e-ae12-4b18-abbd-19c386a71e5b","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.14:55136","PortSpecifier":{"PortValue":55136}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.38:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781641678,"nanos":198869953},"http":{"id":"ec630c6e-ae12-4b18-abbd-19c386a71e5b","method":"GET","headers":{":authority":"maas.apps.71298e35-e099-4bd7-909b-805f2a06aaeb.prod.konfluxeaas.com",":method":"GET",":path":"/maas-api/v1/models",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-16T20:27:58Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"ec630c6e-ae12-4b18-abbd-19c386a71e5b","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-EGMOTsXaJexLEhwH_Ql5DCarrt0KskLh10FhOv94TKaqtO7TlPMXACwvmSco"} {"level":"debug","ts":"2026-06-16T20:27:58Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"ec630c6e-ae12-4b18-abbd-19c386a71e5b","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-EGMOTsXaJexLEhwH_Ql5DCarrt0KskLh10FhOv94TKaqtO7TlPMXACwvmSco\"}"} {"level":"debug","ts":"2026-06-16T20:27:58Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"ec630c6e-ae12-4b18-abbd-19c386a71e5b","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"UserInfo":null,"UMA":null,"GenericHTTP":{"Endpoint":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","DynamicEndpoint":null,"Method":"POST","Body":{},"Parameters":[],"Headers":[],"ContentType":"application/json","SharedSecret":"","OAuth2":null,"OAuth2TokenForceFetch":false,"AuthCredentials":null}},"object":{"groups":["system:authenticated","Engineering","Project-Alpha"],"keyId":"63c7575f-4784-4d52-a108-7846c6e9efd4","subscription":"simulator-subscription","tenant":"opendatahub","userId":"63c7575f-4784-4d52-a108-7846c6e9efd4","username":"alice_lead","valid":true}} {"level":"debug","ts":"2026-06-16T20:27:58Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"ec630c6e-ae12-4b18-abbd-19c386a71e5b","input":{"auth":{"identity":"Bearer **** deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-16T20:27:58Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"ec630c6e-ae12-4b18-abbd-19c386a71e5b","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-16T20:27:58Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"ec630c6e-ae12-4b18-abbd-19c386a71e5b","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-16T20:27:58Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"ec630c6e-ae12-4b18-abbd-19c386a71e5b","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-16T20:27:58Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"ec630c6e-ae12-4b18-abbd-19c386a71e5b","config":{"Name":"X-MaaS-Tenant","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Tenant","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{"Static":null,"Pattern":"auth.metadata.apiKeyValidation.tenant"}}},"object":"opendatahub"} {"level":"debug","ts":"2026-06-16T20:27:58Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"ec630c6e-ae12-4b18-abbd-19c386a71e5b","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{"Static":null,"Pattern":"auth.metadata.apiKeyValidation.username"}}},"object":"alice_lead"} {"level":"debug","ts":"2026-06-16T20:27:58Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"ec630c6e-ae12-4b18-abbd-19c386a71e5b","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"} {"level":"debug","ts":"2026-06-16T20:27:58Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"ec630c6e-ae12-4b18-abbd-19c386a71e5b","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{"Static":null,"Pattern":"auth.metadata.apiKeyValidation.groups.@tostr"}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"} {"level":"debug","ts":"2026-06-16T20:27:58Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"ec630c6e-ae12-4b18-abbd-19c386a71e5b","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"groups_str","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"groups","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"userid","Value":{}},{"Name":"keyId","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_info","Value":{}}]},"Plain":null},"reason":"no such key: subscription-info"} {"level":"info","ts":"2026-06-16T20:27:58Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"ec630c6e-ae12-4b18-abbd-19c386a71e5b","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-16T20:27:58Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"ec630c6e-ae12-4b18-abbd-19c386a71e5b","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-16T20:27:58Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"95e674a7-7aa9-4f82-8162-fb1972bb27d4","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.41:33280","PortSpecifier":{"PortValue":33280}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.38:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"95e674a7-7aa9-4f82-8162-fb1972bb27d4","method":"GET","path":"/llm/facebook-opt-125m-simulated/v1/models","host":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local","scheme":"https"}}}} {"level":"debug","ts":"2026-06-16T20:27:58Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"95e674a7-7aa9-4f82-8162-fb1972bb27d4","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.41:33280","PortSpecifier":{"PortValue":33280}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.38:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781641678,"nanos":206389309},"http":{"id":"95e674a7-7aa9-4f82-8162-fb1972bb27d4","method":"GET","headers":{":authority":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local",":method":"GET",":path":"/llm/facebook-opt-125m-simulated/v1/models",":scheme":"https","accept-encoding":"gzip","authorization":"Bearer **** {"level":"debug","ts":"2026-06-16T20:27:58Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"95e674a7-7aa9-4f82-8162-fb1972bb27d4","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-EGMOTsXaJexLEhwH_Ql5DCarrt0KskLh10FhOv94TKaqtO7TlPMXACwvmSco"} {"level":"debug","ts":"2026-06-16T20:27:58Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"95e674a7-7aa9-4f82-8162-fb1972bb27d4","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-EGMOTsXaJexLEhwH_Ql5DCarrt0KskLh10FhOv94TKaqtO7TlPMXACwvmSco\"}"} {"level":"debug","ts":"2026-06-16T20:27:58Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"95e674a7-7aa9-4f82-8162-fb1972bb27d4","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"UserInfo":null,"UMA":null,"GenericHTTP":{"Endpoint":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","DynamicEndpoint":null,"Method":"POST","Body":{},"Parameters":[],"Headers":[],"ContentType":"application/json","SharedSecret":"","OAuth2":null,"OAuth2TokenForceFetch":false,"AuthCredentials":null}},"object":{"groups":["system:authenticated","Engineering","Project-Alpha"],"keyId":"63c7575f-4784-4d52-a108-7846c6e9efd4","subscription":"simulator-subscription","tenant":"opendatahub","userId":"63c7575f-4784-4d52-a108-7846c6e9efd4","username":"alice_lead","valid":true}} {"level":"debug","ts":"2026-06-16T20:27:58Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"95e674a7-7aa9-4f82-8162-fb1972bb27d4","config":"subscription-info","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","headers":{"Content-Type":["application/json"]},"body":"{\"groups\":[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"],\"requestedModel\":\"llm/facebook-opt-125m-simulated\",\"requestedSubscription\":\"simulator-subscription\",\"username\":\"alice_lead\"}"} {"level":"debug","ts":"2026-06-16T20:27:58Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"95e674a7-7aa9-4f82-8162-fb1972bb27d4","config":{"Name":"subscription-info","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"UserInfo":null,"UMA":null,"GenericHTTP":{"Endpoint":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","DynamicEndpoint":null,"Method":"POST","Body":{},"Parameters":[],"Headers":[],"ContentType":"application/json","SharedSecret":"","OAuth2":null,"OAuth2TokenForceFetch":false,"AuthCredentials":null}},"object":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}} {"level":"debug","ts":"2026-06-16T20:27:58Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"95e674a7-7aa9-4f82-8162-fb1972bb27d4","input":{"auth":{"identity":"Bearer **** subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}}},"context":{"context_extensions":{"host":"3dd75e19cd66d310c30638e330078972afd6d2d96305f91055bc6a6f363fb8d3"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.132.0.38:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local",":method":"GET",":path":"/llm/facebook-opt-125m-simulated/v1/models",":scheme":"https","accept-encoding":"gzip","authorization":"Bearer **** sk-oai-EGMOTsXaJexLEhwH_Ql5DCarrt0KskLh10FhOv94TKaqtO7TlPMXACwvmSco","user-agent":"Go-http-client/1.1","x-envoy-decorator-operation":"facebook-opt-125m-simulated-kserve-workload-svc.llm.svc.cluster.local:8000/*","x-envoy-external-address":"10.134.0.41","x-envoy-peer-metadata":"ChoKCkNMVVNURVJfSUQSDBoKS3ViZXJuZXRlcwqLAQoGTEFCRUxTEoABKn4KSwofc2VydmljZS5pc3Rpby5pby9jYW5vbmljYWwtbmFtZRIoGiZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAovCiNzZXJ2aWNlLmlzdGlvLmlvL2Nhbm9uaWNhbC1yZXZpc2lvbhIIGgZsYXRlc3QKQAoETkFNRRI4GjZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdC02ODdmZjY5OTYtc2ZubHEKIAoJTkFNRVNQQUNFEhMaEW9wZW5zaGlmdC1pbmdyZXNzCnQKBU9XTkVSEmsaaWt1YmVybmV0ZXM6Ly9hcGlzL2FwcHMvdjEvbmFtZXNwYWNlcy9vcGVuc2hpZnQtaW5ncmVzcy9kZXBsb3ltZW50cy9tYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAo5Cg1XT1JLTE9BRF9OQU1FEigaJm1hYXMtZGVmYXVsdC1nYXRld2F5LW9wZW5zaGlmdC1kZWZhdWx0","x-envoy-peer-metadata-id":"router~10.132.0.38~maas-default-gateway-openshift-default-687ff6996-sfnlq.openshift-ingress~openshift-ingress.svc.cluster.local","x-forwarded-for":"10.134.0.41","x-forwarded-proto":"https","x-maas-subscription":"simulator-subscription","x-request-id":"95e674a7-7aa9-4f82-8162-fb1972bb27d4"},"host":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local","id":"95e674a7-7aa9-4f82-8162-fb1972bb27d4","method":"GET","path":"/llm/facebook-opt-125m-simulated/v1/models","protocol":"HTTP/1.1","scheme":"https","time":{"nanos":206389309,"seconds":1781641678},"url_path":"/llm/facebook-opt-125m-simulated/v1/models","user_agent":"Go-http-client/1.1"},"source":{"address":"10.134.0.41:33280","port":33280}}} {"level":"debug","ts":"2026-06-16T20:27:58Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"95e674a7-7aa9-4f82-8162-fb1972bb27d4","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-16T20:27:58Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"95e674a7-7aa9-4f82-8162-fb1972bb27d4","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-16T20:27:58Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"95e674a7-7aa9-4f82-8162-fb1972bb27d4","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-16T20:27:58Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"95e674a7-7aa9-4f82-8162-fb1972bb27d4","config":{"Name":"subscription-valid","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-16T20:27:58Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"95e674a7-7aa9-4f82-8162-fb1972bb27d4","config":{"Name":"X-MaaS-Tenant","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Tenant","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{"Static":null,"Pattern":"auth.metadata.apiKeyValidation.tenant"}}},"object":"opendatahub"} {"level":"debug","ts":"2026-06-16T20:27:58Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"95e674a7-7aa9-4f82-8162-fb1972bb27d4","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{"Static":null,"Pattern":"auth.metadata.apiKeyValidation.groups.@tostr"}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"} {"level":"debug","ts":"2026-06-16T20:27:58Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"95e674a7-7aa9-4f82-8162-fb1972bb27d4","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{"Static":null,"Pattern":"auth.metadata.apiKeyValidation.username"}}},"object":"alice_lead"} {"level":"debug","ts":"2026-06-16T20:27:58Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"95e674a7-7aa9-4f82-8162-fb1972bb27d4","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"} {"level":"debug","ts":"2026-06-16T20:27:58Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"95e674a7-7aa9-4f82-8162-fb1972bb27d4","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"groups","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"keyId","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"userid","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error","Value":{}}]},"Plain":null},"object":{"groups":["system:authenticated","Engineering","Project-Alpha"],"groups_str":"system:authenticated,Engineering,Project-Alpha","keyId":"63c7575f-4784-4d52-a108-7846c6e9efd4","selected_subscription":"simulator-subscription","selected_subscription_key":"models-as-a-service/simulator-subscription@llm/facebook-opt-125m-simulated","subscription_error":"","subscription_error_message":"","subscription_info":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true},"userid":"alice_lead"}} {"level":"info","ts":"2026-06-16T20:27:58Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"95e674a7-7aa9-4f82-8162-fb1972bb27d4","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-16T20:27:58Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"95e674a7-7aa9-4f82-8162-fb1972bb27d4","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-16T20:27:58Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"0608c8b7-0302-4751-a9be-31283ddc0f13","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.14:55138","PortSpecifier":{"PortValue":55138}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.38:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"0608c8b7-0302-4751-a9be-31283ddc0f13","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.71298e35-e099-4bd7-909b-805f2a06aaeb.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-16T20:27:58Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"0608c8b7-0302-4751-a9be-31283ddc0f13","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.14:55138","PortSpecifier":{"PortValue":55138}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.38:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781641678,"nanos":360644840},"http":{"id":"0608c8b7-0302-4751-a9be-31283ddc0f13","method":"POST","headers":{":authority":"maas.apps.71298e35-e099-4bd7-909b-805f2a06aaeb.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-16T20:27:58Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"0608c8b7-0302-4751-a9be-31283ddc0f13","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781641978,"groups":["Engineering","Project-Alpha"],"iat":1781641678,"iss":"https://keycloak.apps.71298e35-e099-4bd7-909b-805f2a06aaeb.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:033f6fee-0435-e93d-3683-b21f79279f89","preferred_username":"alice_lead","scope":"profile email","sid":"SLDyNXygROQVLeNH5JHnkXjq","sub":"6f4dec1e-4c2b-4b53-a59e-1c915459c384","typ":"Bearer"}} {"level":"debug","ts":"2026-06-16T20:27:58Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"0608c8b7-0302-4751-a9be-31283ddc0f13","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781641978,"groups":["Engineering","Project-Alpha"],"iat":1781641678,"iss":"https://keycloak.apps.71298e35-e099-4bd7-909b-805f2a06aaeb.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:033f6fee-0435-e93d-3683-b21f79279f89","preferred_username":"alice_lead","scope":"profile email","sid":"SLDyNXygROQVLeNH5JHnkXjq","sub":"6f4dec1e-4c2b-4b53-a59e-1c915459c384","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.132.0.38:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.71298e35-e099-4bd7-909b-805f2a06aaeb.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-16T20:27:58Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"0608c8b7-0302-4751-a9be-31283ddc0f13","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-16T20:27:58Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"0608c8b7-0302-4751-a9be-31283ddc0f13","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-16T20:27:58Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"0608c8b7-0302-4751-a9be-31283ddc0f13","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-16T20:27:58Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"0608c8b7-0302-4751-a9be-31283ddc0f13","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"groups_str","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"groups","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"userid","Value":{}},{"Name":"keyId","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_info","Value":{}}]},"Plain":null},"reason":"no such key: metadata"} {"level":"debug","ts":"2026-06-16T20:27:58Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"0608c8b7-0302-4751-a9be-31283ddc0f13","config":{"Name":"X-MaaS-Tenant-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Tenant","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"opendatahub"} {"level":"debug","ts":"2026-06-16T20:27:58Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"0608c8b7-0302-4751-a9be-31283ddc0f13","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"} {"level":"debug","ts":"2026-06-16T20:27:58Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"0608c8b7-0302-4751-a9be-31283ddc0f13","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"} {"level":"info","ts":"2026-06-16T20:27:58Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"0608c8b7-0302-4751-a9be-31283ddc0f13","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-16T20:27:58Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"0608c8b7-0302-4751-a9be-31283ddc0f13","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-16T20:27:58Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"a39b8658-1719-42be-849b-1763e345dd23","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.14:55146","PortSpecifier":{"PortValue":55146}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.38:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"a39b8658-1719-42be-849b-1763e345dd23","method":"GET","path":"/maas-api/v1/models","host":"maas.apps.71298e35-e099-4bd7-909b-805f2a06aaeb.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-16T20:27:58Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"a39b8658-1719-42be-849b-1763e345dd23","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.14:55146","PortSpecifier":{"PortValue":55146}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.38:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781641678,"nanos":389674402},"http":{"id":"a39b8658-1719-42be-849b-1763e345dd23","method":"GET","headers":{":authority":"maas.apps.71298e35-e099-4bd7-909b-805f2a06aaeb.prod.konfluxeaas.com",":method":"GET",":path":"/maas-api/v1/models",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-16T20:27:58Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"a39b8658-1719-42be-849b-1763e345dd23","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-SsV3aaSmkmdhk7Py_FSMtwes0ntksa04fWUOwP5iw7lXlBBpx3lpenWB5HoM"} {"level":"debug","ts":"2026-06-16T20:27:58Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"a39b8658-1719-42be-849b-1763e345dd23","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-SsV3aaSmkmdhk7Py_FSMtwes0ntksa04fWUOwP5iw7lXlBBpx3lpenWB5HoM\"}"} {"level":"debug","ts":"2026-06-16T20:27:58Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"a39b8658-1719-42be-849b-1763e345dd23","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"UserInfo":null,"UMA":null,"GenericHTTP":{"Endpoint":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","DynamicEndpoint":null,"Method":"POST","Body":{},"Parameters":[],"Headers":[],"ContentType":"application/json","SharedSecret":"","OAuth2":null,"OAuth2TokenForceFetch":false,"AuthCredentials":null}},"object":{"groups":["system:authenticated","Engineering","Project-Alpha"],"keyId":"d3be3f89-70cc-4d38-8f9d-219dfd364c7e","subscription":"simulator-subscription","tenant":"opendatahub","userId":"d3be3f89-70cc-4d38-8f9d-219dfd364c7e","username":"alice_lead","valid":true}} {"level":"debug","ts":"2026-06-16T20:27:58Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"a39b8658-1719-42be-849b-1763e345dd23","input":{"auth":{"identity":"Bearer **** deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-16T20:27:58Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"a39b8658-1719-42be-849b-1763e345dd23","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-16T20:27:58Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"a39b8658-1719-42be-849b-1763e345dd23","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-16T20:27:58Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"a39b8658-1719-42be-849b-1763e345dd23","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-16T20:27:58Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"a39b8658-1719-42be-849b-1763e345dd23","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{"Static":null,"Pattern":"auth.metadata.apiKeyValidation.username"}}},"object":"alice_lead"} {"level":"debug","ts":"2026-06-16T20:27:58Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"a39b8658-1719-42be-849b-1763e345dd23","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{"Static":null,"Pattern":"auth.metadata.apiKeyValidation.groups.@tostr"}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"} {"level":"debug","ts":"2026-06-16T20:27:58Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"a39b8658-1719-42be-849b-1763e345dd23","config":{"Name":"X-MaaS-Tenant","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Tenant","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{"Static":null,"Pattern":"auth.metadata.apiKeyValidation.tenant"}}},"object":"opendatahub"} {"level":"debug","ts":"2026-06-16T20:27:58Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"a39b8658-1719-42be-849b-1763e345dd23","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"groups_str","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"groups","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"userid","Value":{}},{"Name":"keyId","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_info","Value":{}}]},"Plain":null},"reason":"no such key: subscription-info"} {"level":"debug","ts":"2026-06-16T20:27:58Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"a39b8658-1719-42be-849b-1763e345dd23","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"} {"level":"info","ts":"2026-06-16T20:27:58Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"a39b8658-1719-42be-849b-1763e345dd23","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-16T20:27:58Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"a39b8658-1719-42be-849b-1763e345dd23","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-16T20:27:58Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"53e08bff-4070-43c6-b126-a8c8cd629ce5","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.14:55162","PortSpecifier":{"PortValue":55162}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.38:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"53e08bff-4070-43c6-b126-a8c8cd629ce5","method":"GET","path":"/maas-api/v1/models","host":"maas.apps.71298e35-e099-4bd7-909b-805f2a06aaeb.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-16T20:27:58Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"53e08bff-4070-43c6-b126-a8c8cd629ce5","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.14:55162","PortSpecifier":{"PortValue":55162}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.38:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781641678,"nanos":415264928},"http":{"id":"53e08bff-4070-43c6-b126-a8c8cd629ce5","method":"GET","headers":{":authority":"maas.apps.71298e35-e099-4bd7-909b-805f2a06aaeb.prod.konfluxeaas.com",":method":"GET",":path":"/maas-api/v1/models",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-16T20:27:58Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"53e08bff-4070-43c6-b126-a8c8cd629ce5","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-SsV3aaSmkmdhk7Py_FSMtwes0ntksa04fWUOwP5iw7lXlBBpx3lpenWB5HoM"} {"level":"debug","ts":"2026-06-16T20:27:58Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"53e08bff-4070-43c6-b126-a8c8cd629ce5","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-SsV3aaSmkmdhk7Py_FSMtwes0ntksa04fWUOwP5iw7lXlBBpx3lpenWB5HoM\"}"} {"level":"debug","ts":"2026-06-16T20:27:58Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"53e08bff-4070-43c6-b126-a8c8cd629ce5","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"UserInfo":null,"UMA":null,"GenericHTTP":{"Endpoint":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","DynamicEndpoint":null,"Method":"POST","Body":{},"Parameters":[],"Headers":[],"ContentType":"application/json","SharedSecret":"","OAuth2":null,"OAuth2TokenForceFetch":false,"AuthCredentials":null}},"object":{"groups":["system:authenticated","Engineering","Project-Alpha"],"keyId":"d3be3f89-70cc-4d38-8f9d-219dfd364c7e","subscription":"simulator-subscription","tenant":"opendatahub","userId":"d3be3f89-70cc-4d38-8f9d-219dfd364c7e","username":"alice_lead","valid":true}} {"level":"debug","ts":"2026-06-16T20:27:58Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"53e08bff-4070-43c6-b126-a8c8cd629ce5","input":{"auth":{"identity":"Bearer **** deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-16T20:27:58Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"53e08bff-4070-43c6-b126-a8c8cd629ce5","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-16T20:27:58Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"53e08bff-4070-43c6-b126-a8c8cd629ce5","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-16T20:27:58Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"53e08bff-4070-43c6-b126-a8c8cd629ce5","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-16T20:27:58Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"53e08bff-4070-43c6-b126-a8c8cd629ce5","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{"Static":null,"Pattern":"auth.metadata.apiKeyValidation.groups.@tostr"}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"} {"level":"debug","ts":"2026-06-16T20:27:58Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"53e08bff-4070-43c6-b126-a8c8cd629ce5","config":{"Name":"X-MaaS-Tenant","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Tenant","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{"Static":null,"Pattern":"auth.metadata.apiKeyValidation.tenant"}}},"object":"opendatahub"} {"level":"debug","ts":"2026-06-16T20:27:58Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"53e08bff-4070-43c6-b126-a8c8cd629ce5","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"} {"level":"debug","ts":"2026-06-16T20:27:58Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"53e08bff-4070-43c6-b126-a8c8cd629ce5","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{"Static":null,"Pattern":"auth.metadata.apiKeyValidation.username"}}},"object":"alice_lead"} {"level":"debug","ts":"2026-06-16T20:27:58Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"53e08bff-4070-43c6-b126-a8c8cd629ce5","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"groups_str","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"groups","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"userid","Value":{}},{"Name":"keyId","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_info","Value":{}}]},"Plain":null},"reason":"no such key: subscription-info"} {"level":"info","ts":"2026-06-16T20:27:58Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"53e08bff-4070-43c6-b126-a8c8cd629ce5","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-16T20:27:58Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"53e08bff-4070-43c6-b126-a8c8cd629ce5","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-16T20:27:58Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"521aa3ae-428a-4c97-9f27-7ac22ff6302d","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.41:33280","PortSpecifier":{"PortValue":33280}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.38:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"521aa3ae-428a-4c97-9f27-7ac22ff6302d","method":"GET","path":"/llm/facebook-opt-125m-simulated/v1/models","host":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local","scheme":"https"}}}} {"level":"debug","ts":"2026-06-16T20:27:58Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"521aa3ae-428a-4c97-9f27-7ac22ff6302d","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.41:33280","PortSpecifier":{"PortValue":33280}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.38:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781641678,"nanos":423119818},"http":{"id":"521aa3ae-428a-4c97-9f27-7ac22ff6302d","method":"GET","headers":{":authority":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local",":method":"GET",":path":"/llm/facebook-opt-125m-simulated/v1/models",":scheme":"https","accept-encoding":"gzip","authorization":"Bearer **** {"level":"debug","ts":"2026-06-16T20:27:58Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"521aa3ae-428a-4c97-9f27-7ac22ff6302d","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-SsV3aaSmkmdhk7Py_FSMtwes0ntksa04fWUOwP5iw7lXlBBpx3lpenWB5HoM"} {"level":"debug","ts":"2026-06-16T20:27:58Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"521aa3ae-428a-4c97-9f27-7ac22ff6302d","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-SsV3aaSmkmdhk7Py_FSMtwes0ntksa04fWUOwP5iw7lXlBBpx3lpenWB5HoM\"}"} {"level":"debug","ts":"2026-06-16T20:27:58Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"521aa3ae-428a-4c97-9f27-7ac22ff6302d","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"UserInfo":null,"UMA":null,"GenericHTTP":{"Endpoint":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","DynamicEndpoint":null,"Method":"POST","Body":{},"Parameters":[],"Headers":[],"ContentType":"application/json","SharedSecret":"","OAuth2":null,"OAuth2TokenForceFetch":false,"AuthCredentials":null}},"object":{"groups":["system:authenticated","Engineering","Project-Alpha"],"keyId":"d3be3f89-70cc-4d38-8f9d-219dfd364c7e","subscription":"simulator-subscription","tenant":"opendatahub","userId":"d3be3f89-70cc-4d38-8f9d-219dfd364c7e","username":"alice_lead","valid":true}} {"level":"debug","ts":"2026-06-16T20:27:58Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"521aa3ae-428a-4c97-9f27-7ac22ff6302d","config":"subscription-info","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","headers":{"Content-Type":["application/json"]},"body":"{\"groups\":[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"],\"requestedModel\":\"llm/facebook-opt-125m-simulated\",\"requestedSubscription\":\"simulator-subscription\",\"username\":\"alice_lead\"}"} {"level":"debug","ts":"2026-06-16T20:27:58Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"521aa3ae-428a-4c97-9f27-7ac22ff6302d","config":{"Name":"subscription-info","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"UserInfo":null,"UMA":null,"GenericHTTP":{"Endpoint":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","DynamicEndpoint":null,"Method":"POST","Body":{},"Parameters":[],"Headers":[],"ContentType":"application/json","SharedSecret":"","OAuth2":null,"OAuth2TokenForceFetch":false,"AuthCredentials":null}},"object":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}} {"level":"debug","ts":"2026-06-16T20:27:58Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"521aa3ae-428a-4c97-9f27-7ac22ff6302d","input":{"auth":{"identity":"Bearer **** subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}}},"context":{"context_extensions":{"host":"3dd75e19cd66d310c30638e330078972afd6d2d96305f91055bc6a6f363fb8d3"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.132.0.38:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local",":method":"GET",":path":"/llm/facebook-opt-125m-simulated/v1/models",":scheme":"https","accept-encoding":"gzip","authorization":"Bearer **** sk-oai-SsV3aaSmkmdhk7Py_FSMtwes0ntksa04fWUOwP5iw7lXlBBpx3lpenWB5HoM","user-agent":"Go-http-client/1.1","x-envoy-decorator-operation":"facebook-opt-125m-simulated-kserve-workload-svc.llm.svc.cluster.local:8000/*","x-envoy-external-address":"10.134.0.41","x-envoy-peer-metadata":"ChoKCkNMVVNURVJfSUQSDBoKS3ViZXJuZXRlcwqLAQoGTEFCRUxTEoABKn4KSwofc2VydmljZS5pc3Rpby5pby9jYW5vbmljYWwtbmFtZRIoGiZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAovCiNzZXJ2aWNlLmlzdGlvLmlvL2Nhbm9uaWNhbC1yZXZpc2lvbhIIGgZsYXRlc3QKQAoETkFNRRI4GjZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdC02ODdmZjY5OTYtc2ZubHEKIAoJTkFNRVNQQUNFEhMaEW9wZW5zaGlmdC1pbmdyZXNzCnQKBU9XTkVSEmsaaWt1YmVybmV0ZXM6Ly9hcGlzL2FwcHMvdjEvbmFtZXNwYWNlcy9vcGVuc2hpZnQtaW5ncmVzcy9kZXBsb3ltZW50cy9tYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAo5Cg1XT1JLTE9BRF9OQU1FEigaJm1hYXMtZGVmYXVsdC1nYXRld2F5LW9wZW5zaGlmdC1kZWZhdWx0","x-envoy-peer-metadata-id":"router~10.132.0.38~maas-default-gateway-openshift-default-687ff6996-sfnlq.openshift-ingress~openshift-ingress.svc.cluster.local","x-forwarded-for":"10.134.0.41","x-forwarded-proto":"https","x-maas-subscription":"simulator-subscription","x-request-id":"521aa3ae-428a-4c97-9f27-7ac22ff6302d"},"host":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local","id":"521aa3ae-428a-4c97-9f27-7ac22ff6302d","method":"GET","path":"/llm/facebook-opt-125m-simulated/v1/models","protocol":"HTTP/1.1","scheme":"https","time":{"nanos":423119818,"seconds":1781641678},"url_path":"/llm/facebook-opt-125m-simulated/v1/models","user_agent":"Go-http-client/1.1"},"source":{"address":"10.134.0.41:33280","port":33280}}} {"level":"debug","ts":"2026-06-16T20:27:58Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"521aa3ae-428a-4c97-9f27-7ac22ff6302d","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-16T20:27:58Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"521aa3ae-428a-4c97-9f27-7ac22ff6302d","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-16T20:27:58Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"521aa3ae-428a-4c97-9f27-7ac22ff6302d","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-16T20:27:58Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"521aa3ae-428a-4c97-9f27-7ac22ff6302d","config":{"Name":"subscription-valid","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-16T20:27:58Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"521aa3ae-428a-4c97-9f27-7ac22ff6302d","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{"Static":null,"Pattern":"auth.metadata.apiKeyValidation.username"}}},"object":"alice_lead"} {"level":"debug","ts":"2026-06-16T20:27:58Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"521aa3ae-428a-4c97-9f27-7ac22ff6302d","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{"Static":null,"Pattern":"auth.metadata.apiKeyValidation.groups.@tostr"}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"} {"level":"debug","ts":"2026-06-16T20:27:58Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"521aa3ae-428a-4c97-9f27-7ac22ff6302d","config":{"Name":"X-MaaS-Tenant","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Tenant","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{"Static":null,"Pattern":"auth.metadata.apiKeyValidation.tenant"}}},"object":"opendatahub"} {"level":"debug","ts":"2026-06-16T20:27:58Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"521aa3ae-428a-4c97-9f27-7ac22ff6302d","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"} {"level":"debug","ts":"2026-06-16T20:27:58Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"521aa3ae-428a-4c97-9f27-7ac22ff6302d","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"groups","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"keyId","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"userid","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error","Value":{}}]},"Plain":null},"object":{"groups":["system:authenticated","Engineering","Project-Alpha"],"groups_str":"system:authenticated,Engineering,Project-Alpha","keyId":"d3be3f89-70cc-4d38-8f9d-219dfd364c7e","selected_subscription":"simulator-subscription","selected_subscription_key":"models-as-a-service/simulator-subscription@llm/facebook-opt-125m-simulated","subscription_error":"","subscription_error_message":"","subscription_info":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true},"userid":"alice_lead"}} {"level":"info","ts":"2026-06-16T20:27:58Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"521aa3ae-428a-4c97-9f27-7ac22ff6302d","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-16T20:27:58Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"521aa3ae-428a-4c97-9f27-7ac22ff6302d","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-16T20:27:58Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"28cc6f5d-20b1-473e-ad59-9979a0e857f3","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.14:55166","PortSpecifier":{"PortValue":55166}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.38:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"28cc6f5d-20b1-473e-ad59-9979a0e857f3","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.71298e35-e099-4bd7-909b-805f2a06aaeb.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-16T20:27:58Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"28cc6f5d-20b1-473e-ad59-9979a0e857f3","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.14:55166","PortSpecifier":{"PortValue":55166}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.38:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781641678,"nanos":580177343},"http":{"id":"28cc6f5d-20b1-473e-ad59-9979a0e857f3","method":"POST","headers":{":authority":"maas.apps.71298e35-e099-4bd7-909b-805f2a06aaeb.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-16T20:27:58Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"28cc6f5d-20b1-473e-ad59-9979a0e857f3","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781641978,"groups":["Engineering","Project-Alpha"],"iat":1781641678,"iss":"https://keycloak.apps.71298e35-e099-4bd7-909b-805f2a06aaeb.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:af0d5f73-222f-cee1-6ac8-bf7a2f0655cd","preferred_username":"alice_lead","scope":"profile email","sid":"lXncEIk6z7FLy4Vaph7l7PDw","sub":"6f4dec1e-4c2b-4b53-a59e-1c915459c384","typ":"Bearer"}} {"level":"debug","ts":"2026-06-16T20:27:58Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"28cc6f5d-20b1-473e-ad59-9979a0e857f3","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781641978,"groups":["Engineering","Project-Alpha"],"iat":1781641678,"iss":"https://keycloak.apps.71298e35-e099-4bd7-909b-805f2a06aaeb.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:af0d5f73-222f-cee1-6ac8-bf7a2f0655cd","preferred_username":"alice_lead","scope":"profile email","sid":"lXncEIk6z7FLy4Vaph7l7PDw","sub":"6f4dec1e-4c2b-4b53-a59e-1c915459c384","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.132.0.38:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.71298e35-e099-4bd7-909b-805f2a06aaeb.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-16T20:27:58Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"28cc6f5d-20b1-473e-ad59-9979a0e857f3","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-16T20:27:58Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"28cc6f5d-20b1-473e-ad59-9979a0e857f3","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-16T20:27:58Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"28cc6f5d-20b1-473e-ad59-9979a0e857f3","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-16T20:27:58Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"28cc6f5d-20b1-473e-ad59-9979a0e857f3","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"groups_str","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"groups","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"userid","Value":{}},{"Name":"keyId","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_info","Value":{}}]},"Plain":null},"reason":"no such key: metadata"} {"level":"debug","ts":"2026-06-16T20:27:58Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"28cc6f5d-20b1-473e-ad59-9979a0e857f3","config":{"Name":"X-MaaS-Tenant-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Tenant","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"opendatahub"} {"level":"debug","ts":"2026-06-16T20:27:58Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"28cc6f5d-20b1-473e-ad59-9979a0e857f3","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"} {"level":"debug","ts":"2026-06-16T20:27:58Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"28cc6f5d-20b1-473e-ad59-9979a0e857f3","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"} {"level":"info","ts":"2026-06-16T20:27:58Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"28cc6f5d-20b1-473e-ad59-9979a0e857f3","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-16T20:27:58Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"28cc6f5d-20b1-473e-ad59-9979a0e857f3","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-16T20:27:58Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"f2396a9c-8688-446e-8c1c-937ac783bb55","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.14:55178","PortSpecifier":{"PortValue":55178}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.38:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"f2396a9c-8688-446e-8c1c-937ac783bb55","method":"GET","path":"/maas-api/v1/models","host":"maas.apps.71298e35-e099-4bd7-909b-805f2a06aaeb.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-16T20:27:58Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"f2396a9c-8688-446e-8c1c-937ac783bb55","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.14:55178","PortSpecifier":{"PortValue":55178}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.38:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781641678,"nanos":609313853},"http":{"id":"f2396a9c-8688-446e-8c1c-937ac783bb55","method":"GET","headers":{":authority":"maas.apps.71298e35-e099-4bd7-909b-805f2a06aaeb.prod.konfluxeaas.com",":method":"GET",":path":"/maas-api/v1/models",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-16T20:27:58Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"f2396a9c-8688-446e-8c1c-937ac783bb55","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-10LANxNvJQi59xWhp_bnMbjBb1OHJQfzFVHToH4rGZP22sgSgKVOZPBZQTmSa"} {"level":"debug","ts":"2026-06-16T20:27:58Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"f2396a9c-8688-446e-8c1c-937ac783bb55","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-10LANxNvJQi59xWhp_bnMbjBb1OHJQfzFVHToH4rGZP22sgSgKVOZPBZQTmSa\"}"} {"level":"debug","ts":"2026-06-16T20:27:58Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"f2396a9c-8688-446e-8c1c-937ac783bb55","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"UserInfo":null,"UMA":null,"GenericHTTP":{"Endpoint":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","DynamicEndpoint":null,"Method":"POST","Body":{},"Parameters":[],"Headers":[],"ContentType":"application/json","SharedSecret":"","OAuth2":null,"OAuth2TokenForceFetch":false,"AuthCredentials":null}},"object":{"groups":["system:authenticated","Engineering","Project-Alpha"],"keyId":"0aeb5453-2b08-4a1b-b4e2-25b11a914f9d","subscription":"simulator-subscription","tenant":"opendatahub","userId":"0aeb5453-2b08-4a1b-b4e2-25b11a914f9d","username":"alice_lead","valid":true}} {"level":"debug","ts":"2026-06-16T20:27:58Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"f2396a9c-8688-446e-8c1c-937ac783bb55","input":{"auth":{"identity":"Bearer **** deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-16T20:27:58Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"f2396a9c-8688-446e-8c1c-937ac783bb55","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-16T20:27:58Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"f2396a9c-8688-446e-8c1c-937ac783bb55","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-16T20:27:58Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"f2396a9c-8688-446e-8c1c-937ac783bb55","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-16T20:27:58Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"f2396a9c-8688-446e-8c1c-937ac783bb55","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{"Static":null,"Pattern":"auth.metadata.apiKeyValidation.username"}}},"object":"alice_lead"} {"level":"debug","ts":"2026-06-16T20:27:58Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"f2396a9c-8688-446e-8c1c-937ac783bb55","config":{"Name":"X-MaaS-Tenant","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Tenant","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{"Static":null,"Pattern":"auth.metadata.apiKeyValidation.tenant"}}},"object":"opendatahub"} {"level":"debug","ts":"2026-06-16T20:27:58Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"f2396a9c-8688-446e-8c1c-937ac783bb55","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{"Static":null,"Pattern":"auth.metadata.apiKeyValidation.groups.@tostr"}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"} {"level":"debug","ts":"2026-06-16T20:27:58Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"f2396a9c-8688-446e-8c1c-937ac783bb55","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"groups_str","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"groups","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"userid","Value":{}},{"Name":"keyId","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_info","Value":{}}]},"Plain":null},"reason":"no such key: subscription-info"} {"level":"debug","ts":"2026-06-16T20:27:58Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"f2396a9c-8688-446e-8c1c-937ac783bb55","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"} {"level":"info","ts":"2026-06-16T20:27:58Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"f2396a9c-8688-446e-8c1c-937ac783bb55","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-16T20:27:58Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"f2396a9c-8688-446e-8c1c-937ac783bb55","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-16T20:27:58Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"e6baf4f6-c317-45ad-ae36-d69bb7d138a2","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.41:33280","PortSpecifier":{"PortValue":33280}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.38:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"e6baf4f6-c317-45ad-ae36-d69bb7d138a2","method":"GET","path":"/llm/facebook-opt-125m-simulated/v1/models","host":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local","scheme":"https"}}}} {"level":"debug","ts":"2026-06-16T20:27:58Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"e6baf4f6-c317-45ad-ae36-d69bb7d138a2","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.41:33280","PortSpecifier":{"PortValue":33280}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.38:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781641678,"nanos":617001011},"http":{"id":"e6baf4f6-c317-45ad-ae36-d69bb7d138a2","method":"GET","headers":{":authority":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local",":method":"GET",":path":"/llm/facebook-opt-125m-simulated/v1/models",":scheme":"https","accept-encoding":"gzip","authorization":"Bearer **** {"level":"debug","ts":"2026-06-16T20:27:58Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"e6baf4f6-c317-45ad-ae36-d69bb7d138a2","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-10LANxNvJQi59xWhp_bnMbjBb1OHJQfzFVHToH4rGZP22sgSgKVOZPBZQTmSa"} {"level":"debug","ts":"2026-06-16T20:27:58Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"e6baf4f6-c317-45ad-ae36-d69bb7d138a2","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-10LANxNvJQi59xWhp_bnMbjBb1OHJQfzFVHToH4rGZP22sgSgKVOZPBZQTmSa\"}"} {"level":"debug","ts":"2026-06-16T20:27:58Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"e6baf4f6-c317-45ad-ae36-d69bb7d138a2","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"UserInfo":null,"UMA":null,"GenericHTTP":{"Endpoint":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","DynamicEndpoint":null,"Method":"POST","Body":{},"Parameters":[],"Headers":[],"ContentType":"application/json","SharedSecret":"","OAuth2":null,"OAuth2TokenForceFetch":false,"AuthCredentials":null}},"object":{"groups":["system:authenticated","Engineering","Project-Alpha"],"keyId":"0aeb5453-2b08-4a1b-b4e2-25b11a914f9d","subscription":"simulator-subscription","tenant":"opendatahub","userId":"0aeb5453-2b08-4a1b-b4e2-25b11a914f9d","username":"alice_lead","valid":true}} {"level":"debug","ts":"2026-06-16T20:27:58Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"e6baf4f6-c317-45ad-ae36-d69bb7d138a2","config":"subscription-info","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","headers":{"Content-Type":["application/json"]},"body":"{\"groups\":[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"],\"requestedModel\":\"llm/facebook-opt-125m-simulated\",\"requestedSubscription\":\"simulator-subscription\",\"username\":\"alice_lead\"}"} {"level":"debug","ts":"2026-06-16T20:27:58Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"e6baf4f6-c317-45ad-ae36-d69bb7d138a2","config":{"Name":"subscription-info","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"UserInfo":null,"UMA":null,"GenericHTTP":{"Endpoint":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","DynamicEndpoint":null,"Method":"POST","Body":{},"Parameters":[],"Headers":[],"ContentType":"application/json","SharedSecret":"","OAuth2":null,"OAuth2TokenForceFetch":false,"AuthCredentials":null}},"object":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}} {"level":"debug","ts":"2026-06-16T20:27:58Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"e6baf4f6-c317-45ad-ae36-d69bb7d138a2","input":{"auth":{"identity":"Bearer **** subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}}},"context":{"context_extensions":{"host":"3dd75e19cd66d310c30638e330078972afd6d2d96305f91055bc6a6f363fb8d3"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.132.0.38:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local",":method":"GET",":path":"/llm/facebook-opt-125m-simulated/v1/models",":scheme":"https","accept-encoding":"gzip","authorization":"Bearer **** sk-oai-10LANxNvJQi59xWhp_bnMbjBb1OHJQfzFVHToH4rGZP22sgSgKVOZPBZQTmSa","user-agent":"Go-http-client/1.1","x-envoy-decorator-operation":"facebook-opt-125m-simulated-kserve-workload-svc.llm.svc.cluster.local:8000/*","x-envoy-external-address":"10.134.0.41","x-envoy-peer-metadata":"ChoKCkNMVVNURVJfSUQSDBoKS3ViZXJuZXRlcwqLAQoGTEFCRUxTEoABKn4KSwofc2VydmljZS5pc3Rpby5pby9jYW5vbmljYWwtbmFtZRIoGiZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAovCiNzZXJ2aWNlLmlzdGlvLmlvL2Nhbm9uaWNhbC1yZXZpc2lvbhIIGgZsYXRlc3QKQAoETkFNRRI4GjZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdC02ODdmZjY5OTYtc2ZubHEKIAoJTkFNRVNQQUNFEhMaEW9wZW5zaGlmdC1pbmdyZXNzCnQKBU9XTkVSEmsaaWt1YmVybmV0ZXM6Ly9hcGlzL2FwcHMvdjEvbmFtZXNwYWNlcy9vcGVuc2hpZnQtaW5ncmVzcy9kZXBsb3ltZW50cy9tYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAo5Cg1XT1JLTE9BRF9OQU1FEigaJm1hYXMtZGVmYXVsdC1nYXRld2F5LW9wZW5zaGlmdC1kZWZhdWx0","x-envoy-peer-metadata-id":"router~10.132.0.38~maas-default-gateway-openshift-default-687ff6996-sfnlq.openshift-ingress~openshift-ingress.svc.cluster.local","x-forwarded-for":"10.134.0.41","x-forwarded-proto":"https","x-maas-subscription":"simulator-subscription","x-request-id":"e6baf4f6-c317-45ad-ae36-d69bb7d138a2"},"host":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local","id":"e6baf4f6-c317-45ad-ae36-d69bb7d138a2","method":"GET","path":"/llm/facebook-opt-125m-simulated/v1/models","protocol":"HTTP/1.1","scheme":"https","time":{"nanos":617001011,"seconds":1781641678},"url_path":"/llm/facebook-opt-125m-simulated/v1/models","user_agent":"Go-http-client/1.1"},"source":{"address":"10.134.0.41:33280","port":33280}}} {"level":"debug","ts":"2026-06-16T20:27:58Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"e6baf4f6-c317-45ad-ae36-d69bb7d138a2","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-16T20:27:58Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"e6baf4f6-c317-45ad-ae36-d69bb7d138a2","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-16T20:27:58Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"e6baf4f6-c317-45ad-ae36-d69bb7d138a2","config":{"Name":"subscription-valid","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-16T20:27:58Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"e6baf4f6-c317-45ad-ae36-d69bb7d138a2","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-16T20:27:58Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"e6baf4f6-c317-45ad-ae36-d69bb7d138a2","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"} {"level":"debug","ts":"2026-06-16T20:27:58Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"e6baf4f6-c317-45ad-ae36-d69bb7d138a2","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{"Static":null,"Pattern":"auth.metadata.apiKeyValidation.username"}}},"object":"alice_lead"} {"level":"debug","ts":"2026-06-16T20:27:58Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"e6baf4f6-c317-45ad-ae36-d69bb7d138a2","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{"Static":null,"Pattern":"auth.metadata.apiKeyValidation.groups.@tostr"}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"} {"level":"debug","ts":"2026-06-16T20:27:58Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"e6baf4f6-c317-45ad-ae36-d69bb7d138a2","config":{"Name":"X-MaaS-Tenant","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Tenant","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{"Static":null,"Pattern":"auth.metadata.apiKeyValidation.tenant"}}},"object":"opendatahub"} {"level":"debug","ts":"2026-06-16T20:27:58Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"e6baf4f6-c317-45ad-ae36-d69bb7d138a2","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"groups","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"keyId","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"userid","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error","Value":{}}]},"Plain":null},"object":{"groups":["system:authenticated","Engineering","Project-Alpha"],"groups_str":"system:authenticated,Engineering,Project-Alpha","keyId":"0aeb5453-2b08-4a1b-b4e2-25b11a914f9d","selected_subscription":"simulator-subscription","selected_subscription_key":"models-as-a-service/simulator-subscription@llm/facebook-opt-125m-simulated","subscription_error":"","subscription_error_message":"","subscription_info":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true},"userid":"alice_lead"}} {"level":"info","ts":"2026-06-16T20:27:58Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"e6baf4f6-c317-45ad-ae36-d69bb7d138a2","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-16T20:27:58Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"e6baf4f6-c317-45ad-ae36-d69bb7d138a2","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-16T20:27:58Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"9b01d42c-e4b1-4b71-bfe8-50e10a7dc7be","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.14:55184","PortSpecifier":{"PortValue":55184}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.38:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"9b01d42c-e4b1-4b71-bfe8-50e10a7dc7be","method":"GET","path":"/maas-api/v1/models","host":"maas.apps.71298e35-e099-4bd7-909b-805f2a06aaeb.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-16T20:27:58Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"9b01d42c-e4b1-4b71-bfe8-50e10a7dc7be","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.14:55184","PortSpecifier":{"PortValue":55184}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.38:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781641678,"nanos":647954292},"http":{"id":"9b01d42c-e4b1-4b71-bfe8-50e10a7dc7be","method":"GET","headers":{":authority":"maas.apps.71298e35-e099-4bd7-909b-805f2a06aaeb.prod.konfluxeaas.com",":method":"GET",":path":"/maas-api/v1/models",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-16T20:27:58Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"9b01d42c-e4b1-4b71-bfe8-50e10a7dc7be","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-10LANxNvJQi59xWhp_bnMbjBb1OHJQfzFVHToH4rGZP22sgSgKVOZPBZQTmSa"} {"level":"debug","ts":"2026-06-16T20:27:58Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"9b01d42c-e4b1-4b71-bfe8-50e10a7dc7be","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-10LANxNvJQi59xWhp_bnMbjBb1OHJQfzFVHToH4rGZP22sgSgKVOZPBZQTmSa\"}"} {"level":"debug","ts":"2026-06-16T20:27:58Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"9b01d42c-e4b1-4b71-bfe8-50e10a7dc7be","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"UserInfo":null,"UMA":null,"GenericHTTP":{"Endpoint":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","DynamicEndpoint":null,"Method":"POST","Body":{},"Parameters":[],"Headers":[],"ContentType":"application/json","SharedSecret":"","OAuth2":null,"OAuth2TokenForceFetch":false,"AuthCredentials":null}},"object":{"groups":["system:authenticated","Engineering","Project-Alpha"],"keyId":"0aeb5453-2b08-4a1b-b4e2-25b11a914f9d","subscription":"simulator-subscription","tenant":"opendatahub","userId":"0aeb5453-2b08-4a1b-b4e2-25b11a914f9d","username":"alice_lead","valid":true}} {"level":"debug","ts":"2026-06-16T20:27:58Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"9b01d42c-e4b1-4b71-bfe8-50e10a7dc7be","input":{"auth":{"identity":"Bearer **** deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-16T20:27:58Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"9b01d42c-e4b1-4b71-bfe8-50e10a7dc7be","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-16T20:27:58Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"9b01d42c-e4b1-4b71-bfe8-50e10a7dc7be","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-16T20:27:58Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"9b01d42c-e4b1-4b71-bfe8-50e10a7dc7be","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-16T20:27:58Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"9b01d42c-e4b1-4b71-bfe8-50e10a7dc7be","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"} {"level":"debug","ts":"2026-06-16T20:27:58Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"9b01d42c-e4b1-4b71-bfe8-50e10a7dc7be","config":{"Name":"X-MaaS-Tenant","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Tenant","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{"Static":null,"Pattern":"auth.metadata.apiKeyValidation.tenant"}}},"object":"opendatahub"} {"level":"debug","ts":"2026-06-16T20:27:58Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"9b01d42c-e4b1-4b71-bfe8-50e10a7dc7be","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{"Static":null,"Pattern":"auth.metadata.apiKeyValidation.username"}}},"object":"alice_lead"} {"level":"debug","ts":"2026-06-16T20:27:58Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"9b01d42c-e4b1-4b71-bfe8-50e10a7dc7be","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{"Static":null,"Pattern":"auth.metadata.apiKeyValidation.groups.@tostr"}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"} {"level":"debug","ts":"2026-06-16T20:27:58Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"9b01d42c-e4b1-4b71-bfe8-50e10a7dc7be","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"groups_str","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"groups","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"userid","Value":{}},{"Name":"keyId","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_info","Value":{}}]},"Plain":null},"reason":"no such key: subscription-info"} {"level":"info","ts":"2026-06-16T20:27:58Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"9b01d42c-e4b1-4b71-bfe8-50e10a7dc7be","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-16T20:27:58Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"9b01d42c-e4b1-4b71-bfe8-50e10a7dc7be","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-16T20:27:58Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"7bc3da7a-6949-45eb-b198-94d2413d0c3d","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.41:33280","PortSpecifier":{"PortValue":33280}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.38:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"7bc3da7a-6949-45eb-b198-94d2413d0c3d","method":"GET","path":"/llm/facebook-opt-125m-simulated/v1/models","host":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local","scheme":"https"}}}} {"level":"debug","ts":"2026-06-16T20:27:58Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"7bc3da7a-6949-45eb-b198-94d2413d0c3d","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.41:33280","PortSpecifier":{"PortValue":33280}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.38:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781641678,"nanos":655093857},"http":{"id":"7bc3da7a-6949-45eb-b198-94d2413d0c3d","method":"GET","headers":{":authority":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local",":method":"GET",":path":"/llm/facebook-opt-125m-simulated/v1/models",":scheme":"https","accept-encoding":"gzip","authorization":"Bearer **** {"level":"debug","ts":"2026-06-16T20:27:58Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"7bc3da7a-6949-45eb-b198-94d2413d0c3d","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-10LANxNvJQi59xWhp_bnMbjBb1OHJQfzFVHToH4rGZP22sgSgKVOZPBZQTmSa"} {"level":"debug","ts":"2026-06-16T20:27:58Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"7bc3da7a-6949-45eb-b198-94d2413d0c3d","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-10LANxNvJQi59xWhp_bnMbjBb1OHJQfzFVHToH4rGZP22sgSgKVOZPBZQTmSa\"}"} {"level":"debug","ts":"2026-06-16T20:27:58Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"7bc3da7a-6949-45eb-b198-94d2413d0c3d","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"UserInfo":null,"UMA":null,"GenericHTTP":{"Endpoint":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","DynamicEndpoint":null,"Method":"POST","Body":{},"Parameters":[],"Headers":[],"ContentType":"application/json","SharedSecret":"","OAuth2":null,"OAuth2TokenForceFetch":false,"AuthCredentials":null}},"object":{"groups":["system:authenticated","Engineering","Project-Alpha"],"keyId":"0aeb5453-2b08-4a1b-b4e2-25b11a914f9d","subscription":"simulator-subscription","tenant":"opendatahub","userId":"0aeb5453-2b08-4a1b-b4e2-25b11a914f9d","username":"alice_lead","valid":true}} {"level":"debug","ts":"2026-06-16T20:27:58Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"7bc3da7a-6949-45eb-b198-94d2413d0c3d","config":"subscription-info","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","headers":{"Content-Type":["application/json"]},"body":"{\"groups\":[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"],\"requestedModel\":\"llm/facebook-opt-125m-simulated\",\"requestedSubscription\":\"simulator-subscription\",\"username\":\"alice_lead\"}"} {"level":"debug","ts":"2026-06-16T20:27:58Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"7bc3da7a-6949-45eb-b198-94d2413d0c3d","config":{"Name":"subscription-info","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"UserInfo":null,"UMA":null,"GenericHTTP":{"Endpoint":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","DynamicEndpoint":null,"Method":"POST","Body":{},"Parameters":[],"Headers":[],"ContentType":"application/json","SharedSecret":"","OAuth2":null,"OAuth2TokenForceFetch":false,"AuthCredentials":null}},"object":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}} {"level":"debug","ts":"2026-06-16T20:27:58Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"7bc3da7a-6949-45eb-b198-94d2413d0c3d","input":{"auth":{"identity":"Bearer **** subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}}},"context":{"context_extensions":{"host":"3dd75e19cd66d310c30638e330078972afd6d2d96305f91055bc6a6f363fb8d3"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.132.0.38:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local",":method":"GET",":path":"/llm/facebook-opt-125m-simulated/v1/models",":scheme":"https","accept-encoding":"gzip","authorization":"Bearer **** sk-oai-10LANxNvJQi59xWhp_bnMbjBb1OHJQfzFVHToH4rGZP22sgSgKVOZPBZQTmSa","user-agent":"Go-http-client/1.1","x-envoy-decorator-operation":"facebook-opt-125m-simulated-kserve-workload-svc.llm.svc.cluster.local:8000/*","x-envoy-external-address":"10.134.0.41","x-envoy-peer-metadata":"ChoKCkNMVVNURVJfSUQSDBoKS3ViZXJuZXRlcwqLAQoGTEFCRUxTEoABKn4KSwofc2VydmljZS5pc3Rpby5pby9jYW5vbmljYWwtbmFtZRIoGiZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAovCiNzZXJ2aWNlLmlzdGlvLmlvL2Nhbm9uaWNhbC1yZXZpc2lvbhIIGgZsYXRlc3QKQAoETkFNRRI4GjZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdC02ODdmZjY5OTYtc2ZubHEKIAoJTkFNRVNQQUNFEhMaEW9wZW5zaGlmdC1pbmdyZXNzCnQKBU9XTkVSEmsaaWt1YmVybmV0ZXM6Ly9hcGlzL2FwcHMvdjEvbmFtZXNwYWNlcy9vcGVuc2hpZnQtaW5ncmVzcy9kZXBsb3ltZW50cy9tYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAo5Cg1XT1JLTE9BRF9OQU1FEigaJm1hYXMtZGVmYXVsdC1nYXRld2F5LW9wZW5zaGlmdC1kZWZhdWx0","x-envoy-peer-metadata-id":"router~10.132.0.38~maas-default-gateway-openshift-default-687ff6996-sfnlq.openshift-ingress~openshift-ingress.svc.cluster.local","x-forwarded-for":"10.134.0.41","x-forwarded-proto":"https","x-maas-subscription":"simulator-subscription","x-request-id":"7bc3da7a-6949-45eb-b198-94d2413d0c3d"},"host":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local","id":"7bc3da7a-6949-45eb-b198-94d2413d0c3d","method":"GET","path":"/llm/facebook-opt-125m-simulated/v1/models","protocol":"HTTP/1.1","scheme":"https","time":{"nanos":655093857,"seconds":1781641678},"url_path":"/llm/facebook-opt-125m-simulated/v1/models","user_agent":"Go-http-client/1.1"},"source":{"address":"10.134.0.41:33280","port":33280}}} {"level":"debug","ts":"2026-06-16T20:27:58Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"7bc3da7a-6949-45eb-b198-94d2413d0c3d","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-16T20:27:58Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"7bc3da7a-6949-45eb-b198-94d2413d0c3d","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-16T20:27:58Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"7bc3da7a-6949-45eb-b198-94d2413d0c3d","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-16T20:27:58Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"7bc3da7a-6949-45eb-b198-94d2413d0c3d","config":{"Name":"subscription-valid","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-16T20:27:58Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"7bc3da7a-6949-45eb-b198-94d2413d0c3d","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{"Static":null,"Pattern":"auth.metadata.apiKeyValidation.username"}}},"object":"alice_lead"} {"level":"debug","ts":"2026-06-16T20:27:58Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"7bc3da7a-6949-45eb-b198-94d2413d0c3d","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{"Static":null,"Pattern":"auth.metadata.apiKeyValidation.groups.@tostr"}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"} {"level":"debug","ts":"2026-06-16T20:27:58Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"7bc3da7a-6949-45eb-b198-94d2413d0c3d","config":{"Name":"X-MaaS-Tenant","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Tenant","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{"Static":null,"Pattern":"auth.metadata.apiKeyValidation.tenant"}}},"object":"opendatahub"} {"level":"debug","ts":"2026-06-16T20:27:58Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"7bc3da7a-6949-45eb-b198-94d2413d0c3d","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"} {"level":"debug","ts":"2026-06-16T20:27:58Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"7bc3da7a-6949-45eb-b198-94d2413d0c3d","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"groups","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"keyId","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"userid","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error","Value":{}}]},"Plain":null},"object":{"groups":["system:authenticated","Engineering","Project-Alpha"],"groups_str":"system:authenticated,Engineering,Project-Alpha","keyId":"0aeb5453-2b08-4a1b-b4e2-25b11a914f9d","selected_subscription":"simulator-subscription","selected_subscription_key":"models-as-a-service/simulator-subscription@llm/facebook-opt-125m-simulated","subscription_error":"","subscription_error_message":"","subscription_info":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true},"userid":"alice_lead"}} {"level":"info","ts":"2026-06-16T20:27:58Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"7bc3da7a-6949-45eb-b198-94d2413d0c3d","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-16T20:27:58Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"7bc3da7a-6949-45eb-b198-94d2413d0c3d","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-16T20:27:58Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"a9ae4857-f4ab-47ef-a6b5-452c6f0bed1e","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.14:55200","PortSpecifier":{"PortValue":55200}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.38:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"a9ae4857-f4ab-47ef-a6b5-452c6f0bed1e","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.71298e35-e099-4bd7-909b-805f2a06aaeb.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-16T20:27:58Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"a9ae4857-f4ab-47ef-a6b5-452c6f0bed1e","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.14:55200","PortSpecifier":{"PortValue":55200}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.38:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781641678,"nanos":811232920},"http":{"id":"a9ae4857-f4ab-47ef-a6b5-452c6f0bed1e","method":"POST","headers":{":authority":"maas.apps.71298e35-e099-4bd7-909b-805f2a06aaeb.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-16T20:27:58Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"a9ae4857-f4ab-47ef-a6b5-452c6f0bed1e","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781641978,"groups":["Engineering","Project-Alpha"],"iat":1781641678,"iss":"https://keycloak.apps.71298e35-e099-4bd7-909b-805f2a06aaeb.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:4bd9f4f3-c0f9-0e22-2901-32631bb9fd85","preferred_username":"alice_lead","scope":"profile email","sid":"aJsRDH11-WVLeOBk01FMvzxi","sub":"6f4dec1e-4c2b-4b53-a59e-1c915459c384","typ":"Bearer"}} {"level":"debug","ts":"2026-06-16T20:27:58Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"a9ae4857-f4ab-47ef-a6b5-452c6f0bed1e","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781641978,"groups":["Engineering","Project-Alpha"],"iat":1781641678,"iss":"https://keycloak.apps.71298e35-e099-4bd7-909b-805f2a06aaeb.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:4bd9f4f3-c0f9-0e22-2901-32631bb9fd85","preferred_username":"alice_lead","scope":"profile email","sid":"aJsRDH11-WVLeOBk01FMvzxi","sub":"6f4dec1e-4c2b-4b53-a59e-1c915459c384","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.132.0.38:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.71298e35-e099-4bd7-909b-805f2a06aaeb.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-16T20:27:58Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"a9ae4857-f4ab-47ef-a6b5-452c6f0bed1e","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-16T20:27:58Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"a9ae4857-f4ab-47ef-a6b5-452c6f0bed1e","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-16T20:27:58Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"a9ae4857-f4ab-47ef-a6b5-452c6f0bed1e","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-16T20:27:58Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"a9ae4857-f4ab-47ef-a6b5-452c6f0bed1e","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"groups_str","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"groups","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"userid","Value":{}},{"Name":"keyId","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_info","Value":{}}]},"Plain":null},"reason":"no such key: metadata"} {"level":"debug","ts":"2026-06-16T20:27:58Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"a9ae4857-f4ab-47ef-a6b5-452c6f0bed1e","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"} {"level":"debug","ts":"2026-06-16T20:27:58Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"a9ae4857-f4ab-47ef-a6b5-452c6f0bed1e","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"} {"level":"debug","ts":"2026-06-16T20:27:58Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"a9ae4857-f4ab-47ef-a6b5-452c6f0bed1e","config":{"Name":"X-MaaS-Tenant-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Tenant","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"opendatahub"} {"level":"info","ts":"2026-06-16T20:27:58Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"a9ae4857-f4ab-47ef-a6b5-452c6f0bed1e","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-16T20:27:58Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"a9ae4857-f4ab-47ef-a6b5-452c6f0bed1e","authorized":true,"response":"OK"}