{"level":"info","ts":"2026-06-13T01:34:38Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/cc09b530b46a73b0d4ddb40e465580cff15db19d77e93e4903c9737647deeb1a"}
{"level":"debug","ts":"2026-06-13T01:34:38Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/319a353672fc7601c875fa3f8b807adf60b64f093f022b2a1c3dfef3ac8cd4f4","issuerUrl":"https://keycloak.apps.e1c9500a-d053-4ec1-ade2-67efac99f42a.prod.konfluxeaas.com/realms/tenant-a"}
{"level":"debug","ts":"2026-06-13T01:34:38Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"35d34d59676c333235d7c9f02273e0380bb39f27cfd30856fedc0f7c0e5f79aa","namespace":"kuadrant-system"}}
{"level":"debug","ts":"2026-06-13T01:34:38Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"cc09b530b46a73b0d4ddb40e465580cff15db19d77e93e4903c9737647deeb1a","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"True","lastTransitionTime":"2026-06-13T01:34:38Z","reason":"HostsLinked"},{"type":"Ready","status":"True","lastTransitionTime":"2026-06-13T01:34:38Z","reason":"Reconciled"}],"summary":{"ready":true,"hostsReady":["cc09b530b46a73b0d4ddb40e465580cff15db19d77e93e4903c9737647deeb1a"],"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":8,"festivalWristbandEnabled":false}}}
{"level":"info","ts":"2026-06-13T01:34:38Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/319a353672fc7601c875fa3f8b807adf60b64f093f022b2a1c3dfef3ac8cd4f4"}
{"level":"debug","ts":"2026-06-13T01:34:38Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/cc09b530b46a73b0d4ddb40e465580cff15db19d77e93e4903c9737647deeb1a","issuerUrl":"https://keycloak.apps.e1c9500a-d053-4ec1-ade2-67efac99f42a.prod.konfluxeaas.com/realms/tenant-a"}
{"level":"info","ts":"2026-06-13T01:34:38Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"cc09b530b46a73b0d4ddb40e465580cff15db19d77e93e4903c9737647deeb1a","namespace":"kuadrant-system"}}
{"level":"debug","ts":"2026-06-13T01:34:38Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"86cbb62fb4d82d4dc402b3281444539a5625c4bb4c86bbc4912c70e690a2e374","namespace":"kuadrant-system"}}
{"level":"debug","ts":"2026-06-13T01:34:38Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"cc09b530b46a73b0d4ddb40e465580cff15db19d77e93e4903c9737647deeb1a","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"False","lastTransitionTime":"2026-06-13T01:34:38Z","reason":"HostsNotLinked","message":"No hosts linked to the resource"},{"type":"Ready","status":"False","lastTransitionTime":"2026-06-13T01:34:38Z","reason":"Reconciling"}],"summary":{"ready":false,"hostsReady":[],"numHostsReady":"0/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":8,"festivalWristbandEnabled":false}}}
{"level":"info","ts":"2026-06-13T01:34:38Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/cc09b530b46a73b0d4ddb40e465580cff15db19d77e93e4903c9737647deeb1a"}
{"level":"debug","ts":"2026-06-13T01:34:38Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/35d34d59676c333235d7c9f02273e0380bb39f27cfd30856fedc0f7c0e5f79aa","issuerUrl":"https://keycloak.apps.e1c9500a-d053-4ec1-ade2-67efac99f42a.prod.konfluxeaas.com/realms/tenant-a"}
{"level":"info","ts":"2026-06-13T01:34:38Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"cc09b530b46a73b0d4ddb40e465580cff15db19d77e93e4903c9737647deeb1a","namespace":"kuadrant-system"}}
{"level":"debug","ts":"2026-06-13T01:34:38Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"80f10756c0e833d16937036ed66f1daf5bef95559ef05a5e852766b97b9bdaef","namespace":"kuadrant-system"}}
{"level":"debug","ts":"2026-06-13T01:34:38Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"cc09b530b46a73b0d4ddb40e465580cff15db19d77e93e4903c9737647deeb1a","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"True","lastTransitionTime":"2026-06-13T01:34:38Z","reason":"HostsLinked"},{"type":"Ready","status":"True","lastTransitionTime":"2026-06-13T01:34:38Z","reason":"Reconciled"}],"summary":{"ready":true,"hostsReady":["cc09b530b46a73b0d4ddb40e465580cff15db19d77e93e4903c9737647deeb1a"],"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":8,"festivalWristbandEnabled":false}}}
{"level":"info","ts":"2026-06-13T01:34:38Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/35d34d59676c333235d7c9f02273e0380bb39f27cfd30856fedc0f7c0e5f79aa"}
{"level":"debug","ts":"2026-06-13T01:34:38Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/86cbb62fb4d82d4dc402b3281444539a5625c4bb4c86bbc4912c70e690a2e374","issuerUrl":"https://keycloak.apps.e1c9500a-d053-4ec1-ade2-67efac99f42a.prod.konfluxeaas.com/realms/tenant-a"}
{"level":"info","ts":"2026-06-13T01:34:38Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"cc09b530b46a73b0d4ddb40e465580cff15db19d77e93e4903c9737647deeb1a","namespace":"kuadrant-system"}}
{"level":"debug","ts":"2026-06-13T01:34:38Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"b1f82c4ba6cc7617f9c0b90067f72f4a25fdc5de2564c14ccb90af534a2905f6","namespace":"kuadrant-system"}}
{"level":"debug","ts":"2026-06-13T01:34:38Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"cc09b530b46a73b0d4ddb40e465580cff15db19d77e93e4903c9737647deeb1a","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"True","lastTransitionTime":"2026-06-13T01:34:38Z","reason":"HostsLinked"},{"type":"Ready","status":"True","lastTransitionTime":"2026-06-13T01:34:38Z","reason":"Reconciled"}],"summary":{"ready":true,"hostsReady":["cc09b530b46a73b0d4ddb40e465580cff15db19d77e93e4903c9737647deeb1a"],"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":8,"festivalWristbandEnabled":false}}}
{"level":"error","ts":"2026-06-13T01:34:38Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"failed to update the resource","authconfig":{"name":"cc09b530b46a73b0d4ddb40e465580cff15db19d77e93e4903c9737647deeb1a","namespace":"kuadrant-system"},"error":"Operation cannot be fulfilled on authconfigs.authorino.kuadrant.io \"cc09b530b46a73b0d4ddb40e465580cff15db19d77e93e4903c9737647deeb1a\": the object has been modified; please apply your changes to the latest version and try again","stacktrace":"github.com/kuadrant/authorino/controllers.(*AuthConfigStatusUpdater).updateAuthConfigStatus\n\t/usr/src/authorino/controllers/auth_config_status_updater.go:162\ngithub.com/kuadrant/authorino/controllers.(*AuthConfigStatusUpdater).Reconcile\n\t/usr/src/authorino/controllers/auth_config_status_updater.go:81\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Reconcile\n\t/opt/app-root/src/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.16.3/pkg/internal/controller/controller.go:119\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).reconcileHandler\n\t/opt/app-root/src/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.16.3/pkg/internal/controller/controller.go:316\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem\n\t/opt/app-root/src/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.16.3/pkg/internal/controller/controller.go:266\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func2.2\n\t/opt/app-root/src/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.16.3/pkg/internal/controller/controller.go:227"}
{"level":"debug","ts":"2026-06-13T01:34:38Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"cc09b530b46a73b0d4ddb40e465580cff15db19d77e93e4903c9737647deeb1a","namespace":"kuadrant-system"}}
{"level":"info","ts":"2026-06-13T01:34:38Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/86cbb62fb4d82d4dc402b3281444539a5625c4bb4c86bbc4912c70e690a2e374"}
{"level":"debug","ts":"2026-06-13T01:34:38Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"cc09b530b46a73b0d4ddb40e465580cff15db19d77e93e4903c9737647deeb1a","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"False","lastTransitionTime":"2026-06-13T01:34:38Z","reason":"HostsNotLinked","message":"No hosts linked to the resource"},{"type":"Ready","status":"False","lastTransitionTime":"2026-06-13T01:34:38Z","reason":"Reconciling"}],"summary":{"ready":false,"hostsReady":[],"numHostsReady":"0/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":8,"festivalWristbandEnabled":false}}}
{"level":"debug","ts":"2026-06-13T01:34:38Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/cc09b530b46a73b0d4ddb40e465580cff15db19d77e93e4903c9737647deeb1a","issuerUrl":"https://keycloak.apps.e1c9500a-d053-4ec1-ade2-67efac99f42a.prod.konfluxeaas.com/realms/tenant-a"}
{"level":"info","ts":"2026-06-13T01:34:38Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"cc09b530b46a73b0d4ddb40e465580cff15db19d77e93e4903c9737647deeb1a","namespace":"kuadrant-system"}}
{"level":"debug","ts":"2026-06-13T01:34:38Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"3dc75fc8307b952a3e873400cf417e90f2861e8a225abec4b22708deb7901db7","namespace":"kuadrant-system"}}
{"level":"debug","ts":"2026-06-13T01:34:38Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"cc09b530b46a73b0d4ddb40e465580cff15db19d77e93e4903c9737647deeb1a","namespace":"kuadrant-system"}}
{"level":"debug","ts":"2026-06-13T01:34:38Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"cc09b530b46a73b0d4ddb40e465580cff15db19d77e93e4903c9737647deeb1a","namespace":"kuadrant-system"}}
{"level":"debug","ts":"2026-06-13T01:34:38Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"edcceb5a2e0cf1edde0fc3ed43068ce5b123a6fdc41949959c2c3b7a5a48bf24","namespace":"kuadrant-system"}}
{"level":"info","ts":"2026-06-13T01:34:38Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/cc09b530b46a73b0d4ddb40e465580cff15db19d77e93e4903c9737647deeb1a"}
{"level":"debug","ts":"2026-06-13T01:34:38Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5","namespace":"kuadrant-system"}}
{"level":"debug","ts":"2026-06-13T01:34:38Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/80f10756c0e833d16937036ed66f1daf5bef95559ef05a5e852766b97b9bdaef","issuerUrl":"https://keycloak.apps.e1c9500a-d053-4ec1-ade2-67efac99f42a.prod.konfluxeaas.com/realms/tenant-a"}
{"level":"debug","ts":"2026-06-13T01:34:38Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"cc09b530b46a73b0d4ddb40e465580cff15db19d77e93e4903c9737647deeb1a","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"True","lastTransitionTime":"2026-06-13T01:34:38Z","reason":"HostsLinked"},{"type":"Ready","status":"True","lastTransitionTime":"2026-06-13T01:34:38Z","reason":"Reconciled"}],"summary":{"ready":true,"hostsReady":["cc09b530b46a73b0d4ddb40e465580cff15db19d77e93e4903c9737647deeb1a"],"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":8,"festivalWristbandEnabled":false}}}
{"level":"info","ts":"2026-06-13T01:34:38Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"cc09b530b46a73b0d4ddb40e465580cff15db19d77e93e4903c9737647deeb1a","namespace":"kuadrant-system"}}
{"level":"debug","ts":"2026-06-13T01:34:38Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"3dd75e19cd66d310c30638e330078972afd6d2d96305f91055bc6a6f363fb8d3","namespace":"kuadrant-system"}}
{"level":"debug","ts":"2026-06-13T01:34:38Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"cc09b530b46a73b0d4ddb40e465580cff15db19d77e93e4903c9737647deeb1a","namespace":"kuadrant-system"}}
{"level":"info","ts":"2026-06-13T01:34:38Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/80f10756c0e833d16937036ed66f1daf5bef95559ef05a5e852766b97b9bdaef"}
{"level":"debug","ts":"2026-06-13T01:34:38Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"c9f2cdb36f800bc8ef8831e6117ec4c6cc521d8cd63b718b7906225d0f25e59f","namespace":"kuadrant-system"}}
{"level":"debug","ts":"2026-06-13T01:34:38Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/b1f82c4ba6cc7617f9c0b90067f72f4a25fdc5de2564c14ccb90af534a2905f6","issuerUrl":"https://keycloak.apps.e1c9500a-d053-4ec1-ade2-67efac99f42a.prod.konfluxeaas.com/realms/tenant-a"}
{"level":"info","ts":"2026-06-13T01:34:38Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/b1f82c4ba6cc7617f9c0b90067f72f4a25fdc5de2564c14ccb90af534a2905f6"}
{"level":"debug","ts":"2026-06-13T01:34:38Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/3dc75fc8307b952a3e873400cf417e90f2861e8a225abec4b22708deb7901db7","issuerUrl":"https://keycloak.apps.e1c9500a-d053-4ec1-ade2-67efac99f42a.prod.konfluxeaas.com/realms/tenant-a"}
{"level":"debug","ts":"2026-06-13T01:34:38Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"d3b195a61a7f24c6bf1fba40f9f2e2565facb6af92e959c1546ac398a9172618","namespace":"kuadrant-system"}}
{"level":"info","ts":"2026-06-13T01:34:38Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/3dc75fc8307b952a3e873400cf417e90f2861e8a225abec4b22708deb7901db7"}
{"level":"debug","ts":"2026-06-13T01:34:38Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/edcceb5a2e0cf1edde0fc3ed43068ce5b123a6fdc41949959c2c3b7a5a48bf24","issuerUrl":"https://keycloak.apps.e1c9500a-d053-4ec1-ade2-67efac99f42a.prod.konfluxeaas.com/realms/tenant-a"}
{"level":"debug","ts":"2026-06-13T01:34:38Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"df733b2c652bfe2458c9e19932b1091e939c1a62178d6879462b3b4f73fca4bb","namespace":"kuadrant-system"}}
{"level":"info","ts":"2026-06-13T01:34:38Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/edcceb5a2e0cf1edde0fc3ed43068ce5b123a6fdc41949959c2c3b7a5a48bf24"}
{"level":"debug","ts":"2026-06-13T01:34:38Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/cc09b530b46a73b0d4ddb40e465580cff15db19d77e93e4903c9737647deeb1a","issuerUrl":"https://keycloak.apps.e1c9500a-d053-4ec1-ade2-67efac99f42a.prod.konfluxeaas.com/realms/tenant-a"}
{"level":"info","ts":"2026-06-13T01:34:38Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/cc09b530b46a73b0d4ddb40e465580cff15db19d77e93e4903c9737647deeb1a"}
{"level":"debug","ts":"2026-06-13T01:34:38Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"01918e70442d2cb18c94316131b0e0a241b4a5d12df5b1e1981a3bef420bbdb5","namespace":"kuadrant-system"}}
{"level":"debug","ts":"2026-06-13T01:34:38Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5","issuerUrl":"https://keycloak.apps.e1c9500a-d053-4ec1-ade2-67efac99f42a.prod.konfluxeaas.com/realms/tenant-a"}
{"level":"info","ts":"2026-06-13T01:34:38Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5"}
{"level":"debug","ts":"2026-06-13T01:34:38Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/3dd75e19cd66d310c30638e330078972afd6d2d96305f91055bc6a6f363fb8d3","issuerUrl":"https://keycloak.apps.e1c9500a-d053-4ec1-ade2-67efac99f42a.prod.konfluxeaas.com/realms/tenant-a"}
{"level":"debug","ts":"2026-06-13T01:34:38Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"a89b0896df0d8cd430f1c81b6eb292ddc044daed393537d009a6330718f58d4b","namespace":"kuadrant-system"}}
{"level":"info","ts":"2026-06-13T01:34:38Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/3dd75e19cd66d310c30638e330078972afd6d2d96305f91055bc6a6f363fb8d3"}
{"level":"debug","ts":"2026-06-13T01:34:38Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/c9f2cdb36f800bc8ef8831e6117ec4c6cc521d8cd63b718b7906225d0f25e59f","issuerUrl":"https://keycloak.apps.e1c9500a-d053-4ec1-ade2-67efac99f42a.prod.konfluxeaas.com/realms/tenant-a"}
{"level":"info","ts":"2026-06-13T01:34:38Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/c9f2cdb36f800bc8ef8831e6117ec4c6cc521d8cd63b718b7906225d0f25e59f"}
{"level":"debug","ts":"2026-06-13T01:34:38Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/d3b195a61a7f24c6bf1fba40f9f2e2565facb6af92e959c1546ac398a9172618","issuerUrl":"https://keycloak.apps.e1c9500a-d053-4ec1-ade2-67efac99f42a.prod.konfluxeaas.com/realms/tenant-a"}
{"level":"debug","ts":"2026-06-13T01:34:38Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"e38d76c6f386f12bc12190c87b39e6e77e182be454f85659a9197c301f2cd9be","namespace":"kuadrant-system"}}
{"level":"info","ts":"2026-06-13T01:34:38Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/d3b195a61a7f24c6bf1fba40f9f2e2565facb6af92e959c1546ac398a9172618"}
{"level":"debug","ts":"2026-06-13T01:34:38Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/df733b2c652bfe2458c9e19932b1091e939c1a62178d6879462b3b4f73fca4bb","issuerUrl":"https://keycloak.apps.e1c9500a-d053-4ec1-ade2-67efac99f42a.prod.konfluxeaas.com/realms/tenant-a"}
{"level":"info","ts":"2026-06-13T01:34:38Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/df733b2c652bfe2458c9e19932b1091e939c1a62178d6879462b3b4f73fca4bb"}
{"level":"debug","ts":"2026-06-13T01:34:38Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"e50f5fdcb9fb7e124557afe69edae9a95d05da488eae1cc4b5c1c7c1220a826a","namespace":"kuadrant-system"}}
{"level":"debug","ts":"2026-06-13T01:34:38Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/01918e70442d2cb18c94316131b0e0a241b4a5d12df5b1e1981a3bef420bbdb5","issuerUrl":"https://keycloak.apps.e1c9500a-d053-4ec1-ade2-67efac99f42a.prod.konfluxeaas.com/realms/tenant-a"}
{"level":"info","ts":"2026-06-13T01:34:38Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/01918e70442d2cb18c94316131b0e0a241b4a5d12df5b1e1981a3bef420bbdb5"}
{"level":"debug","ts":"2026-06-13T01:34:38Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/a89b0896df0d8cd430f1c81b6eb292ddc044daed393537d009a6330718f58d4b","issuerUrl":"https://keycloak.apps.e1c9500a-d053-4ec1-ade2-67efac99f42a.prod.konfluxeaas.com/realms/tenant-a"}
{"level":"debug","ts":"2026-06-13T01:34:38Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d","namespace":"kuadrant-system"}}
{"level":"info","ts":"2026-06-13T01:34:38Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/a89b0896df0d8cd430f1c81b6eb292ddc044daed393537d009a6330718f58d4b"}
{"level":"debug","ts":"2026-06-13T01:34:38Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/e38d76c6f386f12bc12190c87b39e6e77e182be454f85659a9197c301f2cd9be","issuerUrl":"https://keycloak.apps.e1c9500a-d053-4ec1-ade2-67efac99f42a.prod.konfluxeaas.com/realms/tenant-a"}
{"level":"info","ts":"2026-06-13T01:34:38Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/e38d76c6f386f12bc12190c87b39e6e77e182be454f85659a9197c301f2cd9be"}
{"level":"debug","ts":"2026-06-13T01:34:38Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/e50f5fdcb9fb7e124557afe69edae9a95d05da488eae1cc4b5c1c7c1220a826a","issuerUrl":"https://keycloak.apps.e1c9500a-d053-4ec1-ade2-67efac99f42a.prod.konfluxeaas.com/realms/tenant-a"}
{"level":"info","ts":"2026-06-13T01:34:38Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/e50f5fdcb9fb7e124557afe69edae9a95d05da488eae1cc4b5c1c7c1220a826a"}
{"level":"debug","ts":"2026-06-13T01:34:38Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d","issuerUrl":"https://keycloak.apps.e1c9500a-d053-4ec1-ade2-67efac99f42a.prod.konfluxeaas.com/realms/tenant-a"}
{"level":"info","ts":"2026-06-13T01:34:38Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"}
{"level":"info","ts":"2026-06-13T01:34:38Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource de-indexed","authconfig":"kuadrant-system/3efb8e937aa19b5e0bdd0c3eb5b4ece33299385dcfc89205b8934853facbdcf0"}
{"level":"info","ts":"2026-06-13T01:34:38Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource de-indexed","authconfig":"kuadrant-system/2200947db0f3acc41dd3fca21efa06f90c57afddd36d719bdda2dc74a0bd0a11"}
{"level":"info","ts":"2026-06-13T01:35:04Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"63bfc6be-a0b4-42f7-a202-4b4db4897d4c","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.17:42332","PortSpecifier":{"PortValue":42332}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.39:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"63bfc6be-a0b4-42f7-a202-4b4db4897d4c","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.e1c9500a-d053-4ec1-ade2-67efac99f42a.prod.konfluxeaas.com","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-13T01:35:04Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"63bfc6be-a0b4-42f7-a202-4b4db4897d4c","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.17:42332","PortSpecifier":{"PortValue":42332}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.39:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781314504,"nanos":904347194},"http":{"id":"63bfc6be-a0b4-42f7-a202-4b4db4897d4c","method":"POST","headers":{":authority":"maas.apps.e1c9500a-d053-4ec1-ade2-67efac99f42a.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-13T01:35:04Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"63bfc6be-a0b4-42f7-a202-4b4db4897d4c","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781314804,"groups":["Engineering","Project-Alpha"],"iat":1781314504,"iss":"https://keycloak.apps.e1c9500a-d053-4ec1-ade2-67efac99f42a.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:b1b53bde-548d-12f7-1902-782af2785f5d","preferred_username":"alice_lead","scope":"profile email","sid":"0iJT6X9uK6242ksBb3rJwPKS","sub":"157b144c-d04e-4807-afb1-1454f0afd47e","typ":"Bearer"}}
{"level":"debug","ts":"2026-06-13T01:35:04Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"63bfc6be-a0b4-42f7-a202-4b4db4897d4c","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781314804,"groups":["Engineering","Project-Alpha"],"iat":1781314504,"iss":"https://keycloak.apps.e1c9500a-d053-4ec1-ade2-67efac99f42a.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:b1b53bde-548d-12f7-1902-782af2785f5d","preferred_username":"alice_lead","scope":"profile email","sid":"0iJT6X9uK6242ksBb3rJwPKS","sub":"157b144c-d04e-4807-afb1-1454f0afd47e","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.132.0.39:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.e1c9500a-d053-4ec1-ade2-67efac99f42a.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-13T01:35:04Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"63bfc6be-a0b4-42f7-a202-4b4db4897d4c","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-13T01:35:04Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"63bfc6be-a0b4-42f7-a202-4b4db4897d4c","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-13T01:35:04Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"63bfc6be-a0b4-42f7-a202-4b4db4897d4c","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-13T01:35:04Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"63bfc6be-a0b4-42f7-a202-4b4db4897d4c","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"subscription_error","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"userid","Value":{}},{"Name":"groups","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"keyId","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"selected_subscription","Value":{}}]},"Plain":null},"reason":"no such key: metadata"}
{"level":"debug","ts":"2026-06-13T01:35:04Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"63bfc6be-a0b4-42f7-a202-4b4db4897d4c","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"}
{"level":"debug","ts":"2026-06-13T01:35:04Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"63bfc6be-a0b4-42f7-a202-4b4db4897d4c","config":{"Name":"X-MaaS-Tenant-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Tenant","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"opendatahub"}
{"level":"debug","ts":"2026-06-13T01:35:04Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"63bfc6be-a0b4-42f7-a202-4b4db4897d4c","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"}
{"level":"info","ts":"2026-06-13T01:35:04Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"63bfc6be-a0b4-42f7-a202-4b4db4897d4c","authorized":true,"response":"OK"}
{"level":"debug","ts":"2026-06-13T01:35:04Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"63bfc6be-a0b4-42f7-a202-4b4db4897d4c","authorized":true,"response":"OK"}
{"level":"info","ts":"2026-06-13T01:35:05Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"348338e7-02fb-445a-aa9a-799166070755","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.17:42338","PortSpecifier":{"PortValue":42338}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.39:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"348338e7-02fb-445a-aa9a-799166070755","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.e1c9500a-d053-4ec1-ade2-67efac99f42a.prod.konfluxeaas.com","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-13T01:35:05Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"348338e7-02fb-445a-aa9a-799166070755","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.17:42338","PortSpecifier":{"PortValue":42338}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.39:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781314505,"nanos":15386133},"http":{"id":"348338e7-02fb-445a-aa9a-799166070755","method":"POST","headers":{":authority":"maas.apps.e1c9500a-d053-4ec1-ade2-67efac99f42a.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-13T01:35:05Z","logger":"authorino.service.auth.authpipeline.identity","msg":"cannot validate identity","request id":"348338e7-02fb-445a-aa9a-799166070755","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"reason":"failed to verify signature: failed to verify id token signature"}
{"level":"debug","ts":"2026-06-13T01:35:05Z","logger":"authorino.service.auth.authpipeline.identity.kubernetesauth","msg":"calling kubernetes token review api","request id":"348338e7-02fb-445a-aa9a-799166070755","tokenreview":{"name":""}}
{"level":"debug","ts":"2026-06-13T01:35:05Z","logger":"authorino.service.auth.authpipeline.identity","msg":"cannot validate identity","request id":"348338e7-02fb-445a-aa9a-799166070755","config":{"Name":"openshift-identities","Priority":2,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":null,"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"Plain":null,"Noop":null,"ExtendedProperties":[]},"reason":"not authenticated"}
{"level":"info","ts":"2026-06-13T01:35:05Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"348338e7-02fb-445a-aa9a-799166070755","authorized":false,"response":"UNAUTHENTICATED","object":{"code":16,"status":401,"message":"Authentication required"}}
{"level":"debug","ts":"2026-06-13T01:35:05Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"348338e7-02fb-445a-aa9a-799166070755","authorized":false,"response":"UNAUTHENTICATED","object":{"code":16,"status":401,"message":"Authentication required","headers":[{"WWW-Authenticate":"request.headers.authorization realm=\"api-keys\""},{"WWW-Authenticate":"Bearer **** realm=\"openshift-identities\""}]}}
{"level":"info","ts":"2026-06-13T01:35:05Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"3f03aa75-8d5f-4598-82a1-850a76ec1025","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.17:42346","PortSpecifier":{"PortValue":42346}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.39:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"3f03aa75-8d5f-4598-82a1-850a76ec1025","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.e1c9500a-d053-4ec1-ade2-67efac99f42a.prod.konfluxeaas.com","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-13T01:35:05Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"3f03aa75-8d5f-4598-82a1-850a76ec1025","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.17:42346","PortSpecifier":{"PortValue":42346}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.39:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781314505,"nanos":57400839},"http":{"id":"3f03aa75-8d5f-4598-82a1-850a76ec1025","method":"POST","headers":{":authority":"maas.apps.e1c9500a-d053-4ec1-ade2-67efac99f42a.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer","content-length":"35","content-type":"application/json","forwarded":"for=44.212.242.249;host=maas.apps.e1c9500a-d053-4ec1-ade2-67efac99f42a.prod.konfluxeaas.com;proto=https","user-agent":"python-requests/2.32.5","x-envoy-decorator-operation":"maas-api.opendatahub.svc.cluster.local:8443/*","x-envoy-external-address":"10.132.0.17","x-envoy-peer-metadata":"ChoKCkNMVVNURVJfSUQSDBoKS3ViZXJuZXRlcwqLAQoGTEFCRUxTEoABKn4KSwofc2VydmljZS5pc3Rpby5pby9jYW5vbmljYWwtbmFtZRIoGiZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAovCiNzZXJ2aWNlLmlzdGlvLmlvL2Nhbm9uaWNhbC1yZXZpc2lvbhIIGgZsYXRlc3QKQQoETkFNRRI5GjdtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdC04NTU5Y2Q1NzQ0LXBkbmY3CiAKCU5BTUVTUEFDRRITGhFvcGVuc2hpZnQtaW5ncmVzcwp0CgVPV05FUhJrGmlrdWJlcm5ldGVzOi8vYXBpcy9hcHBzL3YxL25hbWVzcGFjZXMvb3BlbnNoaWZ0LWluZ3Jlc3MvZGVwbG95bWVudHMvbWFhcy1kZWZhdWx0LWdhdGV3YXktb3BlbnNoaWZ0LWRlZmF1bHQKOQoNV09SS0xPQURfTkFNRRIoGiZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdA==","x-envoy-peer-metadata-id":"router~10.132.0.39~maas-default-gateway-openshift-default-8559cd5744-pdnf7.openshift-ingress~openshift-ingress.svc.cluster.local","x-forwarded-for":"44.212.242.249,10.132.0.17","x-forwarded-host":"maas.apps.e1c9500a-d053-4ec1-ade2-67efac99f42a.prod.konfluxeaas.com","x-forwarded-port":"443","x-forwarded-proto":"https","x-request-id":"3f03aa75-8d5f-4598-82a1-850a76ec1025"},"path":"/maas-api/v1/api-keys","host":"maas.apps.e1c9500a-d053-4ec1-ade2-67efac99f42a.prod.konfluxeaas.com","scheme":"https","protocol":"HTTP/1.1"}},"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"metadata_context":{}}}
{"level":"debug","ts":"2026-06-13T01:35:05Z","logger":"authorino.service.auth.authpipeline.identity","msg":"cannot validate identity","request id":"3f03aa75-8d5f-4598-82a1-850a76ec1025","config":{"Name":"openshift-identities","Priority":2,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":null,"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"Plain":null,"Noop":null,"ExtendedProperties":[]},"reason":"credential not found"}
{"level":"info","ts":"2026-06-13T01:35:05Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"3f03aa75-8d5f-4598-82a1-850a76ec1025","authorized":false,"response":"UNAUTHENTICATED","object":{"code":16,"status":401,"message":"Authentication required"}}
{"level":"debug","ts":"2026-06-13T01:35:05Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"3f03aa75-8d5f-4598-82a1-850a76ec1025","authorized":false,"response":"UNAUTHENTICATED","object":{"code":16,"status":401,"message":"Authentication required","headers":[{"WWW-Authenticate":"request.headers.authorization realm=\"api-keys\""},{"WWW-Authenticate":"Bearer **** realm=\"openshift-identities\""}]}}
{"level":"info","ts":"2026-06-13T01:35:05Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"aaad54bd-daf6-466a-b404-059c6485ce65","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.17:42352","PortSpecifier":{"PortValue":42352}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.39:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"aaad54bd-daf6-466a-b404-059c6485ce65","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.e1c9500a-d053-4ec1-ade2-67efac99f42a.prod.konfluxeaas.com","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-13T01:35:05Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"aaad54bd-daf6-466a-b404-059c6485ce65","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.17:42352","PortSpecifier":{"PortValue":42352}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.39:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781314505,"nanos":78545785},"http":{"id":"aaad54bd-daf6-466a-b404-059c6485ce65","method":"POST","headers":{":authority":"maas.apps.e1c9500a-d053-4ec1-ade2-67efac99f42a.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","content-length":"36","content-type":"application/json","forwarded":"for=44.212.242.249;host=maas.apps.e1c9500a-d053-4ec1-ade2-67efac99f42a.prod.konfluxeaas.com;proto=https","user-agent":"python-requests/2.32.5","x-envoy-decorator-operation":"maas-api.opendatahub.svc.cluster.local:8443/*","x-envoy-external-address":"10.132.0.17","x-envoy-peer-metadata":"ChoKCkNMVVNURVJfSUQSDBoKS3ViZXJuZXRlcwqLAQoGTEFCRUxTEoABKn4KSwofc2VydmljZS5pc3Rpby5pby9jYW5vbmljYWwtbmFtZRIoGiZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAovCiNzZXJ2aWNlLmlzdGlvLmlvL2Nhbm9uaWNhbC1yZXZpc2lvbhIIGgZsYXRlc3QKQQoETkFNRRI5GjdtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdC04NTU5Y2Q1NzQ0LXBkbmY3CiAKCU5BTUVTUEFDRRITGhFvcGVuc2hpZnQtaW5ncmVzcwp0CgVPV05FUhJrGmlrdWJlcm5ldGVzOi8vYXBpcy9hcHBzL3YxL25hbWVzcGFjZXMvb3BlbnNoaWZ0LWluZ3Jlc3MvZGVwbG95bWVudHMvbWFhcy1kZWZhdWx0LWdhdGV3YXktb3BlbnNoaWZ0LWRlZmF1bHQKOQoNV09SS0xPQURfTkFNRRIoGiZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdA==","x-envoy-peer-metadata-id":"router~10.132.0.39~maas-default-gateway-openshift-default-8559cd5744-pdnf7.openshift-ingress~openshift-ingress.svc.cluster.local","x-forwarded-for":"44.212.242.249,10.132.0.17","x-forwarded-host":"maas.apps.e1c9500a-d053-4ec1-ade2-67efac99f42a.prod.konfluxeaas.com","x-forwarded-port":"443","x-forwarded-proto":"https","x-request-id":"aaad54bd-daf6-466a-b404-059c6485ce65"},"path":"/maas-api/v1/api-keys","host":"maas.apps.e1c9500a-d053-4ec1-ade2-67efac99f42a.prod.konfluxeaas.com","scheme":"https","protocol":"HTTP/1.1"}},"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"metadata_context":{}}}
{"level":"info","ts":"2026-06-13T01:35:05Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"aaad54bd-daf6-466a-b404-059c6485ce65","authorized":false,"response":"UNAUTHENTICATED","object":{"code":16,"status":401,"message":"Authentication required"}}
{"level":"debug","ts":"2026-06-13T01:35:05Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"aaad54bd-daf6-466a-b404-059c6485ce65","authorized":false,"response":"UNAUTHENTICATED","object":{"code":16,"status":401,"message":"Authentication required","headers":[{"WWW-Authenticate":"request.headers.authorization realm=\"api-keys\""},{"WWW-Authenticate":"Bearer **** realm=\"openshift-identities\""}]}}
{"level":"info","ts":"2026-06-13T01:35:05Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"9bba1358-d322-451e-b5b4-7158e55061e3","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.17:42362","PortSpecifier":{"PortValue":42362}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.39:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"9bba1358-d322-451e-b5b4-7158e55061e3","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.e1c9500a-d053-4ec1-ade2-67efac99f42a.prod.konfluxeaas.com","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-13T01:35:05Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"9bba1358-d322-451e-b5b4-7158e55061e3","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.17:42362","PortSpecifier":{"PortValue":42362}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.39:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781314505,"nanos":427385920},"http":{"id":"9bba1358-d322-451e-b5b4-7158e55061e3","method":"POST","headers":{":authority":"maas.apps.e1c9500a-d053-4ec1-ade2-67efac99f42a.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-13T01:35:05Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"9bba1358-d322-451e-b5b4-7158e55061e3","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781314805,"groups":["Site-Reliability"],"iat":1781314505,"iss":"https://keycloak.apps.e1c9500a-d053-4ec1-ade2-67efac99f42a.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:cf164efe-bee3-131b-6480-c28f5a906e57","preferred_username":"bob_sre","scope":"profile email","sid":"57F_btt3c6P_gDh4HS-m6uyW","sub":"fef07910-2b0c-4307-8fc3-89bbddc88a42","typ":"Bearer"}}
{"level":"debug","ts":"2026-06-13T01:35:05Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"9bba1358-d322-451e-b5b4-7158e55061e3","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781314805,"groups":["Site-Reliability"],"iat":1781314505,"iss":"https://keycloak.apps.e1c9500a-d053-4ec1-ade2-67efac99f42a.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:cf164efe-bee3-131b-6480-c28f5a906e57","preferred_username":"bob_sre","scope":"profile email","sid":"57F_btt3c6P_gDh4HS-m6uyW","sub":"fef07910-2b0c-4307-8fc3-89bbddc88a42","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.132.0.39:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.e1c9500a-d053-4ec1-ade2-67efac99f42a.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-13T01:35:05Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"9bba1358-d322-451e-b5b4-7158e55061e3","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-13T01:35:05Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"9bba1358-d322-451e-b5b4-7158e55061e3","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-13T01:35:05Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"9bba1358-d322-451e-b5b4-7158e55061e3","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-13T01:35:05Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"9bba1358-d322-451e-b5b4-7158e55061e3","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"subscription_error","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"userid","Value":{}},{"Name":"groups","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"keyId","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"selected_subscription","Value":{}}]},"Plain":null},"reason":"no such key: metadata"}
{"level":"debug","ts":"2026-06-13T01:35:05Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"9bba1358-d322-451e-b5b4-7158e55061e3","config":{"Name":"X-MaaS-Tenant-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Tenant","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"opendatahub"}
{"level":"debug","ts":"2026-06-13T01:35:05Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"9bba1358-d322-451e-b5b4-7158e55061e3","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Site-Reliability\"]"}
{"level":"debug","ts":"2026-06-13T01:35:05Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"9bba1358-d322-451e-b5b4-7158e55061e3","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"bob_sre"}
{"level":"info","ts":"2026-06-13T01:35:05Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"9bba1358-d322-451e-b5b4-7158e55061e3","authorized":true,"response":"OK"}
{"level":"debug","ts":"2026-06-13T01:35:05Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"9bba1358-d322-451e-b5b4-7158e55061e3","authorized":true,"response":"OK"}
{"level":"info","ts":"2026-06-13T01:35:05Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"3849812c-5ce6-4398-93eb-2019528210fe","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.17:42372","PortSpecifier":{"PortValue":42372}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.39:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"3849812c-5ce6-4398-93eb-2019528210fe","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.e1c9500a-d053-4ec1-ade2-67efac99f42a.prod.konfluxeaas.com","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-13T01:35:05Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"3849812c-5ce6-4398-93eb-2019528210fe","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.17:42372","PortSpecifier":{"PortValue":42372}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.39:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781314505,"nanos":638364751},"http":{"id":"3849812c-5ce6-4398-93eb-2019528210fe","method":"POST","headers":{":authority":"maas.apps.e1c9500a-d053-4ec1-ade2-67efac99f42a.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-13T01:35:05Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"3849812c-5ce6-4398-93eb-2019528210fe","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781314805,"groups":["Engineering","Project-Alpha"],"iat":1781314505,"iss":"https://keycloak.apps.e1c9500a-d053-4ec1-ade2-67efac99f42a.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:31ff8051-61f7-691e-0abc-928a37d6b2a8","preferred_username":"alice_lead","scope":"profile email","sid":"68JqFrPQciVBxtx2TmBBx43t","sub":"157b144c-d04e-4807-afb1-1454f0afd47e","typ":"Bearer"}}
{"level":"debug","ts":"2026-06-13T01:35:05Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"3849812c-5ce6-4398-93eb-2019528210fe","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781314805,"groups":["Engineering","Project-Alpha"],"iat":1781314505,"iss":"https://keycloak.apps.e1c9500a-d053-4ec1-ade2-67efac99f42a.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:31ff8051-61f7-691e-0abc-928a37d6b2a8","preferred_username":"alice_lead","scope":"profile email","sid":"68JqFrPQciVBxtx2TmBBx43t","sub":"157b144c-d04e-4807-afb1-1454f0afd47e","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.132.0.39:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.e1c9500a-d053-4ec1-ade2-67efac99f42a.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-13T01:35:05Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"3849812c-5ce6-4398-93eb-2019528210fe","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-13T01:35:05Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"3849812c-5ce6-4398-93eb-2019528210fe","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-13T01:35:05Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"3849812c-5ce6-4398-93eb-2019528210fe","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-13T01:35:05Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"3849812c-5ce6-4398-93eb-2019528210fe","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"subscription_error","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"userid","Value":{}},{"Name":"groups","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"keyId","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"selected_subscription","Value":{}}]},"Plain":null},"reason":"no such key: metadata"}
{"level":"debug","ts":"2026-06-13T01:35:05Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"3849812c-5ce6-4398-93eb-2019528210fe","config":{"Name":"X-MaaS-Tenant-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Tenant","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"opendatahub"}
{"level":"debug","ts":"2026-06-13T01:35:05Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"3849812c-5ce6-4398-93eb-2019528210fe","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"}
{"level":"debug","ts":"2026-06-13T01:35:05Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"3849812c-5ce6-4398-93eb-2019528210fe","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"}
{"level":"info","ts":"2026-06-13T01:35:05Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"3849812c-5ce6-4398-93eb-2019528210fe","authorized":true,"response":"OK"}
{"level":"debug","ts":"2026-06-13T01:35:05Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"3849812c-5ce6-4398-93eb-2019528210fe","authorized":true,"response":"OK"}
{"level":"info","ts":"2026-06-13T01:35:05Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"70e9b931-2afb-4a16-9214-71a8aabb7477","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.17:42382","PortSpecifier":{"PortValue":42382}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.39:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"70e9b931-2afb-4a16-9214-71a8aabb7477","method":"GET","path":"/maas-api/v1/models","host":"maas.apps.e1c9500a-d053-4ec1-ade2-67efac99f42a.prod.konfluxeaas.com","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-13T01:35:05Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"70e9b931-2afb-4a16-9214-71a8aabb7477","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.17:42382","PortSpecifier":{"PortValue":42382}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.39:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781314505,"nanos":666495856},"http":{"id":"70e9b931-2afb-4a16-9214-71a8aabb7477","method":"GET","headers":{":authority":"maas.apps.e1c9500a-d053-4ec1-ade2-67efac99f42a.prod.konfluxeaas.com",":method":"GET",":path":"/maas-api/v1/models",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-13T01:35:05Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"70e9b931-2afb-4a16-9214-71a8aabb7477","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-16wFEgFTNkXAlNglL_pXzyMW8n1bTLZoFmu52ZC4xOreQNyLjYPxPRVmAXpHq"}
{"level":"debug","ts":"2026-06-13T01:35:05Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"70e9b931-2afb-4a16-9214-71a8aabb7477","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-16wFEgFTNkXAlNglL_pXzyMW8n1bTLZoFmu52ZC4xOreQNyLjYPxPRVmAXpHq\"}"}
{"level":"debug","ts":"2026-06-13T01:35:05Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"70e9b931-2afb-4a16-9214-71a8aabb7477","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-13T01:35:05Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"70e9b931-2afb-4a16-9214-71a8aabb7477","input":{"auth":{"identity":"Bearer **** deflate","authorization":"Bearer **** deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-13T01:35:05Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"70e9b931-2afb-4a16-9214-71a8aabb7477","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-13T01:35:05Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"70e9b931-2afb-4a16-9214-71a8aabb7477","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-13T01:35:05Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"70e9b931-2afb-4a16-9214-71a8aabb7477","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-13T01:35:05Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"70e9b931-2afb-4a16-9214-71a8aabb7477","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-13T01:35:05Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"70e9b931-2afb-4a16-9214-71a8aabb7477","config":{"Name":"X-MaaS-Tenant","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-13T01:35:05Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"70e9b931-2afb-4a16-9214-71a8aabb7477","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-13T01:35:05Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"70e9b931-2afb-4a16-9214-71a8aabb7477","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"subscription_error","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"userid","Value":{}},{"Name":"groups","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"keyId","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"selected_subscription","Value":{}}]},"Plain":null},"reason":"no such key: subscription-info"}
{"level":"debug","ts":"2026-06-13T01:35:05Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"70e9b931-2afb-4a16-9214-71a8aabb7477","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"}
{"level":"info","ts":"2026-06-13T01:35:05Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"70e9b931-2afb-4a16-9214-71a8aabb7477","authorized":true,"response":"OK"}
{"level":"debug","ts":"2026-06-13T01:35:05Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"70e9b931-2afb-4a16-9214-71a8aabb7477","authorized":true,"response":"OK"}
{"level":"info","ts":"2026-06-13T01:35:05Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"0cf3bf71-ac70-4ba4-a62a-1abc9de11c64","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.25:44198","PortSpecifier":{"PortValue":44198}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.39:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"0cf3bf71-ac70-4ba4-a62a-1abc9de11c64","method":"GET","path":"/llm/facebook-opt-125m-simulated/v1/models","host":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-13T01:35:05Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"0cf3bf71-ac70-4ba4-a62a-1abc9de11c64","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.25:44198","PortSpecifier":{"PortValue":44198}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.39:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781314505,"nanos":683814647},"http":{"id":"0cf3bf71-ac70-4ba4-a62a-1abc9de11c64","method":"GET","headers":{":authority":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local",":method":"GET",":path":"/llm/facebook-opt-125m-simulated/v1/models",":scheme":"https","accept-encoding":"gzip","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-13T01:35:05Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"0cf3bf71-ac70-4ba4-a62a-1abc9de11c64","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-16wFEgFTNkXAlNglL_pXzyMW8n1bTLZoFmu52ZC4xOreQNyLjYPxPRVmAXpHq"}
{"level":"debug","ts":"2026-06-13T01:35:05Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"0cf3bf71-ac70-4ba4-a62a-1abc9de11c64","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-16wFEgFTNkXAlNglL_pXzyMW8n1bTLZoFmu52ZC4xOreQNyLjYPxPRVmAXpHq\"}"}
{"level":"debug","ts":"2026-06-13T01:35:05Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"0cf3bf71-ac70-4ba4-a62a-1abc9de11c64","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-13T01:35:05Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"0cf3bf71-ac70-4ba4-a62a-1abc9de11c64","config":"subscription-info","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","headers":{"Content-Type":["application/json"]},"body":"{\"groups\":[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"],\"requestedModel\":\"llm/facebook-opt-125m-simulated\",\"requestedSubscription\":\"simulator-subscription\",\"username\":\"alice_lead\"}"}
{"level":"debug","ts":"2026-06-13T01:35:05Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"0cf3bf71-ac70-4ba4-a62a-1abc9de11c64","config":{"Name":"subscription-info","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"UserInfo":null,"UMA":null,"GenericHTTP":{"Endpoint":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","DynamicEndpoint":null,"Method":"POST","Body":{},"Parameters":[],"Headers":[],"ContentType":"application/json","SharedSecret":"","OAuth2":null,"OAuth2TokenForceFetch":false,"AuthCredentials":null}},"object":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}}
{"level":"debug","ts":"2026-06-13T01:35:05Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"0cf3bf71-ac70-4ba4-a62a-1abc9de11c64","input":{"auth":{"identity":"Bearer **** subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}}},"context":{"context_extensions":{"host":"3dd75e19cd66d310c30638e330078972afd6d2d96305f91055bc6a6f363fb8d3"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.132.0.39:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local",":method":"GET",":path":"/llm/facebook-opt-125m-simulated/v1/models",":scheme":"https","accept-encoding":"gzip","authorization":"Bearer **** sk-oai-16wFEgFTNkXAlNglL_pXzyMW8n1bTLZoFmu52ZC4xOreQNyLjYPxPRVmAXpHq","user-agent":"Go-http-client/1.1","x-envoy-decorator-operation":"facebook-opt-125m-simulated-kserve-workload-svc.llm.svc.cluster.local:8000/*","x-envoy-external-address":"10.134.0.25","x-envoy-peer-metadata":"ChoKCkNMVVNURVJfSUQSDBoKS3ViZXJuZXRlcwqLAQoGTEFCRUxTEoABKn4KSwofc2VydmljZS5pc3Rpby5pby9jYW5vbmljYWwtbmFtZRIoGiZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAovCiNzZXJ2aWNlLmlzdGlvLmlvL2Nhbm9uaWNhbC1yZXZpc2lvbhIIGgZsYXRlc3QKQQoETkFNRRI5GjdtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdC04NTU5Y2Q1NzQ0LXBkbmY3CiAKCU5BTUVTUEFDRRITGhFvcGVuc2hpZnQtaW5ncmVzcwp0CgVPV05FUhJrGmlrdWJlcm5ldGVzOi8vYXBpcy9hcHBzL3YxL25hbWVzcGFjZXMvb3BlbnNoaWZ0LWluZ3Jlc3MvZGVwbG95bWVudHMvbWFhcy1kZWZhdWx0LWdhdGV3YXktb3BlbnNoaWZ0LWRlZmF1bHQKOQoNV09SS0xPQURfTkFNRRIoGiZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdA==","x-envoy-peer-metadata-id":"router~10.132.0.39~maas-default-gateway-openshift-default-8559cd5744-pdnf7.openshift-ingress~openshift-ingress.svc.cluster.local","x-forwarded-for":"10.134.0.25","x-forwarded-proto":"https","x-maas-subscription":"simulator-subscription","x-request-id":"0cf3bf71-ac70-4ba4-a62a-1abc9de11c64"},"host":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local","id":"0cf3bf71-ac70-4ba4-a62a-1abc9de11c64","method":"GET","path":"/llm/facebook-opt-125m-simulated/v1/models","protocol":"HTTP/1.1","scheme":"https","time":{"nanos":683814647,"seconds":1781314505},"url_path":"/llm/facebook-opt-125m-simulated/v1/models","user_agent":"Go-http-client/1.1"},"source":{"address":"10.134.0.25:44198","port":44198}}}
{"level":"debug","ts":"2026-06-13T01:35:05Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"0cf3bf71-ac70-4ba4-a62a-1abc9de11c64","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-13T01:35:05Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"0cf3bf71-ac70-4ba4-a62a-1abc9de11c64","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-13T01:35:05Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"0cf3bf71-ac70-4ba4-a62a-1abc9de11c64","config":{"Name":"subscription-valid","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-13T01:35:05Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"0cf3bf71-ac70-4ba4-a62a-1abc9de11c64","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-13T01:35:05Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"0cf3bf71-ac70-4ba4-a62a-1abc9de11c64","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-13T01:35:05Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"0cf3bf71-ac70-4ba4-a62a-1abc9de11c64","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-13T01:35:05Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"0cf3bf71-ac70-4ba4-a62a-1abc9de11c64","config":{"Name":"X-MaaS-Tenant","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-13T01:35:05Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"0cf3bf71-ac70-4ba4-a62a-1abc9de11c64","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"}
{"level":"debug","ts":"2026-06-13T01:35:05Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"0cf3bf71-ac70-4ba4-a62a-1abc9de11c64","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"keyId","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"userid","Value":{}},{"Name":"groups","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"subscription_error","Value":{}}]},"Plain":null},"object":{"groups":["system:authenticated","Engineering","Project-Alpha"],"groups_str":"system:authenticated,Engineering,Project-Alpha","keyId":"08b7168d-6698-442b-9aad-f7da89eed8eb","selected_subscription":"simulator-subscription","selected_subscription_key":"models-as-a-service/simulator-subscription@llm/facebook-opt-125m-simulated","subscription_error":"","subscription_error_message":"","subscription_info":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true},"userid":"alice_lead"}}
{"level":"info","ts":"2026-06-13T01:35:05Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"0cf3bf71-ac70-4ba4-a62a-1abc9de11c64","authorized":true,"response":"OK"}
{"level":"debug","ts":"2026-06-13T01:35:05Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"0cf3bf71-ac70-4ba4-a62a-1abc9de11c64","authorized":true,"response":"OK"}
{"level":"info","ts":"2026-06-13T01:35:05Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"82ef3a18-9046-438f-9ee6-9f1d2674796f","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.17:42384","PortSpecifier":{"PortValue":42384}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.39:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"82ef3a18-9046-438f-9ee6-9f1d2674796f","method":"POST","path":"/llm/facebook-opt-125m-simulated/v1/chat/completions","host":"maas.apps.e1c9500a-d053-4ec1-ade2-67efac99f42a.prod.konfluxeaas.com","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-13T01:35:05Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"82ef3a18-9046-438f-9ee6-9f1d2674796f","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.17:42384","PortSpecifier":{"PortValue":42384}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.39:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781314505,"nanos":717915891},"http":{"id":"82ef3a18-9046-438f-9ee6-9f1d2674796f","method":"POST","headers":{":authority":"maas.apps.e1c9500a-d053-4ec1-ade2-67efac99f42a.prod.konfluxeaas.com",":method":"POST",":path":"/llm/facebook-opt-125m-simulated/v1/chat/completions",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-13T01:35:05Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"82ef3a18-9046-438f-9ee6-9f1d2674796f","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-16wFEgFTNkXAlNglL_pXzyMW8n1bTLZoFmu52ZC4xOreQNyLjYPxPRVmAXpHq"}
{"level":"debug","ts":"2026-06-13T01:35:05Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"82ef3a18-9046-438f-9ee6-9f1d2674796f","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-16wFEgFTNkXAlNglL_pXzyMW8n1bTLZoFmu52ZC4xOreQNyLjYPxPRVmAXpHq\"}"}
{"level":"debug","ts":"2026-06-13T01:35:05Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"82ef3a18-9046-438f-9ee6-9f1d2674796f","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-13T01:35:05Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"82ef3a18-9046-438f-9ee6-9f1d2674796f","config":"subscription-info","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","headers":{"Content-Type":["application/json"]},"body":"{\"groups\":[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"],\"requestedModel\":\"llm/facebook-opt-125m-simulated\",\"requestedSubscription\":\"simulator-subscription\",\"username\":\"alice_lead\"}"}
{"level":"debug","ts":"2026-06-13T01:35:05Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"82ef3a18-9046-438f-9ee6-9f1d2674796f","config":{"Name":"subscription-info","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"UserInfo":null,"UMA":null,"GenericHTTP":{"Endpoint":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","DynamicEndpoint":null,"Method":"POST","Body":{},"Parameters":[],"Headers":[],"ContentType":"application/json","SharedSecret":"","OAuth2":null,"OAuth2TokenForceFetch":false,"AuthCredentials":null}},"object":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}}
{"level":"debug","ts":"2026-06-13T01:35:05Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"82ef3a18-9046-438f-9ee6-9f1d2674796f","input":{"auth":{"identity":"Bearer **** subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}}},"context":{"context_extensions":{"host":"18e32965997cdd9967355c6fa5264ed12c0a215989d459ed88d7d6de02865f76"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.132.0.39:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.e1c9500a-d053-4ec1-ade2-67efac99f42a.prod.konfluxeaas.com",":method":"POST",":path":"/llm/facebook-opt-125m-simulated/v1/chat/completions",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-13T01:35:05Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"82ef3a18-9046-438f-9ee6-9f1d2674796f","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-13T01:35:05Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"82ef3a18-9046-438f-9ee6-9f1d2674796f","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-13T01:35:05Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"82ef3a18-9046-438f-9ee6-9f1d2674796f","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-13T01:35:05Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"82ef3a18-9046-438f-9ee6-9f1d2674796f","config":{"Name":"subscription-valid","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-13T01:35:05Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"82ef3a18-9046-438f-9ee6-9f1d2674796f","config":{"Name":"X-MaaS-Tenant","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-13T01:35:05Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"82ef3a18-9046-438f-9ee6-9f1d2674796f","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-13T01:35:05Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"82ef3a18-9046-438f-9ee6-9f1d2674796f","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-13T01:35:05Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"82ef3a18-9046-438f-9ee6-9f1d2674796f","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"}
{"level":"debug","ts":"2026-06-13T01:35:05Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"82ef3a18-9046-438f-9ee6-9f1d2674796f","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"selected_subscription_key","Value":{}},{"Name":"userid","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"groups","Value":{}},{"Name":"keyId","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"subscription_error_message","Value":{}}]},"Plain":null},"object":{"groups":["system:authenticated","Engineering","Project-Alpha"],"groups_str":"system:authenticated,Engineering,Project-Alpha","keyId":"08b7168d-6698-442b-9aad-f7da89eed8eb","selected_subscription":"simulator-subscription","selected_subscription_key":"models-as-a-service/simulator-subscription@llm/facebook-opt-125m-simulated","subscription_error":"","subscription_error_message":"","subscription_info":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true},"userid":"alice_lead"}}
{"level":"info","ts":"2026-06-13T01:35:05Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"82ef3a18-9046-438f-9ee6-9f1d2674796f","authorized":true,"response":"OK"}
{"level":"debug","ts":"2026-06-13T01:35:05Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"82ef3a18-9046-438f-9ee6-9f1d2674796f","authorized":true,"response":"OK"}
{"level":"info","ts":"2026-06-13T01:35:05Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"9239d0ba-e619-4093-ae1b-a06bb10c3a36","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.17:42388","PortSpecifier":{"PortValue":42388}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.39:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"9239d0ba-e619-4093-ae1b-a06bb10c3a36","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.e1c9500a-d053-4ec1-ade2-67efac99f42a.prod.konfluxeaas.com","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-13T01:35:05Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"9239d0ba-e619-4093-ae1b-a06bb10c3a36","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.17:42388","PortSpecifier":{"PortValue":42388}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.39:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781314505,"nanos":816466416},"http":{"id":"9239d0ba-e619-4093-ae1b-a06bb10c3a36","method":"POST","headers":{":authority":"maas.apps.e1c9500a-d053-4ec1-ade2-67efac99f42a.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-13T01:35:05Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"9239d0ba-e619-4093-ae1b-a06bb10c3a36","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781314805,"groups":["Engineering","Project-Alpha"],"iat":1781314505,"iss":"https://keycloak.apps.e1c9500a-d053-4ec1-ade2-67efac99f42a.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:c7444bf5-a086-83d0-1958-6e44ec2a2800","preferred_username":"alice_lead","scope":"profile email","sid":"L7lv6axLoL5Vh3dTvtfC4KMN","sub":"157b144c-d04e-4807-afb1-1454f0afd47e","typ":"Bearer"}}
{"level":"debug","ts":"2026-06-13T01:35:05Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"9239d0ba-e619-4093-ae1b-a06bb10c3a36","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781314805,"groups":["Engineering","Project-Alpha"],"iat":1781314505,"iss":"https://keycloak.apps.e1c9500a-d053-4ec1-ade2-67efac99f42a.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:c7444bf5-a086-83d0-1958-6e44ec2a2800","preferred_username":"alice_lead","scope":"profile email","sid":"L7lv6axLoL5Vh3dTvtfC4KMN","sub":"157b144c-d04e-4807-afb1-1454f0afd47e","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.132.0.39:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.e1c9500a-d053-4ec1-ade2-67efac99f42a.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-13T01:35:05Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"9239d0ba-e619-4093-ae1b-a06bb10c3a36","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-13T01:35:05Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"9239d0ba-e619-4093-ae1b-a06bb10c3a36","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-13T01:35:05Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"9239d0ba-e619-4093-ae1b-a06bb10c3a36","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-13T01:35:05Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"9239d0ba-e619-4093-ae1b-a06bb10c3a36","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"subscription_error","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"userid","Value":{}},{"Name":"groups","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"keyId","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"selected_subscription","Value":{}}]},"Plain":null},"reason":"no such key: metadata"}
{"level":"debug","ts":"2026-06-13T01:35:05Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"9239d0ba-e619-4093-ae1b-a06bb10c3a36","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"}
{"level":"debug","ts":"2026-06-13T01:35:05Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"9239d0ba-e619-4093-ae1b-a06bb10c3a36","config":{"Name":"X-MaaS-Tenant-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Tenant","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"opendatahub"}
{"level":"debug","ts":"2026-06-13T01:35:05Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"9239d0ba-e619-4093-ae1b-a06bb10c3a36","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"}
{"level":"info","ts":"2026-06-13T01:35:05Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"9239d0ba-e619-4093-ae1b-a06bb10c3a36","authorized":true,"response":"OK"}
{"level":"debug","ts":"2026-06-13T01:35:05Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"9239d0ba-e619-4093-ae1b-a06bb10c3a36","authorized":true,"response":"OK"}
{"level":"info","ts":"2026-06-13T01:35:05Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"9ef210d8-3f7d-4f61-9212-234e719a7c26","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.17:42404","PortSpecifier":{"PortValue":42404}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.39:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"9ef210d8-3f7d-4f61-9212-234e719a7c26","method":"DELETE","path":"/maas-api/v1/api-keys/aec8d0a3-6e35-4ca8-9c0c-e97f5de47c4a","host":"maas.apps.e1c9500a-d053-4ec1-ade2-67efac99f42a.prod.konfluxeaas.com","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-13T01:35:05Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"9ef210d8-3f7d-4f61-9212-234e719a7c26","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.17:42404","PortSpecifier":{"PortValue":42404}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.39:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781314505,"nanos":844556124},"http":{"id":"9ef210d8-3f7d-4f61-9212-234e719a7c26","method":"DELETE","headers":{":authority":"maas.apps.e1c9500a-d053-4ec1-ade2-67efac99f42a.prod.konfluxeaas.com",":method":"DELETE",":path":"/maas-api/v1/api-keys/aec8d0a3-6e35-4ca8-9c0c-e97f5de47c4a",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-13T01:35:05Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"9ef210d8-3f7d-4f61-9212-234e719a7c26","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781314805,"groups":["Engineering","Project-Alpha"],"iat":1781314505,"iss":"https://keycloak.apps.e1c9500a-d053-4ec1-ade2-67efac99f42a.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:c7444bf5-a086-83d0-1958-6e44ec2a2800","preferred_username":"alice_lead","scope":"profile email","sid":"L7lv6axLoL5Vh3dTvtfC4KMN","sub":"157b144c-d04e-4807-afb1-1454f0afd47e","typ":"Bearer"}}
{"level":"debug","ts":"2026-06-13T01:35:05Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"9ef210d8-3f7d-4f61-9212-234e719a7c26","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781314805,"groups":["Engineering","Project-Alpha"],"iat":1781314505,"iss":"https://keycloak.apps.e1c9500a-d053-4ec1-ade2-67efac99f42a.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:c7444bf5-a086-83d0-1958-6e44ec2a2800","preferred_username":"alice_lead","scope":"profile email","sid":"L7lv6axLoL5Vh3dTvtfC4KMN","sub":"157b144c-d04e-4807-afb1-1454f0afd47e","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.132.0.39:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.e1c9500a-d053-4ec1-ade2-67efac99f42a.prod.konfluxeaas.com",":method":"DELETE",":path":"/maas-api/v1/api-keys/aec8d0a3-6e35-4ca8-9c0c-e97f5de47c4a",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-13T01:35:05Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"9ef210d8-3f7d-4f61-9212-234e719a7c26","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-13T01:35:05Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"9ef210d8-3f7d-4f61-9212-234e719a7c26","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-13T01:35:05Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"9ef210d8-3f7d-4f61-9212-234e719a7c26","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-13T01:35:05Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"9ef210d8-3f7d-4f61-9212-234e719a7c26","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"subscription_error","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"userid","Value":{}},{"Name":"groups","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"keyId","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"selected_subscription","Value":{}}]},"Plain":null},"reason":"no such key: metadata"}
{"level":"debug","ts":"2026-06-13T01:35:05Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"9ef210d8-3f7d-4f61-9212-234e719a7c26","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"}
{"level":"debug","ts":"2026-06-13T01:35:05Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"9ef210d8-3f7d-4f61-9212-234e719a7c26","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"}
{"level":"debug","ts":"2026-06-13T01:35:05Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"9ef210d8-3f7d-4f61-9212-234e719a7c26","config":{"Name":"X-MaaS-Tenant-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Tenant","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"opendatahub"}
{"level":"info","ts":"2026-06-13T01:35:05Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"9ef210d8-3f7d-4f61-9212-234e719a7c26","authorized":true,"response":"OK"}
{"level":"debug","ts":"2026-06-13T01:35:05Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"9ef210d8-3f7d-4f61-9212-234e719a7c26","authorized":true,"response":"OK"}
{"level":"info","ts":"2026-06-13T01:35:08Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"eccd2397-0970-4c7d-acad-978e29d3ca0a","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.17:59704","PortSpecifier":{"PortValue":59704}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.39:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"eccd2397-0970-4c7d-acad-978e29d3ca0a","method":"GET","path":"/maas-api/v1/models","host":"maas.apps.e1c9500a-d053-4ec1-ade2-67efac99f42a.prod.konfluxeaas.com","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-13T01:35:08Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"eccd2397-0970-4c7d-acad-978e29d3ca0a","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.17:59704","PortSpecifier":{"PortValue":59704}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.39:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781314508,"nanos":879659656},"http":{"id":"eccd2397-0970-4c7d-acad-978e29d3ca0a","method":"GET","headers":{":authority":"maas.apps.e1c9500a-d053-4ec1-ade2-67efac99f42a.prod.konfluxeaas.com",":method":"GET",":path":"/maas-api/v1/models",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-13T01:35:08Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"eccd2397-0970-4c7d-acad-978e29d3ca0a","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-orw6bsvUduDM2nzj_PaOs6rbvqvoflCyoE5UTpdS1TuvjOghFufZerV6JyJx"}
{"level":"debug","ts":"2026-06-13T01:35:08Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"eccd2397-0970-4c7d-acad-978e29d3ca0a","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-orw6bsvUduDM2nzj_PaOs6rbvqvoflCyoE5UTpdS1TuvjOghFufZerV6JyJx\"}"}
{"level":"debug","ts":"2026-06-13T01:35:08Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"eccd2397-0970-4c7d-acad-978e29d3ca0a","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** revoked or expired","valid":false}}
{"level":"debug","ts":"2026-06-13T01:35:08Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"eccd2397-0970-4c7d-acad-978e29d3ca0a","input":{"auth":{"identity":"Bearer **** revoked or expired","valid":false}}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.132.0.39:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.e1c9500a-d053-4ec1-ade2-67efac99f42a.prod.konfluxeaas.com",":method":"GET",":path":"/maas-api/v1/models",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-13T01:35:08Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"eccd2397-0970-4c7d-acad-978e29d3ca0a","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-13T01:35:08Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access denied","request id":"eccd2397-0970-4c7d-acad-978e29d3ca0a","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"reason":"Unauthorized"}
{"level":"info","ts":"2026-06-13T01:35:08Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"eccd2397-0970-4c7d-acad-978e29d3ca0a","authorized":false,"response":"PERMISSION_DENIED","object":{"code":7,"status":403,"message":"Unauthorized"}}
{"level":"debug","ts":"2026-06-13T01:35:08Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"eccd2397-0970-4c7d-acad-978e29d3ca0a","authorized":false,"response":"PERMISSION_DENIED","object":{"code":7,"status":403,"message":"Unauthorized","headers":[{"x-ext-auth-reason":""},{"content-type":"text/plain"}]}}
{"level":"info","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"b6e8c54d-0d8c-4ba1-980c-896bb1e4f86c","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.17:59718","PortSpecifier":{"PortValue":59718}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.39:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"b6e8c54d-0d8c-4ba1-980c-896bb1e4f86c","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.e1c9500a-d053-4ec1-ade2-67efac99f42a.prod.konfluxeaas.com","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"b6e8c54d-0d8c-4ba1-980c-896bb1e4f86c","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.17:59718","PortSpecifier":{"PortValue":59718}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.39:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781314509,"nanos":6897759},"http":{"id":"b6e8c54d-0d8c-4ba1-980c-896bb1e4f86c","method":"POST","headers":{":authority":"maas.apps.e1c9500a-d053-4ec1-ade2-67efac99f42a.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth.authpipeline.identity","msg":"cannot validate identity","request id":"b6e8c54d-0d8c-4ba1-980c-896bb1e4f86c","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"reason":"failed to verify signature: failed to verify id token signature"}
{"level":"debug","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth.authpipeline.identity.kubernetesauth","msg":"calling kubernetes token review api","request id":"b6e8c54d-0d8c-4ba1-980c-896bb1e4f86c","tokenreview":{"name":""}}
{"level":"debug","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth.authpipeline.identity","msg":"cannot validate identity","request id":"b6e8c54d-0d8c-4ba1-980c-896bb1e4f86c","config":{"Name":"openshift-identities","Priority":2,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":null,"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"Plain":null,"Noop":null,"ExtendedProperties":[]},"reason":"not authenticated"}
{"level":"info","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"b6e8c54d-0d8c-4ba1-980c-896bb1e4f86c","authorized":false,"response":"UNAUTHENTICATED","object":{"code":16,"status":401,"message":"Authentication required"}}
{"level":"debug","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"b6e8c54d-0d8c-4ba1-980c-896bb1e4f86c","authorized":false,"response":"UNAUTHENTICATED","object":{"code":16,"status":401,"message":"Authentication required","headers":[{"WWW-Authenticate":"request.headers.authorization realm=\"api-keys\""},{"WWW-Authenticate":"Bearer **** realm=\"openshift-identities\""}]}}
{"level":"info","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"2ab53151-42ef-49d9-8687-08a4cdf508fc","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.17:59720","PortSpecifier":{"PortValue":59720}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.39:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"2ab53151-42ef-49d9-8687-08a4cdf508fc","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.e1c9500a-d053-4ec1-ade2-67efac99f42a.prod.konfluxeaas.com","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"2ab53151-42ef-49d9-8687-08a4cdf508fc","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.17:59720","PortSpecifier":{"PortValue":59720}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.39:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781314509,"nanos":165565915},"http":{"id":"2ab53151-42ef-49d9-8687-08a4cdf508fc","method":"POST","headers":{":authority":"maas.apps.e1c9500a-d053-4ec1-ade2-67efac99f42a.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"2ab53151-42ef-49d9-8687-08a4cdf508fc","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781314809,"groups":["Engineering","Project-Alpha"],"iat":1781314509,"iss":"https://keycloak.apps.e1c9500a-d053-4ec1-ade2-67efac99f42a.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:db13d3e1-3587-d529-f929-8807caceea6e","preferred_username":"alice_lead","scope":"profile email","sid":"ww3CHBYM5PyjCgahQ0wORfB_","sub":"157b144c-d04e-4807-afb1-1454f0afd47e","typ":"Bearer"}}
{"level":"debug","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"2ab53151-42ef-49d9-8687-08a4cdf508fc","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781314809,"groups":["Engineering","Project-Alpha"],"iat":1781314509,"iss":"https://keycloak.apps.e1c9500a-d053-4ec1-ade2-67efac99f42a.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:db13d3e1-3587-d529-f929-8807caceea6e","preferred_username":"alice_lead","scope":"profile email","sid":"ww3CHBYM5PyjCgahQ0wORfB_","sub":"157b144c-d04e-4807-afb1-1454f0afd47e","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.132.0.39:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.e1c9500a-d053-4ec1-ade2-67efac99f42a.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"2ab53151-42ef-49d9-8687-08a4cdf508fc","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"2ab53151-42ef-49d9-8687-08a4cdf508fc","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"2ab53151-42ef-49d9-8687-08a4cdf508fc","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"2ab53151-42ef-49d9-8687-08a4cdf508fc","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"subscription_error","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"userid","Value":{}},{"Name":"groups","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"keyId","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"selected_subscription","Value":{}}]},"Plain":null},"reason":"no such key: metadata"}
{"level":"debug","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"2ab53151-42ef-49d9-8687-08a4cdf508fc","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"}
{"level":"debug","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"2ab53151-42ef-49d9-8687-08a4cdf508fc","config":{"Name":"X-MaaS-Tenant-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Tenant","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"opendatahub"}
{"level":"debug","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"2ab53151-42ef-49d9-8687-08a4cdf508fc","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"}
{"level":"info","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"2ab53151-42ef-49d9-8687-08a4cdf508fc","authorized":true,"response":"OK"}
{"level":"debug","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"2ab53151-42ef-49d9-8687-08a4cdf508fc","authorized":true,"response":"OK"}
{"level":"info","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"c0598543-e0d8-495d-8b53-328bf9ff0276","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.17:59730","PortSpecifier":{"PortValue":59730}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.39:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"c0598543-e0d8-495d-8b53-328bf9ff0276","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.e1c9500a-d053-4ec1-ade2-67efac99f42a.prod.konfluxeaas.com","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"c0598543-e0d8-495d-8b53-328bf9ff0276","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.17:59730","PortSpecifier":{"PortValue":59730}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.39:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781314509,"nanos":194319990},"http":{"id":"c0598543-e0d8-495d-8b53-328bf9ff0276","method":"POST","headers":{":authority":"maas.apps.e1c9500a-d053-4ec1-ade2-67efac99f42a.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"c0598543-e0d8-495d-8b53-328bf9ff0276","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781314809,"groups":["Site-Reliability"],"iat":1781314509,"iss":"https://keycloak.apps.e1c9500a-d053-4ec1-ade2-67efac99f42a.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:f6f821bc-66c5-e051-3eb2-f322c26bb6d7","preferred_username":"bob_sre","scope":"profile email","sid":"3a5t_4vQYG0KNXS8oC2pOXql","sub":"fef07910-2b0c-4307-8fc3-89bbddc88a42","typ":"Bearer"}}
{"level":"debug","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"c0598543-e0d8-495d-8b53-328bf9ff0276","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781314809,"groups":["Site-Reliability"],"iat":1781314509,"iss":"https://keycloak.apps.e1c9500a-d053-4ec1-ade2-67efac99f42a.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:f6f821bc-66c5-e051-3eb2-f322c26bb6d7","preferred_username":"bob_sre","scope":"profile email","sid":"3a5t_4vQYG0KNXS8oC2pOXql","sub":"fef07910-2b0c-4307-8fc3-89bbddc88a42","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.132.0.39:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.e1c9500a-d053-4ec1-ade2-67efac99f42a.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"c0598543-e0d8-495d-8b53-328bf9ff0276","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"c0598543-e0d8-495d-8b53-328bf9ff0276","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"c0598543-e0d8-495d-8b53-328bf9ff0276","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"c0598543-e0d8-495d-8b53-328bf9ff0276","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"subscription_error","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"userid","Value":{}},{"Name":"groups","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"keyId","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"selected_subscription","Value":{}}]},"Plain":null},"reason":"no such key: metadata"}
{"level":"debug","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"c0598543-e0d8-495d-8b53-328bf9ff0276","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"bob_sre"}
{"level":"debug","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"c0598543-e0d8-495d-8b53-328bf9ff0276","config":{"Name":"X-MaaS-Tenant-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Tenant","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"opendatahub"}
{"level":"debug","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"c0598543-e0d8-495d-8b53-328bf9ff0276","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Site-Reliability\"]"}
{"level":"info","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"c0598543-e0d8-495d-8b53-328bf9ff0276","authorized":true,"response":"OK"}
{"level":"debug","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"c0598543-e0d8-495d-8b53-328bf9ff0276","authorized":true,"response":"OK"}
{"level":"info","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"94ebf501-2797-41c7-8822-a0051e964abe","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.17:59736","PortSpecifier":{"PortValue":59736}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.39:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"94ebf501-2797-41c7-8822-a0051e964abe","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.e1c9500a-d053-4ec1-ade2-67efac99f42a.prod.konfluxeaas.com","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"94ebf501-2797-41c7-8822-a0051e964abe","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.17:59736","PortSpecifier":{"PortValue":59736}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.39:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781314509,"nanos":291495926},"http":{"id":"94ebf501-2797-41c7-8822-a0051e964abe","method":"POST","headers":{":authority":"maas.apps.e1c9500a-d053-4ec1-ade2-67efac99f42a.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"94ebf501-2797-41c7-8822-a0051e964abe","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781314809,"groups":["Engineering","Project-Alpha"],"iat":1781314509,"iss":"https://keycloak.apps.e1c9500a-d053-4ec1-ade2-67efac99f42a.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:7420dcd6-e806-e9f2-5ded-ea1557fdd10a","preferred_username":"alice_lead","scope":"profile email","sid":"ndTp311xp14g9_xcij6EUnt6","sub":"157b144c-d04e-4807-afb1-1454f0afd47e","typ":"Bearer"}}
{"level":"debug","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"94ebf501-2797-41c7-8822-a0051e964abe","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781314809,"groups":["Engineering","Project-Alpha"],"iat":1781314509,"iss":"https://keycloak.apps.e1c9500a-d053-4ec1-ade2-67efac99f42a.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:7420dcd6-e806-e9f2-5ded-ea1557fdd10a","preferred_username":"alice_lead","scope":"profile email","sid":"ndTp311xp14g9_xcij6EUnt6","sub":"157b144c-d04e-4807-afb1-1454f0afd47e","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.132.0.39:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.e1c9500a-d053-4ec1-ade2-67efac99f42a.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"94ebf501-2797-41c7-8822-a0051e964abe","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"94ebf501-2797-41c7-8822-a0051e964abe","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"94ebf501-2797-41c7-8822-a0051e964abe","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"94ebf501-2797-41c7-8822-a0051e964abe","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"subscription_error","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"userid","Value":{}},{"Name":"groups","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"keyId","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"selected_subscription","Value":{}}]},"Plain":null},"reason":"no such key: metadata"}
{"level":"debug","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"94ebf501-2797-41c7-8822-a0051e964abe","config":{"Name":"X-MaaS-Tenant-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Tenant","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"opendatahub"}
{"level":"debug","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"94ebf501-2797-41c7-8822-a0051e964abe","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"}
{"level":"debug","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"94ebf501-2797-41c7-8822-a0051e964abe","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"}
{"level":"info","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"94ebf501-2797-41c7-8822-a0051e964abe","authorized":true,"response":"OK"}
{"level":"debug","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"94ebf501-2797-41c7-8822-a0051e964abe","authorized":true,"response":"OK"}
{"level":"info","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"45324253-c1b3-44fd-b130-9e7ba8f8cda0","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.17:59740","PortSpecifier":{"PortValue":59740}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.39:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"45324253-c1b3-44fd-b130-9e7ba8f8cda0","method":"DELETE","path":"/maas-api/v1/api-keys/216371a2-36f2-417a-9a3c-3e7f0bc81b20","host":"maas.apps.e1c9500a-d053-4ec1-ade2-67efac99f42a.prod.konfluxeaas.com","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"45324253-c1b3-44fd-b130-9e7ba8f8cda0","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.17:59740","PortSpecifier":{"PortValue":59740}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.39:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781314509,"nanos":318856979},"http":{"id":"45324253-c1b3-44fd-b130-9e7ba8f8cda0","method":"DELETE","headers":{":authority":"maas.apps.e1c9500a-d053-4ec1-ade2-67efac99f42a.prod.konfluxeaas.com",":method":"DELETE",":path":"/maas-api/v1/api-keys/216371a2-36f2-417a-9a3c-3e7f0bc81b20",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"45324253-c1b3-44fd-b130-9e7ba8f8cda0","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781314809,"groups":["Engineering","Project-Alpha"],"iat":1781314509,"iss":"https://keycloak.apps.e1c9500a-d053-4ec1-ade2-67efac99f42a.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:7420dcd6-e806-e9f2-5ded-ea1557fdd10a","preferred_username":"alice_lead","scope":"profile email","sid":"ndTp311xp14g9_xcij6EUnt6","sub":"157b144c-d04e-4807-afb1-1454f0afd47e","typ":"Bearer"}}
{"level":"debug","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"45324253-c1b3-44fd-b130-9e7ba8f8cda0","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781314809,"groups":["Engineering","Project-Alpha"],"iat":1781314509,"iss":"https://keycloak.apps.e1c9500a-d053-4ec1-ade2-67efac99f42a.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:7420dcd6-e806-e9f2-5ded-ea1557fdd10a","preferred_username":"alice_lead","scope":"profile email","sid":"ndTp311xp14g9_xcij6EUnt6","sub":"157b144c-d04e-4807-afb1-1454f0afd47e","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.132.0.39:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.e1c9500a-d053-4ec1-ade2-67efac99f42a.prod.konfluxeaas.com",":method":"DELETE",":path":"/maas-api/v1/api-keys/216371a2-36f2-417a-9a3c-3e7f0bc81b20",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"45324253-c1b3-44fd-b130-9e7ba8f8cda0","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"45324253-c1b3-44fd-b130-9e7ba8f8cda0","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"45324253-c1b3-44fd-b130-9e7ba8f8cda0","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"45324253-c1b3-44fd-b130-9e7ba8f8cda0","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"subscription_error","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"userid","Value":{}},{"Name":"groups","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"keyId","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"selected_subscription","Value":{}}]},"Plain":null},"reason":"no such key: metadata"}
{"level":"debug","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"45324253-c1b3-44fd-b130-9e7ba8f8cda0","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"}
{"level":"debug","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"45324253-c1b3-44fd-b130-9e7ba8f8cda0","config":{"Name":"X-MaaS-Tenant-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Tenant","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"opendatahub"}
{"level":"debug","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"45324253-c1b3-44fd-b130-9e7ba8f8cda0","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"}
{"level":"info","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"45324253-c1b3-44fd-b130-9e7ba8f8cda0","authorized":true,"response":"OK"}
{"level":"debug","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"45324253-c1b3-44fd-b130-9e7ba8f8cda0","authorized":true,"response":"OK"}
{"level":"info","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"f4115ec9-f23e-445f-8b30-17ddbb37dbbb","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.17:59748","PortSpecifier":{"PortValue":59748}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.39:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"f4115ec9-f23e-445f-8b30-17ddbb37dbbb","method":"DELETE","path":"/maas-api/v1/api-keys/216371a2-36f2-417a-9a3c-3e7f0bc81b20","host":"maas.apps.e1c9500a-d053-4ec1-ade2-67efac99f42a.prod.konfluxeaas.com","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"f4115ec9-f23e-445f-8b30-17ddbb37dbbb","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.17:59748","PortSpecifier":{"PortValue":59748}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.39:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781314509,"nanos":347774399},"http":{"id":"f4115ec9-f23e-445f-8b30-17ddbb37dbbb","method":"DELETE","headers":{":authority":"maas.apps.e1c9500a-d053-4ec1-ade2-67efac99f42a.prod.konfluxeaas.com",":method":"DELETE",":path":"/maas-api/v1/api-keys/216371a2-36f2-417a-9a3c-3e7f0bc81b20",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"f4115ec9-f23e-445f-8b30-17ddbb37dbbb","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781314809,"groups":["Engineering","Project-Alpha"],"iat":1781314509,"iss":"https://keycloak.apps.e1c9500a-d053-4ec1-ade2-67efac99f42a.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:7420dcd6-e806-e9f2-5ded-ea1557fdd10a","preferred_username":"alice_lead","scope":"profile email","sid":"ndTp311xp14g9_xcij6EUnt6","sub":"157b144c-d04e-4807-afb1-1454f0afd47e","typ":"Bearer"}}
{"level":"debug","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"f4115ec9-f23e-445f-8b30-17ddbb37dbbb","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781314809,"groups":["Engineering","Project-Alpha"],"iat":1781314509,"iss":"https://keycloak.apps.e1c9500a-d053-4ec1-ade2-67efac99f42a.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:7420dcd6-e806-e9f2-5ded-ea1557fdd10a","preferred_username":"alice_lead","scope":"profile email","sid":"ndTp311xp14g9_xcij6EUnt6","sub":"157b144c-d04e-4807-afb1-1454f0afd47e","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.132.0.39:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.e1c9500a-d053-4ec1-ade2-67efac99f42a.prod.konfluxeaas.com",":method":"DELETE",":path":"/maas-api/v1/api-keys/216371a2-36f2-417a-9a3c-3e7f0bc81b20",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"f4115ec9-f23e-445f-8b30-17ddbb37dbbb","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"f4115ec9-f23e-445f-8b30-17ddbb37dbbb","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"f4115ec9-f23e-445f-8b30-17ddbb37dbbb","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"f4115ec9-f23e-445f-8b30-17ddbb37dbbb","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"subscription_error","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"userid","Value":{}},{"Name":"groups","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"keyId","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"selected_subscription","Value":{}}]},"Plain":null},"reason":"no such key: metadata"}
{"level":"debug","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"f4115ec9-f23e-445f-8b30-17ddbb37dbbb","config":{"Name":"X-MaaS-Tenant-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Tenant","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"opendatahub"}
{"level":"debug","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"f4115ec9-f23e-445f-8b30-17ddbb37dbbb","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"}
{"level":"debug","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"f4115ec9-f23e-445f-8b30-17ddbb37dbbb","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"}
{"level":"info","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"f4115ec9-f23e-445f-8b30-17ddbb37dbbb","authorized":true,"response":"OK"}
{"level":"debug","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"f4115ec9-f23e-445f-8b30-17ddbb37dbbb","authorized":true,"response":"OK"}
{"level":"info","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"ce978a74-a557-4d70-b212-91a4988d60a6","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.17:59758","PortSpecifier":{"PortValue":59758}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.39:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"ce978a74-a557-4d70-b212-91a4988d60a6","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.e1c9500a-d053-4ec1-ade2-67efac99f42a.prod.konfluxeaas.com","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"ce978a74-a557-4d70-b212-91a4988d60a6","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.17:59758","PortSpecifier":{"PortValue":59758}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.39:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781314509,"nanos":431902060},"http":{"id":"ce978a74-a557-4d70-b212-91a4988d60a6","method":"POST","headers":{":authority":"maas.apps.e1c9500a-d053-4ec1-ade2-67efac99f42a.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"ce978a74-a557-4d70-b212-91a4988d60a6","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781314809,"groups":["Engineering","Project-Alpha"],"iat":1781314509,"iss":"https://keycloak.apps.e1c9500a-d053-4ec1-ade2-67efac99f42a.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:de41744b-5145-bf47-ca5b-3ca67f38895c","preferred_username":"alice_lead","scope":"profile email","sid":"Kl8itg1aAiCW1P8NQEdIHk-W","sub":"157b144c-d04e-4807-afb1-1454f0afd47e","typ":"Bearer"}}
{"level":"debug","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"ce978a74-a557-4d70-b212-91a4988d60a6","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781314809,"groups":["Engineering","Project-Alpha"],"iat":1781314509,"iss":"https://keycloak.apps.e1c9500a-d053-4ec1-ade2-67efac99f42a.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:de41744b-5145-bf47-ca5b-3ca67f38895c","preferred_username":"alice_lead","scope":"profile email","sid":"Kl8itg1aAiCW1P8NQEdIHk-W","sub":"157b144c-d04e-4807-afb1-1454f0afd47e","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.132.0.39:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.e1c9500a-d053-4ec1-ade2-67efac99f42a.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"ce978a74-a557-4d70-b212-91a4988d60a6","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"ce978a74-a557-4d70-b212-91a4988d60a6","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"ce978a74-a557-4d70-b212-91a4988d60a6","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"ce978a74-a557-4d70-b212-91a4988d60a6","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"subscription_error","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"userid","Value":{}},{"Name":"groups","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"keyId","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"selected_subscription","Value":{}}]},"Plain":null},"reason":"no such key: metadata"}
{"level":"debug","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"ce978a74-a557-4d70-b212-91a4988d60a6","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"}
{"level":"debug","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"ce978a74-a557-4d70-b212-91a4988d60a6","config":{"Name":"X-MaaS-Tenant-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Tenant","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"opendatahub"}
{"level":"debug","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"ce978a74-a557-4d70-b212-91a4988d60a6","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"}
{"level":"info","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"ce978a74-a557-4d70-b212-91a4988d60a6","authorized":true,"response":"OK"}
{"level":"debug","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"ce978a74-a557-4d70-b212-91a4988d60a6","authorized":true,"response":"OK"}
{"level":"info","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"0fd0bd42-1c4e-413b-94bb-0c32b99bfc33","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.17:59774","PortSpecifier":{"PortValue":59774}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.39:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"0fd0bd42-1c4e-413b-94bb-0c32b99bfc33","method":"GET","path":"/maas-api/v1/models","host":"maas.apps.e1c9500a-d053-4ec1-ade2-67efac99f42a.prod.konfluxeaas.com","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"0fd0bd42-1c4e-413b-94bb-0c32b99bfc33","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.17:59774","PortSpecifier":{"PortValue":59774}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.39:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781314509,"nanos":462772091},"http":{"id":"0fd0bd42-1c4e-413b-94bb-0c32b99bfc33","method":"GET","headers":{":authority":"maas.apps.e1c9500a-d053-4ec1-ade2-67efac99f42a.prod.konfluxeaas.com",":method":"GET",":path":"/maas-api/v1/models",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"0fd0bd42-1c4e-413b-94bb-0c32b99bfc33","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-1OUm6MKW9QDBjDe9M_qWDqOfkZquwYx3dFk2pnYsY48cNU049O3KhP0cx0Qqc"}
{"level":"debug","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"0fd0bd42-1c4e-413b-94bb-0c32b99bfc33","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-1OUm6MKW9QDBjDe9M_qWDqOfkZquwYx3dFk2pnYsY48cNU049O3KhP0cx0Qqc\"}"}
{"level":"debug","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"0fd0bd42-1c4e-413b-94bb-0c32b99bfc33","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"0fd0bd42-1c4e-413b-94bb-0c32b99bfc33","input":{"auth":{"identity":"Bearer **** deflate","authorization":"Bearer **** deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"0fd0bd42-1c4e-413b-94bb-0c32b99bfc33","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"0fd0bd42-1c4e-413b-94bb-0c32b99bfc33","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"0fd0bd42-1c4e-413b-94bb-0c32b99bfc33","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"0fd0bd42-1c4e-413b-94bb-0c32b99bfc33","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"0fd0bd42-1c4e-413b-94bb-0c32b99bfc33","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"0fd0bd42-1c4e-413b-94bb-0c32b99bfc33","config":{"Name":"X-MaaS-Tenant","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"0fd0bd42-1c4e-413b-94bb-0c32b99bfc33","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"subscription_error","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"userid","Value":{}},{"Name":"groups","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"keyId","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"selected_subscription","Value":{}}]},"Plain":null},"reason":"no such key: subscription-info"}
{"level":"debug","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"0fd0bd42-1c4e-413b-94bb-0c32b99bfc33","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"}
{"level":"info","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"0fd0bd42-1c4e-413b-94bb-0c32b99bfc33","authorized":true,"response":"OK"}
{"level":"debug","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"0fd0bd42-1c4e-413b-94bb-0c32b99bfc33","authorized":true,"response":"OK"}
{"level":"info","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"0a8c92fd-53f1-470f-ba39-0760a00f208f","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.25:44198","PortSpecifier":{"PortValue":44198}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.39:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"0a8c92fd-53f1-470f-ba39-0760a00f208f","method":"GET","path":"/llm/facebook-opt-125m-simulated/v1/models","host":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"0a8c92fd-53f1-470f-ba39-0760a00f208f","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.25:44198","PortSpecifier":{"PortValue":44198}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.39:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781314509,"nanos":469756627},"http":{"id":"0a8c92fd-53f1-470f-ba39-0760a00f208f","method":"GET","headers":{":authority":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local",":method":"GET",":path":"/llm/facebook-opt-125m-simulated/v1/models",":scheme":"https","accept-encoding":"gzip","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"0a8c92fd-53f1-470f-ba39-0760a00f208f","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-1OUm6MKW9QDBjDe9M_qWDqOfkZquwYx3dFk2pnYsY48cNU049O3KhP0cx0Qqc"}
{"level":"debug","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"0a8c92fd-53f1-470f-ba39-0760a00f208f","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-1OUm6MKW9QDBjDe9M_qWDqOfkZquwYx3dFk2pnYsY48cNU049O3KhP0cx0Qqc\"}"}
{"level":"debug","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"0a8c92fd-53f1-470f-ba39-0760a00f208f","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"0a8c92fd-53f1-470f-ba39-0760a00f208f","config":"subscription-info","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","headers":{"Content-Type":["application/json"]},"body":"{\"groups\":[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"],\"requestedModel\":\"llm/facebook-opt-125m-simulated\",\"requestedSubscription\":\"simulator-subscription\",\"username\":\"alice_lead\"}"}
{"level":"debug","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"0a8c92fd-53f1-470f-ba39-0760a00f208f","config":{"Name":"subscription-info","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"UserInfo":null,"UMA":null,"GenericHTTP":{"Endpoint":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","DynamicEndpoint":null,"Method":"POST","Body":{},"Parameters":[],"Headers":[],"ContentType":"application/json","SharedSecret":"","OAuth2":null,"OAuth2TokenForceFetch":false,"AuthCredentials":null}},"object":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}}
{"level":"debug","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"0a8c92fd-53f1-470f-ba39-0760a00f208f","input":{"auth":{"identity":"Bearer **** subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}}},"context":{"context_extensions":{"host":"3dd75e19cd66d310c30638e330078972afd6d2d96305f91055bc6a6f363fb8d3"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.132.0.39:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local",":method":"GET",":path":"/llm/facebook-opt-125m-simulated/v1/models",":scheme":"https","accept-encoding":"gzip","authorization":"Bearer **** sk-oai-1OUm6MKW9QDBjDe9M_qWDqOfkZquwYx3dFk2pnYsY48cNU049O3KhP0cx0Qqc","user-agent":"Go-http-client/1.1","x-envoy-decorator-operation":"facebook-opt-125m-simulated-kserve-workload-svc.llm.svc.cluster.local:8000/*","x-envoy-external-address":"10.134.0.25","x-envoy-peer-metadata":"ChoKCkNMVVNURVJfSUQSDBoKS3ViZXJuZXRlcwqLAQoGTEFCRUxTEoABKn4KSwofc2VydmljZS5pc3Rpby5pby9jYW5vbmljYWwtbmFtZRIoGiZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAovCiNzZXJ2aWNlLmlzdGlvLmlvL2Nhbm9uaWNhbC1yZXZpc2lvbhIIGgZsYXRlc3QKQQoETkFNRRI5GjdtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdC04NTU5Y2Q1NzQ0LXBkbmY3CiAKCU5BTUVTUEFDRRITGhFvcGVuc2hpZnQtaW5ncmVzcwp0CgVPV05FUhJrGmlrdWJlcm5ldGVzOi8vYXBpcy9hcHBzL3YxL25hbWVzcGFjZXMvb3BlbnNoaWZ0LWluZ3Jlc3MvZGVwbG95bWVudHMvbWFhcy1kZWZhdWx0LWdhdGV3YXktb3BlbnNoaWZ0LWRlZmF1bHQKOQoNV09SS0xPQURfTkFNRRIoGiZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdA==","x-envoy-peer-metadata-id":"router~10.132.0.39~maas-default-gateway-openshift-default-8559cd5744-pdnf7.openshift-ingress~openshift-ingress.svc.cluster.local","x-forwarded-for":"10.134.0.25","x-forwarded-proto":"https","x-maas-subscription":"simulator-subscription","x-request-id":"0a8c92fd-53f1-470f-ba39-0760a00f208f"},"host":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local","id":"0a8c92fd-53f1-470f-ba39-0760a00f208f","method":"GET","path":"/llm/facebook-opt-125m-simulated/v1/models","protocol":"HTTP/1.1","scheme":"https","time":{"nanos":469756627,"seconds":1781314509},"url_path":"/llm/facebook-opt-125m-simulated/v1/models","user_agent":"Go-http-client/1.1"},"source":{"address":"10.134.0.25:44198","port":44198}}}
{"level":"debug","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"0a8c92fd-53f1-470f-ba39-0760a00f208f","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"0a8c92fd-53f1-470f-ba39-0760a00f208f","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"0a8c92fd-53f1-470f-ba39-0760a00f208f","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"0a8c92fd-53f1-470f-ba39-0760a00f208f","config":{"Name":"subscription-valid","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"0a8c92fd-53f1-470f-ba39-0760a00f208f","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"0a8c92fd-53f1-470f-ba39-0760a00f208f","config":{"Name":"X-MaaS-Tenant","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"0a8c92fd-53f1-470f-ba39-0760a00f208f","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"0a8c92fd-53f1-470f-ba39-0760a00f208f","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"}
{"level":"debug","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"0a8c92fd-53f1-470f-ba39-0760a00f208f","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"keyId","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"userid","Value":{}},{"Name":"groups","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"subscription_error","Value":{}}]},"Plain":null},"object":{"groups":["system:authenticated","Engineering","Project-Alpha"],"groups_str":"system:authenticated,Engineering,Project-Alpha","keyId":"ac3b03f8-d11f-4699-bc8a-8002efabb4a0","selected_subscription":"simulator-subscription","selected_subscription_key":"models-as-a-service/simulator-subscription@llm/facebook-opt-125m-simulated","subscription_error":"","subscription_error_message":"","subscription_info":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true},"userid":"alice_lead"}}
{"level":"info","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"0a8c92fd-53f1-470f-ba39-0760a00f208f","authorized":true,"response":"OK"}
{"level":"debug","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"0a8c92fd-53f1-470f-ba39-0760a00f208f","authorized":true,"response":"OK"}
{"level":"info","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"97a19f73-584a-4837-bef2-00f43fef3196","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.17:59776","PortSpecifier":{"PortValue":59776}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.39:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"97a19f73-584a-4837-bef2-00f43fef3196","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.e1c9500a-d053-4ec1-ade2-67efac99f42a.prod.konfluxeaas.com","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"97a19f73-584a-4837-bef2-00f43fef3196","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.17:59776","PortSpecifier":{"PortValue":59776}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.39:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781314509,"nanos":560341126},"http":{"id":"97a19f73-584a-4837-bef2-00f43fef3196","method":"POST","headers":{":authority":"maas.apps.e1c9500a-d053-4ec1-ade2-67efac99f42a.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"97a19f73-584a-4837-bef2-00f43fef3196","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781314809,"groups":["Engineering","Project-Alpha"],"iat":1781314509,"iss":"https://keycloak.apps.e1c9500a-d053-4ec1-ade2-67efac99f42a.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:3f7f75dd-029c-3156-4ff2-0659d8c1e537","preferred_username":"alice_lead","scope":"profile email","sid":"JvcST3gcERtf0vxgDN5JmFC7","sub":"157b144c-d04e-4807-afb1-1454f0afd47e","typ":"Bearer"}}
{"level":"debug","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"97a19f73-584a-4837-bef2-00f43fef3196","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781314809,"groups":["Engineering","Project-Alpha"],"iat":1781314509,"iss":"https://keycloak.apps.e1c9500a-d053-4ec1-ade2-67efac99f42a.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:3f7f75dd-029c-3156-4ff2-0659d8c1e537","preferred_username":"alice_lead","scope":"profile email","sid":"JvcST3gcERtf0vxgDN5JmFC7","sub":"157b144c-d04e-4807-afb1-1454f0afd47e","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.132.0.39:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.e1c9500a-d053-4ec1-ade2-67efac99f42a.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"97a19f73-584a-4837-bef2-00f43fef3196","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"97a19f73-584a-4837-bef2-00f43fef3196","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"97a19f73-584a-4837-bef2-00f43fef3196","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"97a19f73-584a-4837-bef2-00f43fef3196","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"subscription_error","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"userid","Value":{}},{"Name":"groups","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"keyId","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"selected_subscription","Value":{}}]},"Plain":null},"reason":"no such key: metadata"}
{"level":"debug","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"97a19f73-584a-4837-bef2-00f43fef3196","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"}
{"level":"debug","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"97a19f73-584a-4837-bef2-00f43fef3196","config":{"Name":"X-MaaS-Tenant-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Tenant","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"opendatahub"}
{"level":"debug","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"97a19f73-584a-4837-bef2-00f43fef3196","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"}
{"level":"info","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"97a19f73-584a-4837-bef2-00f43fef3196","authorized":true,"response":"OK"}
{"level":"debug","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"97a19f73-584a-4837-bef2-00f43fef3196","authorized":true,"response":"OK"}
{"level":"info","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"86be0406-af6f-4497-91ad-965b44885c0f","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.17:59782","PortSpecifier":{"PortValue":59782}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.39:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"86be0406-af6f-4497-91ad-965b44885c0f","method":"GET","path":"/maas-api/v1/models","host":"maas.apps.e1c9500a-d053-4ec1-ade2-67efac99f42a.prod.konfluxeaas.com","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"86be0406-af6f-4497-91ad-965b44885c0f","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.17:59782","PortSpecifier":{"PortValue":59782}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.39:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781314509,"nanos":588590759},"http":{"id":"86be0406-af6f-4497-91ad-965b44885c0f","method":"GET","headers":{":authority":"maas.apps.e1c9500a-d053-4ec1-ade2-67efac99f42a.prod.konfluxeaas.com",":method":"GET",":path":"/maas-api/v1/models",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"86be0406-af6f-4497-91ad-965b44885c0f","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-jKWqpHm2lcU79SqQ_OB8Dg3nMh50WUXb4JA34d8i4DH0oeT8fKWoByVVrnux"}
{"level":"debug","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"86be0406-af6f-4497-91ad-965b44885c0f","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-jKWqpHm2lcU79SqQ_OB8Dg3nMh50WUXb4JA34d8i4DH0oeT8fKWoByVVrnux\"}"}
{"level":"debug","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"86be0406-af6f-4497-91ad-965b44885c0f","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"86be0406-af6f-4497-91ad-965b44885c0f","input":{"auth":{"identity":"Bearer **** deflate","authorization":"Bearer **** deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"86be0406-af6f-4497-91ad-965b44885c0f","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"86be0406-af6f-4497-91ad-965b44885c0f","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"86be0406-af6f-4497-91ad-965b44885c0f","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"86be0406-af6f-4497-91ad-965b44885c0f","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"86be0406-af6f-4497-91ad-965b44885c0f","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"86be0406-af6f-4497-91ad-965b44885c0f","config":{"Name":"X-MaaS-Tenant","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"86be0406-af6f-4497-91ad-965b44885c0f","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"subscription_error","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"userid","Value":{}},{"Name":"groups","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"keyId","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"selected_subscription","Value":{}}]},"Plain":null},"reason":"no such key: subscription-info"}
{"level":"debug","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"86be0406-af6f-4497-91ad-965b44885c0f","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"}
{"level":"info","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"86be0406-af6f-4497-91ad-965b44885c0f","authorized":true,"response":"OK"}
{"level":"debug","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"86be0406-af6f-4497-91ad-965b44885c0f","authorized":true,"response":"OK"}
{"level":"info","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"bc59baed-416d-4487-813e-656d87e24d97","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.17:59784","PortSpecifier":{"PortValue":59784}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.39:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"bc59baed-416d-4487-813e-656d87e24d97","method":"GET","path":"/maas-api/v1/models","host":"maas.apps.e1c9500a-d053-4ec1-ade2-67efac99f42a.prod.konfluxeaas.com","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"bc59baed-416d-4487-813e-656d87e24d97","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.17:59784","PortSpecifier":{"PortValue":59784}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.39:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781314509,"nanos":613626349},"http":{"id":"bc59baed-416d-4487-813e-656d87e24d97","method":"GET","headers":{":authority":"maas.apps.e1c9500a-d053-4ec1-ade2-67efac99f42a.prod.konfluxeaas.com",":method":"GET",":path":"/maas-api/v1/models",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"bc59baed-416d-4487-813e-656d87e24d97","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-jKWqpHm2lcU79SqQ_OB8Dg3nMh50WUXb4JA34d8i4DH0oeT8fKWoByVVrnux"}
{"level":"debug","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"bc59baed-416d-4487-813e-656d87e24d97","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-jKWqpHm2lcU79SqQ_OB8Dg3nMh50WUXb4JA34d8i4DH0oeT8fKWoByVVrnux\"}"}
{"level":"debug","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"bc59baed-416d-4487-813e-656d87e24d97","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"bc59baed-416d-4487-813e-656d87e24d97","input":{"auth":{"identity":"Bearer **** deflate","authorization":"Bearer **** deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"bc59baed-416d-4487-813e-656d87e24d97","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"bc59baed-416d-4487-813e-656d87e24d97","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"bc59baed-416d-4487-813e-656d87e24d97","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"bc59baed-416d-4487-813e-656d87e24d97","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"bc59baed-416d-4487-813e-656d87e24d97","config":{"Name":"X-MaaS-Tenant","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"bc59baed-416d-4487-813e-656d87e24d97","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"bc59baed-416d-4487-813e-656d87e24d97","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"subscription_error","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"userid","Value":{}},{"Name":"groups","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"keyId","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"selected_subscription","Value":{}}]},"Plain":null},"reason":"no such key: subscription-info"}
{"level":"debug","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"bc59baed-416d-4487-813e-656d87e24d97","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"}
{"level":"info","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"bc59baed-416d-4487-813e-656d87e24d97","authorized":true,"response":"OK"}
{"level":"debug","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"bc59baed-416d-4487-813e-656d87e24d97","authorized":true,"response":"OK"}
{"level":"info","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"97777cb6-4948-42bc-a8c0-9c4f499c1d6d","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.25:44198","PortSpecifier":{"PortValue":44198}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.39:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"97777cb6-4948-42bc-a8c0-9c4f499c1d6d","method":"GET","path":"/llm/facebook-opt-125m-simulated/v1/models","host":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"97777cb6-4948-42bc-a8c0-9c4f499c1d6d","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.25:44198","PortSpecifier":{"PortValue":44198}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.39:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781314509,"nanos":620237397},"http":{"id":"97777cb6-4948-42bc-a8c0-9c4f499c1d6d","method":"GET","headers":{":authority":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local",":method":"GET",":path":"/llm/facebook-opt-125m-simulated/v1/models",":scheme":"https","accept-encoding":"gzip","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"97777cb6-4948-42bc-a8c0-9c4f499c1d6d","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-jKWqpHm2lcU79SqQ_OB8Dg3nMh50WUXb4JA34d8i4DH0oeT8fKWoByVVrnux"}
{"level":"debug","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"97777cb6-4948-42bc-a8c0-9c4f499c1d6d","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-jKWqpHm2lcU79SqQ_OB8Dg3nMh50WUXb4JA34d8i4DH0oeT8fKWoByVVrnux\"}"}
{"level":"debug","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"97777cb6-4948-42bc-a8c0-9c4f499c1d6d","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"97777cb6-4948-42bc-a8c0-9c4f499c1d6d","config":"subscription-info","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","headers":{"Content-Type":["application/json"]},"body":"{\"groups\":[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"],\"requestedModel\":\"llm/facebook-opt-125m-simulated\",\"requestedSubscription\":\"simulator-subscription\",\"username\":\"alice_lead\"}"}
{"level":"debug","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"97777cb6-4948-42bc-a8c0-9c4f499c1d6d","config":{"Name":"subscription-info","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"UserInfo":null,"UMA":null,"GenericHTTP":{"Endpoint":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","DynamicEndpoint":null,"Method":"POST","Body":{},"Parameters":[],"Headers":[],"ContentType":"application/json","SharedSecret":"","OAuth2":null,"OAuth2TokenForceFetch":false,"AuthCredentials":null}},"object":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}}
{"level":"debug","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"97777cb6-4948-42bc-a8c0-9c4f499c1d6d","input":{"auth":{"identity":"Bearer **** subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}}},"context":{"context_extensions":{"host":"3dd75e19cd66d310c30638e330078972afd6d2d96305f91055bc6a6f363fb8d3"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.132.0.39:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local",":method":"GET",":path":"/llm/facebook-opt-125m-simulated/v1/models",":scheme":"https","accept-encoding":"gzip","authorization":"Bearer **** sk-oai-jKWqpHm2lcU79SqQ_OB8Dg3nMh50WUXb4JA34d8i4DH0oeT8fKWoByVVrnux","user-agent":"Go-http-client/1.1","x-envoy-decorator-operation":"facebook-opt-125m-simulated-kserve-workload-svc.llm.svc.cluster.local:8000/*","x-envoy-external-address":"10.134.0.25","x-envoy-peer-metadata":"ChoKCkNMVVNURVJfSUQSDBoKS3ViZXJuZXRlcwqLAQoGTEFCRUxTEoABKn4KSwofc2VydmljZS5pc3Rpby5pby9jYW5vbmljYWwtbmFtZRIoGiZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAovCiNzZXJ2aWNlLmlzdGlvLmlvL2Nhbm9uaWNhbC1yZXZpc2lvbhIIGgZsYXRlc3QKQQoETkFNRRI5GjdtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdC04NTU5Y2Q1NzQ0LXBkbmY3CiAKCU5BTUVTUEFDRRITGhFvcGVuc2hpZnQtaW5ncmVzcwp0CgVPV05FUhJrGmlrdWJlcm5ldGVzOi8vYXBpcy9hcHBzL3YxL25hbWVzcGFjZXMvb3BlbnNoaWZ0LWluZ3Jlc3MvZGVwbG95bWVudHMvbWFhcy1kZWZhdWx0LWdhdGV3YXktb3BlbnNoaWZ0LWRlZmF1bHQKOQoNV09SS0xPQURfTkFNRRIoGiZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdA==","x-envoy-peer-metadata-id":"router~10.132.0.39~maas-default-gateway-openshift-default-8559cd5744-pdnf7.openshift-ingress~openshift-ingress.svc.cluster.local","x-forwarded-for":"10.134.0.25","x-forwarded-proto":"https","x-maas-subscription":"simulator-subscription","x-request-id":"97777cb6-4948-42bc-a8c0-9c4f499c1d6d"},"host":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local","id":"97777cb6-4948-42bc-a8c0-9c4f499c1d6d","method":"GET","path":"/llm/facebook-opt-125m-simulated/v1/models","protocol":"HTTP/1.1","scheme":"https","time":{"nanos":620237397,"seconds":1781314509},"url_path":"/llm/facebook-opt-125m-simulated/v1/models","user_agent":"Go-http-client/1.1"},"source":{"address":"10.134.0.25:44198","port":44198}}}
{"level":"debug","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"97777cb6-4948-42bc-a8c0-9c4f499c1d6d","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"97777cb6-4948-42bc-a8c0-9c4f499c1d6d","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"97777cb6-4948-42bc-a8c0-9c4f499c1d6d","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"97777cb6-4948-42bc-a8c0-9c4f499c1d6d","config":{"Name":"subscription-valid","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"97777cb6-4948-42bc-a8c0-9c4f499c1d6d","config":{"Name":"X-MaaS-Tenant","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"97777cb6-4948-42bc-a8c0-9c4f499c1d6d","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"97777cb6-4948-42bc-a8c0-9c4f499c1d6d","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"97777cb6-4948-42bc-a8c0-9c4f499c1d6d","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"}
{"level":"debug","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"97777cb6-4948-42bc-a8c0-9c4f499c1d6d","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"keyId","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"userid","Value":{}},{"Name":"groups","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"subscription_error","Value":{}}]},"Plain":null},"object":{"groups":["system:authenticated","Engineering","Project-Alpha"],"groups_str":"system:authenticated,Engineering,Project-Alpha","keyId":"ce5eab0a-abfd-4a67-8a8f-0b6c1d488242","selected_subscription":"simulator-subscription","selected_subscription_key":"models-as-a-service/simulator-subscription@llm/facebook-opt-125m-simulated","subscription_error":"","subscription_error_message":"","subscription_info":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true},"userid":"alice_lead"}}
{"level":"info","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"97777cb6-4948-42bc-a8c0-9c4f499c1d6d","authorized":true,"response":"OK"}
{"level":"debug","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"97777cb6-4948-42bc-a8c0-9c4f499c1d6d","authorized":true,"response":"OK"}
{"level":"info","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"b9970cba-7f68-4e85-8f15-1a27b0ea7c06","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.17:59796","PortSpecifier":{"PortValue":59796}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.39:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"b9970cba-7f68-4e85-8f15-1a27b0ea7c06","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.e1c9500a-d053-4ec1-ade2-67efac99f42a.prod.konfluxeaas.com","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"b9970cba-7f68-4e85-8f15-1a27b0ea7c06","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.17:59796","PortSpecifier":{"PortValue":59796}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.39:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781314509,"nanos":710655832},"http":{"id":"b9970cba-7f68-4e85-8f15-1a27b0ea7c06","method":"POST","headers":{":authority":"maas.apps.e1c9500a-d053-4ec1-ade2-67efac99f42a.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"b9970cba-7f68-4e85-8f15-1a27b0ea7c06","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781314809,"groups":["Engineering","Project-Alpha"],"iat":1781314509,"iss":"https://keycloak.apps.e1c9500a-d053-4ec1-ade2-67efac99f42a.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:4762e9e2-c27a-f714-78bc-9a5bf53643fc","preferred_username":"alice_lead","scope":"profile email","sid":"7A0zAzGuwSFiOu6nxLD4Xn7M","sub":"157b144c-d04e-4807-afb1-1454f0afd47e","typ":"Bearer"}}
{"level":"debug","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"b9970cba-7f68-4e85-8f15-1a27b0ea7c06","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781314809,"groups":["Engineering","Project-Alpha"],"iat":1781314509,"iss":"https://keycloak.apps.e1c9500a-d053-4ec1-ade2-67efac99f42a.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:4762e9e2-c27a-f714-78bc-9a5bf53643fc","preferred_username":"alice_lead","scope":"profile email","sid":"7A0zAzGuwSFiOu6nxLD4Xn7M","sub":"157b144c-d04e-4807-afb1-1454f0afd47e","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.132.0.39:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.e1c9500a-d053-4ec1-ade2-67efac99f42a.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"b9970cba-7f68-4e85-8f15-1a27b0ea7c06","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"b9970cba-7f68-4e85-8f15-1a27b0ea7c06","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"b9970cba-7f68-4e85-8f15-1a27b0ea7c06","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"b9970cba-7f68-4e85-8f15-1a27b0ea7c06","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"subscription_error","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"userid","Value":{}},{"Name":"groups","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"keyId","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"selected_subscription","Value":{}}]},"Plain":null},"reason":"no such key: metadata"}
{"level":"debug","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"b9970cba-7f68-4e85-8f15-1a27b0ea7c06","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"}
{"level":"debug","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"b9970cba-7f68-4e85-8f15-1a27b0ea7c06","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"}
{"level":"debug","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"b9970cba-7f68-4e85-8f15-1a27b0ea7c06","config":{"Name":"X-MaaS-Tenant-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Tenant","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"opendatahub"}
{"level":"info","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"b9970cba-7f68-4e85-8f15-1a27b0ea7c06","authorized":true,"response":"OK"}
{"level":"debug","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"b9970cba-7f68-4e85-8f15-1a27b0ea7c06","authorized":true,"response":"OK"}
{"level":"info","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"675c7226-03ee-437e-879d-92d59fa708e8","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.17:59800","PortSpecifier":{"PortValue":59800}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.39:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"675c7226-03ee-437e-879d-92d59fa708e8","method":"GET","path":"/maas-api/v1/models","host":"maas.apps.e1c9500a-d053-4ec1-ade2-67efac99f42a.prod.konfluxeaas.com","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"675c7226-03ee-437e-879d-92d59fa708e8","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.17:59800","PortSpecifier":{"PortValue":59800}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.39:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781314509,"nanos":740705292},"http":{"id":"675c7226-03ee-437e-879d-92d59fa708e8","method":"GET","headers":{":authority":"maas.apps.e1c9500a-d053-4ec1-ade2-67efac99f42a.prod.konfluxeaas.com",":method":"GET",":path":"/maas-api/v1/models",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"675c7226-03ee-437e-879d-92d59fa708e8","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-hNKZCbzelnJL2bPI_uTNi3eHLwqvoDG2dycB3ztPLjWEfEX6fzYp9mDZ2J1y"}
{"level":"debug","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"675c7226-03ee-437e-879d-92d59fa708e8","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-hNKZCbzelnJL2bPI_uTNi3eHLwqvoDG2dycB3ztPLjWEfEX6fzYp9mDZ2J1y\"}"}
{"level":"debug","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"675c7226-03ee-437e-879d-92d59fa708e8","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"675c7226-03ee-437e-879d-92d59fa708e8","input":{"auth":{"identity":"Bearer **** deflate","authorization":"Bearer **** deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"675c7226-03ee-437e-879d-92d59fa708e8","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"675c7226-03ee-437e-879d-92d59fa708e8","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"675c7226-03ee-437e-879d-92d59fa708e8","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"675c7226-03ee-437e-879d-92d59fa708e8","config":{"Name":"X-MaaS-Tenant","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"675c7226-03ee-437e-879d-92d59fa708e8","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"675c7226-03ee-437e-879d-92d59fa708e8","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"675c7226-03ee-437e-879d-92d59fa708e8","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"subscription_error","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"userid","Value":{}},{"Name":"groups","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"keyId","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"selected_subscription","Value":{}}]},"Plain":null},"reason":"no such key: subscription-info"}
{"level":"debug","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"675c7226-03ee-437e-879d-92d59fa708e8","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"}
{"level":"info","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"675c7226-03ee-437e-879d-92d59fa708e8","authorized":true,"response":"OK"}
{"level":"debug","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"675c7226-03ee-437e-879d-92d59fa708e8","authorized":true,"response":"OK"}
{"level":"info","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"f94f586b-ddb7-421d-aac2-2b2f71956137","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.25:44198","PortSpecifier":{"PortValue":44198}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.39:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"f94f586b-ddb7-421d-aac2-2b2f71956137","method":"GET","path":"/llm/facebook-opt-125m-simulated/v1/models","host":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"f94f586b-ddb7-421d-aac2-2b2f71956137","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.25:44198","PortSpecifier":{"PortValue":44198}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.39:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781314509,"nanos":747310800},"http":{"id":"f94f586b-ddb7-421d-aac2-2b2f71956137","method":"GET","headers":{":authority":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local",":method":"GET",":path":"/llm/facebook-opt-125m-simulated/v1/models",":scheme":"https","accept-encoding":"gzip","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"f94f586b-ddb7-421d-aac2-2b2f71956137","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-hNKZCbzelnJL2bPI_uTNi3eHLwqvoDG2dycB3ztPLjWEfEX6fzYp9mDZ2J1y"}
{"level":"debug","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"f94f586b-ddb7-421d-aac2-2b2f71956137","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-hNKZCbzelnJL2bPI_uTNi3eHLwqvoDG2dycB3ztPLjWEfEX6fzYp9mDZ2J1y\"}"}
{"level":"debug","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"f94f586b-ddb7-421d-aac2-2b2f71956137","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"f94f586b-ddb7-421d-aac2-2b2f71956137","config":"subscription-info","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","headers":{"Content-Type":["application/json"]},"body":"{\"groups\":[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"],\"requestedModel\":\"llm/facebook-opt-125m-simulated\",\"requestedSubscription\":\"simulator-subscription\",\"username\":\"alice_lead\"}"}
{"level":"debug","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"f94f586b-ddb7-421d-aac2-2b2f71956137","config":{"Name":"subscription-info","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"UserInfo":null,"UMA":null,"GenericHTTP":{"Endpoint":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","DynamicEndpoint":null,"Method":"POST","Body":{},"Parameters":[],"Headers":[],"ContentType":"application/json","SharedSecret":"","OAuth2":null,"OAuth2TokenForceFetch":false,"AuthCredentials":null}},"object":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}}
{"level":"debug","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"f94f586b-ddb7-421d-aac2-2b2f71956137","input":{"auth":{"identity":"Bearer **** subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}}},"context":{"context_extensions":{"host":"3dd75e19cd66d310c30638e330078972afd6d2d96305f91055bc6a6f363fb8d3"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.132.0.39:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local",":method":"GET",":path":"/llm/facebook-opt-125m-simulated/v1/models",":scheme":"https","accept-encoding":"gzip","authorization":"Bearer **** sk-oai-hNKZCbzelnJL2bPI_uTNi3eHLwqvoDG2dycB3ztPLjWEfEX6fzYp9mDZ2J1y","user-agent":"Go-http-client/1.1","x-envoy-decorator-operation":"facebook-opt-125m-simulated-kserve-workload-svc.llm.svc.cluster.local:8000/*","x-envoy-external-address":"10.134.0.25","x-envoy-peer-metadata":"ChoKCkNMVVNURVJfSUQSDBoKS3ViZXJuZXRlcwqLAQoGTEFCRUxTEoABKn4KSwofc2VydmljZS5pc3Rpby5pby9jYW5vbmljYWwtbmFtZRIoGiZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAovCiNzZXJ2aWNlLmlzdGlvLmlvL2Nhbm9uaWNhbC1yZXZpc2lvbhIIGgZsYXRlc3QKQQoETkFNRRI5GjdtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdC04NTU5Y2Q1NzQ0LXBkbmY3CiAKCU5BTUVTUEFDRRITGhFvcGVuc2hpZnQtaW5ncmVzcwp0CgVPV05FUhJrGmlrdWJlcm5ldGVzOi8vYXBpcy9hcHBzL3YxL25hbWVzcGFjZXMvb3BlbnNoaWZ0LWluZ3Jlc3MvZGVwbG95bWVudHMvbWFhcy1kZWZhdWx0LWdhdGV3YXktb3BlbnNoaWZ0LWRlZmF1bHQKOQoNV09SS0xPQURfTkFNRRIoGiZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdA==","x-envoy-peer-metadata-id":"router~10.132.0.39~maas-default-gateway-openshift-default-8559cd5744-pdnf7.openshift-ingress~openshift-ingress.svc.cluster.local","x-forwarded-for":"10.134.0.25","x-forwarded-proto":"https","x-maas-subscription":"simulator-subscription","x-request-id":"f94f586b-ddb7-421d-aac2-2b2f71956137"},"host":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local","id":"f94f586b-ddb7-421d-aac2-2b2f71956137","method":"GET","path":"/llm/facebook-opt-125m-simulated/v1/models","protocol":"HTTP/1.1","scheme":"https","time":{"nanos":747310800,"seconds":1781314509},"url_path":"/llm/facebook-opt-125m-simulated/v1/models","user_agent":"Go-http-client/1.1"},"source":{"address":"10.134.0.25:44198","port":44198}}}
{"level":"debug","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"f94f586b-ddb7-421d-aac2-2b2f71956137","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"f94f586b-ddb7-421d-aac2-2b2f71956137","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"f94f586b-ddb7-421d-aac2-2b2f71956137","config":{"Name":"subscription-valid","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"f94f586b-ddb7-421d-aac2-2b2f71956137","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"f94f586b-ddb7-421d-aac2-2b2f71956137","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"f94f586b-ddb7-421d-aac2-2b2f71956137","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"f94f586b-ddb7-421d-aac2-2b2f71956137","config":{"Name":"X-MaaS-Tenant","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"f94f586b-ddb7-421d-aac2-2b2f71956137","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"}
{"level":"debug","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"f94f586b-ddb7-421d-aac2-2b2f71956137","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"keyId","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"userid","Value":{}},{"Name":"groups","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"subscription_error","Value":{}}]},"Plain":null},"object":{"groups":["system:authenticated","Engineering","Project-Alpha"],"groups_str":"system:authenticated,Engineering,Project-Alpha","keyId":"7a56234f-28f5-4a48-aa86-a7e8fbf13009","selected_subscription":"simulator-subscription","selected_subscription_key":"models-as-a-service/simulator-subscription@llm/facebook-opt-125m-simulated","subscription_error":"","subscription_error_message":"","subscription_info":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true},"userid":"alice_lead"}}
{"level":"info","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"f94f586b-ddb7-421d-aac2-2b2f71956137","authorized":true,"response":"OK"}
{"level":"debug","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"f94f586b-ddb7-421d-aac2-2b2f71956137","authorized":true,"response":"OK"}
{"level":"info","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"e0d369cd-006e-45fd-a3ba-ec5d2b04ada2","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.17:59808","PortSpecifier":{"PortValue":59808}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.39:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"e0d369cd-006e-45fd-a3ba-ec5d2b04ada2","method":"GET","path":"/maas-api/v1/models","host":"maas.apps.e1c9500a-d053-4ec1-ade2-67efac99f42a.prod.konfluxeaas.com","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"e0d369cd-006e-45fd-a3ba-ec5d2b04ada2","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.17:59808","PortSpecifier":{"PortValue":59808}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.39:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781314509,"nanos":775693142},"http":{"id":"e0d369cd-006e-45fd-a3ba-ec5d2b04ada2","method":"GET","headers":{":authority":"maas.apps.e1c9500a-d053-4ec1-ade2-67efac99f42a.prod.konfluxeaas.com",":method":"GET",":path":"/maas-api/v1/models",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"e0d369cd-006e-45fd-a3ba-ec5d2b04ada2","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-hNKZCbzelnJL2bPI_uTNi3eHLwqvoDG2dycB3ztPLjWEfEX6fzYp9mDZ2J1y"}
{"level":"debug","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"e0d369cd-006e-45fd-a3ba-ec5d2b04ada2","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-hNKZCbzelnJL2bPI_uTNi3eHLwqvoDG2dycB3ztPLjWEfEX6fzYp9mDZ2J1y\"}"}
{"level":"debug","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"e0d369cd-006e-45fd-a3ba-ec5d2b04ada2","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"e0d369cd-006e-45fd-a3ba-ec5d2b04ada2","input":{"auth":{"identity":"Bearer **** deflate","authorization":"Bearer **** deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"e0d369cd-006e-45fd-a3ba-ec5d2b04ada2","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"e0d369cd-006e-45fd-a3ba-ec5d2b04ada2","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"e0d369cd-006e-45fd-a3ba-ec5d2b04ada2","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"e0d369cd-006e-45fd-a3ba-ec5d2b04ada2","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"e0d369cd-006e-45fd-a3ba-ec5d2b04ada2","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"e0d369cd-006e-45fd-a3ba-ec5d2b04ada2","config":{"Name":"X-MaaS-Tenant","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"e0d369cd-006e-45fd-a3ba-ec5d2b04ada2","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"subscription_error","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"userid","Value":{}},{"Name":"groups","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"keyId","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"selected_subscription","Value":{}}]},"Plain":null},"reason":"no such key: subscription-info"}
{"level":"debug","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"e0d369cd-006e-45fd-a3ba-ec5d2b04ada2","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"}
{"level":"info","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"e0d369cd-006e-45fd-a3ba-ec5d2b04ada2","authorized":true,"response":"OK"}
{"level":"debug","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"e0d369cd-006e-45fd-a3ba-ec5d2b04ada2","authorized":true,"response":"OK"}
{"level":"info","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"04b29772-1494-456c-9a75-18fda825ff81","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.25:44198","PortSpecifier":{"PortValue":44198}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.39:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"04b29772-1494-456c-9a75-18fda825ff81","method":"GET","path":"/llm/facebook-opt-125m-simulated/v1/models","host":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"04b29772-1494-456c-9a75-18fda825ff81","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.25:44198","PortSpecifier":{"PortValue":44198}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.39:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781314509,"nanos":781972757},"http":{"id":"04b29772-1494-456c-9a75-18fda825ff81","method":"GET","headers":{":authority":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local",":method":"GET",":path":"/llm/facebook-opt-125m-simulated/v1/models",":scheme":"https","accept-encoding":"gzip","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"04b29772-1494-456c-9a75-18fda825ff81","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-hNKZCbzelnJL2bPI_uTNi3eHLwqvoDG2dycB3ztPLjWEfEX6fzYp9mDZ2J1y"}
{"level":"debug","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"04b29772-1494-456c-9a75-18fda825ff81","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-hNKZCbzelnJL2bPI_uTNi3eHLwqvoDG2dycB3ztPLjWEfEX6fzYp9mDZ2J1y\"}"}
{"level":"debug","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"04b29772-1494-456c-9a75-18fda825ff81","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"04b29772-1494-456c-9a75-18fda825ff81","config":"subscription-info","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","headers":{"Content-Type":["application/json"]},"body":"{\"groups\":[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"],\"requestedModel\":\"llm/facebook-opt-125m-simulated\",\"requestedSubscription\":\"simulator-subscription\",\"username\":\"alice_lead\"}"}
{"level":"debug","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"04b29772-1494-456c-9a75-18fda825ff81","config":{"Name":"subscription-info","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"UserInfo":null,"UMA":null,"GenericHTTP":{"Endpoint":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","DynamicEndpoint":null,"Method":"POST","Body":{},"Parameters":[],"Headers":[],"ContentType":"application/json","SharedSecret":"","OAuth2":null,"OAuth2TokenForceFetch":false,"AuthCredentials":null}},"object":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}}
{"level":"debug","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"04b29772-1494-456c-9a75-18fda825ff81","input":{"auth":{"identity":"Bearer **** subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}}},"context":{"context_extensions":{"host":"3dd75e19cd66d310c30638e330078972afd6d2d96305f91055bc6a6f363fb8d3"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.132.0.39:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local",":method":"GET",":path":"/llm/facebook-opt-125m-simulated/v1/models",":scheme":"https","accept-encoding":"gzip","authorization":"Bearer **** sk-oai-hNKZCbzelnJL2bPI_uTNi3eHLwqvoDG2dycB3ztPLjWEfEX6fzYp9mDZ2J1y","user-agent":"Go-http-client/1.1","x-envoy-decorator-operation":"facebook-opt-125m-simulated-kserve-workload-svc.llm.svc.cluster.local:8000/*","x-envoy-external-address":"10.134.0.25","x-envoy-peer-metadata":"ChoKCkNMVVNURVJfSUQSDBoKS3ViZXJuZXRlcwqLAQoGTEFCRUxTEoABKn4KSwofc2VydmljZS5pc3Rpby5pby9jYW5vbmljYWwtbmFtZRIoGiZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAovCiNzZXJ2aWNlLmlzdGlvLmlvL2Nhbm9uaWNhbC1yZXZpc2lvbhIIGgZsYXRlc3QKQQoETkFNRRI5GjdtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdC04NTU5Y2Q1NzQ0LXBkbmY3CiAKCU5BTUVTUEFDRRITGhFvcGVuc2hpZnQtaW5ncmVzcwp0CgVPV05FUhJrGmlrdWJlcm5ldGVzOi8vYXBpcy9hcHBzL3YxL25hbWVzcGFjZXMvb3BlbnNoaWZ0LWluZ3Jlc3MvZGVwbG95bWVudHMvbWFhcy1kZWZhdWx0LWdhdGV3YXktb3BlbnNoaWZ0LWRlZmF1bHQKOQoNV09SS0xPQURfTkFNRRIoGiZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdA==","x-envoy-peer-metadata-id":"router~10.132.0.39~maas-default-gateway-openshift-default-8559cd5744-pdnf7.openshift-ingress~openshift-ingress.svc.cluster.local","x-forwarded-for":"10.134.0.25","x-forwarded-proto":"https","x-maas-subscription":"simulator-subscription","x-request-id":"04b29772-1494-456c-9a75-18fda825ff81"},"host":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local","id":"04b29772-1494-456c-9a75-18fda825ff81","method":"GET","path":"/llm/facebook-opt-125m-simulated/v1/models","protocol":"HTTP/1.1","scheme":"https","time":{"nanos":781972757,"seconds":1781314509},"url_path":"/llm/facebook-opt-125m-simulated/v1/models","user_agent":"Go-http-client/1.1"},"source":{"address":"10.134.0.25:44198","port":44198}}}
{"level":"debug","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"04b29772-1494-456c-9a75-18fda825ff81","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"04b29772-1494-456c-9a75-18fda825ff81","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"04b29772-1494-456c-9a75-18fda825ff81","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"04b29772-1494-456c-9a75-18fda825ff81","config":{"Name":"subscription-valid","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"04b29772-1494-456c-9a75-18fda825ff81","config":{"Name":"X-MaaS-Tenant","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"04b29772-1494-456c-9a75-18fda825ff81","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"04b29772-1494-456c-9a75-18fda825ff81","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"04b29772-1494-456c-9a75-18fda825ff81","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"}
{"level":"debug","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"04b29772-1494-456c-9a75-18fda825ff81","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"keyId","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"userid","Value":{}},{"Name":"groups","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"subscription_error","Value":{}}]},"Plain":null},"object":{"groups":["system:authenticated","Engineering","Project-Alpha"],"groups_str":"system:authenticated,Engineering,Project-Alpha","keyId":"7a56234f-28f5-4a48-aa86-a7e8fbf13009","selected_subscription":"simulator-subscription","selected_subscription_key":"models-as-a-service/simulator-subscription@llm/facebook-opt-125m-simulated","subscription_error":"","subscription_error_message":"","subscription_info":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true},"userid":"alice_lead"}}
{"level":"info","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"04b29772-1494-456c-9a75-18fda825ff81","authorized":true,"response":"OK"}
{"level":"debug","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"04b29772-1494-456c-9a75-18fda825ff81","authorized":true,"response":"OK"}
{"level":"info","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"9f459cbf-a541-4298-b04e-0ececd802160","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.17:59814","PortSpecifier":{"PortValue":59814}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.39:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"9f459cbf-a541-4298-b04e-0ececd802160","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.e1c9500a-d053-4ec1-ade2-67efac99f42a.prod.konfluxeaas.com","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"9f459cbf-a541-4298-b04e-0ececd802160","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.17:59814","PortSpecifier":{"PortValue":59814}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.39:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781314509,"nanos":868928262},"http":{"id":"9f459cbf-a541-4298-b04e-0ececd802160","method":"POST","headers":{":authority":"maas.apps.e1c9500a-d053-4ec1-ade2-67efac99f42a.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"9f459cbf-a541-4298-b04e-0ececd802160","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781314809,"groups":["Engineering","Project-Alpha"],"iat":1781314509,"iss":"https://keycloak.apps.e1c9500a-d053-4ec1-ade2-67efac99f42a.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:49b918fe-450b-87c3-757b-ff13e79ef853","preferred_username":"alice_lead","scope":"profile email","sid":"ttp4zcMNPOXklUkDea5zx1dy","sub":"157b144c-d04e-4807-afb1-1454f0afd47e","typ":"Bearer"}}
{"level":"debug","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"9f459cbf-a541-4298-b04e-0ececd802160","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781314809,"groups":["Engineering","Project-Alpha"],"iat":1781314509,"iss":"https://keycloak.apps.e1c9500a-d053-4ec1-ade2-67efac99f42a.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:49b918fe-450b-87c3-757b-ff13e79ef853","preferred_username":"alice_lead","scope":"profile email","sid":"ttp4zcMNPOXklUkDea5zx1dy","sub":"157b144c-d04e-4807-afb1-1454f0afd47e","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.132.0.39:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.e1c9500a-d053-4ec1-ade2-67efac99f42a.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"9f459cbf-a541-4298-b04e-0ececd802160","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"9f459cbf-a541-4298-b04e-0ececd802160","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"9f459cbf-a541-4298-b04e-0ececd802160","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"9f459cbf-a541-4298-b04e-0ececd802160","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"subscription_error","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"userid","Value":{}},{"Name":"groups","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"keyId","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"selected_subscription","Value":{}}]},"Plain":null},"reason":"no such key: metadata"}
{"level":"debug","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"9f459cbf-a541-4298-b04e-0ececd802160","config":{"Name":"X-MaaS-Tenant-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Tenant","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"opendatahub"}
{"level":"debug","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"9f459cbf-a541-4298-b04e-0ececd802160","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"}
{"level":"debug","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"9f459cbf-a541-4298-b04e-0ececd802160","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"}
{"level":"info","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"9f459cbf-a541-4298-b04e-0ececd802160","authorized":true,"response":"OK"}
{"level":"debug","ts":"2026-06-13T01:35:09Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"9f459cbf-a541-4298-b04e-0ececd802160","authorized":true,"response":"OK"}