{"level":"info","ts":"2026-06-13T02:38:24Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"3dd75e19cd66d310c30638e330078972afd6d2d96305f91055bc6a6f363fb8d3","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-13T02:38:24Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"3dd75e19cd66d310c30638e330078972afd6d2d96305f91055bc6a6f363fb8d3","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-13T02:38:24Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"5fea747cb803a5ee3aeb620187bd9ec74ccccd10a92474ef528215a7ff146c8f","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-13T02:38:24Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"3dd75e19cd66d310c30638e330078972afd6d2d96305f91055bc6a6f363fb8d3","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-13T02:38:24Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/3dd75e19cd66d310c30638e330078972afd6d2d96305f91055bc6a6f363fb8d3"} {"level":"debug","ts":"2026-06-13T02:38:24Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/5fea747cb803a5ee3aeb620187bd9ec74ccccd10a92474ef528215a7ff146c8f","issuerUrl":"https://keycloak.apps.536890ea-040e-4de6-8e80-a5d56746ec7b.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-13T02:38:24Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"3dd75e19cd66d310c30638e330078972afd6d2d96305f91055bc6a6f363fb8d3","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"True","lastTransitionTime":"2026-06-13T02:38:24Z","reason":"HostsLinked"},{"type":"Ready","status":"True","lastTransitionTime":"2026-06-13T02:38:24Z","reason":"Reconciled"}],"summary":{"ready":true,"hostsReady":["3dd75e19cd66d310c30638e330078972afd6d2d96305f91055bc6a6f363fb8d3"],"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":8,"festivalWristbandEnabled":false}}} {"level":"info","ts":"2026-06-13T02:38:24Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/5fea747cb803a5ee3aeb620187bd9ec74ccccd10a92474ef528215a7ff146c8f"} {"level":"debug","ts":"2026-06-13T02:38:24Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/3dd75e19cd66d310c30638e330078972afd6d2d96305f91055bc6a6f363fb8d3","issuerUrl":"https://keycloak.apps.536890ea-040e-4de6-8e80-a5d56746ec7b.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-13T02:38:24Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"3dd75e19cd66d310c30638e330078972afd6d2d96305f91055bc6a6f363fb8d3","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-13T02:38:24Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"3dd75e19cd66d310c30638e330078972afd6d2d96305f91055bc6a6f363fb8d3","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"False","lastTransitionTime":"2026-06-13T02:38:24Z","reason":"HostsNotLinked","message":"No hosts linked to the resource"},{"type":"Ready","status":"False","lastTransitionTime":"2026-06-13T02:38:24Z","reason":"Reconciling"}],"summary":{"ready":false,"hostsReady":[],"numHostsReady":"0/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":8,"festivalWristbandEnabled":false}}} {"level":"info","ts":"2026-06-13T02:38:24Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/3dd75e19cd66d310c30638e330078972afd6d2d96305f91055bc6a6f363fb8d3"} {"level":"info","ts":"2026-06-13T02:38:24Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"3dd75e19cd66d310c30638e330078972afd6d2d96305f91055bc6a6f363fb8d3","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-13T02:38:24Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"3dd75e19cd66d310c30638e330078972afd6d2d96305f91055bc6a6f363fb8d3","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-13T02:38:24Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/3dd75e19cd66d310c30638e330078972afd6d2d96305f91055bc6a6f363fb8d3","issuerUrl":"https://keycloak.apps.536890ea-040e-4de6-8e80-a5d56746ec7b.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-13T02:38:24Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"3dd75e19cd66d310c30638e330078972afd6d2d96305f91055bc6a6f363fb8d3","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-13T02:38:24Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/3dd75e19cd66d310c30638e330078972afd6d2d96305f91055bc6a6f363fb8d3"} {"level":"debug","ts":"2026-06-13T02:38:24Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"d3b195a61a7f24c6bf1fba40f9f2e2565facb6af92e959c1546ac398a9172618","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-13T02:38:24Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/3dd75e19cd66d310c30638e330078972afd6d2d96305f91055bc6a6f363fb8d3","issuerUrl":"https://keycloak.apps.536890ea-040e-4de6-8e80-a5d56746ec7b.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-13T02:38:24Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"3dd75e19cd66d310c30638e330078972afd6d2d96305f91055bc6a6f363fb8d3","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-13T02:38:24Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"9bbfc0b2e9e9acadd41342cd7c36a24afa8a5eef942d161782a6adae8411158a","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-13T02:38:24Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/3dd75e19cd66d310c30638e330078972afd6d2d96305f91055bc6a6f363fb8d3"} {"level":"debug","ts":"2026-06-13T02:38:24Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/d3b195a61a7f24c6bf1fba40f9f2e2565facb6af92e959c1546ac398a9172618","issuerUrl":"https://keycloak.apps.536890ea-040e-4de6-8e80-a5d56746ec7b.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-13T02:38:24Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"35d34d59676c333235d7c9f02273e0380bb39f27cfd30856fedc0f7c0e5f79aa","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-13T02:38:24Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/d3b195a61a7f24c6bf1fba40f9f2e2565facb6af92e959c1546ac398a9172618"} {"level":"debug","ts":"2026-06-13T02:38:24Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"3dd75e19cd66d310c30638e330078972afd6d2d96305f91055bc6a6f363fb8d3","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"True","lastTransitionTime":"2026-06-13T02:38:24Z","reason":"HostsLinked"},{"type":"Ready","status":"True","lastTransitionTime":"2026-06-13T02:38:24Z","reason":"Reconciled"}],"summary":{"ready":true,"hostsReady":["3dd75e19cd66d310c30638e330078972afd6d2d96305f91055bc6a6f363fb8d3"],"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":8,"festivalWristbandEnabled":false}}} {"level":"debug","ts":"2026-06-13T02:38:24Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/9bbfc0b2e9e9acadd41342cd7c36a24afa8a5eef942d161782a6adae8411158a","issuerUrl":"https://keycloak.apps.536890ea-040e-4de6-8e80-a5d56746ec7b.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-13T02:38:24Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"3dd75e19cd66d310c30638e330078972afd6d2d96305f91055bc6a6f363fb8d3","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-13T02:38:24Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"3dd75e19cd66d310c30638e330078972afd6d2d96305f91055bc6a6f363fb8d3","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-13T02:38:24Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/9bbfc0b2e9e9acadd41342cd7c36a24afa8a5eef942d161782a6adae8411158a"} {"level":"debug","ts":"2026-06-13T02:38:24Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/35d34d59676c333235d7c9f02273e0380bb39f27cfd30856fedc0f7c0e5f79aa","issuerUrl":"https://keycloak.apps.536890ea-040e-4de6-8e80-a5d56746ec7b.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-13T02:38:24Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/35d34d59676c333235d7c9f02273e0380bb39f27cfd30856fedc0f7c0e5f79aa"} {"level":"debug","ts":"2026-06-13T02:38:24Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/3dd75e19cd66d310c30638e330078972afd6d2d96305f91055bc6a6f363fb8d3","issuerUrl":"https://keycloak.apps.536890ea-040e-4de6-8e80-a5d56746ec7b.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-13T02:38:24Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"b1f82c4ba6cc7617f9c0b90067f72f4a25fdc5de2564c14ccb90af534a2905f6","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-13T02:38:24Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/3dd75e19cd66d310c30638e330078972afd6d2d96305f91055bc6a6f363fb8d3"} {"level":"debug","ts":"2026-06-13T02:38:24Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/b1f82c4ba6cc7617f9c0b90067f72f4a25fdc5de2564c14ccb90af534a2905f6","issuerUrl":"https://keycloak.apps.536890ea-040e-4de6-8e80-a5d56746ec7b.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-13T02:38:24Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"7371c34ce8e4df2309ee8f952c87f921947b289427b6e9ea579dcb9970fc1b86","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-13T02:38:24Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/b1f82c4ba6cc7617f9c0b90067f72f4a25fdc5de2564c14ccb90af534a2905f6"} {"level":"debug","ts":"2026-06-13T02:38:24Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/7371c34ce8e4df2309ee8f952c87f921947b289427b6e9ea579dcb9970fc1b86","issuerUrl":"https://keycloak.apps.536890ea-040e-4de6-8e80-a5d56746ec7b.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-13T02:38:24Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"c9f2cdb36f800bc8ef8831e6117ec4c6cc521d8cd63b718b7906225d0f25e59f","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-13T02:38:24Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/7371c34ce8e4df2309ee8f952c87f921947b289427b6e9ea579dcb9970fc1b86"} {"level":"debug","ts":"2026-06-13T02:38:24Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/c9f2cdb36f800bc8ef8831e6117ec4c6cc521d8cd63b718b7906225d0f25e59f","issuerUrl":"https://keycloak.apps.536890ea-040e-4de6-8e80-a5d56746ec7b.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-13T02:38:24Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"319a353672fc7601c875fa3f8b807adf60b64f093f022b2a1c3dfef3ac8cd4f4","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-13T02:38:24Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/c9f2cdb36f800bc8ef8831e6117ec4c6cc521d8cd63b718b7906225d0f25e59f"} {"level":"debug","ts":"2026-06-13T02:38:24Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/319a353672fc7601c875fa3f8b807adf60b64f093f022b2a1c3dfef3ac8cd4f4","issuerUrl":"https://keycloak.apps.536890ea-040e-4de6-8e80-a5d56746ec7b.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-13T02:38:24Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"df733b2c652bfe2458c9e19932b1091e939c1a62178d6879462b3b4f73fca4bb","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-13T02:38:24Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/319a353672fc7601c875fa3f8b807adf60b64f093f022b2a1c3dfef3ac8cd4f4"} {"level":"debug","ts":"2026-06-13T02:38:24Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/df733b2c652bfe2458c9e19932b1091e939c1a62178d6879462b3b4f73fca4bb","issuerUrl":"https://keycloak.apps.536890ea-040e-4de6-8e80-a5d56746ec7b.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-13T02:38:24Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"e38d76c6f386f12bc12190c87b39e6e77e182be454f85659a9197c301f2cd9be","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-13T02:38:24Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/df733b2c652bfe2458c9e19932b1091e939c1a62178d6879462b3b4f73fca4bb"} {"level":"debug","ts":"2026-06-13T02:38:24Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/e38d76c6f386f12bc12190c87b39e6e77e182be454f85659a9197c301f2cd9be","issuerUrl":"https://keycloak.apps.536890ea-040e-4de6-8e80-a5d56746ec7b.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-13T02:38:24Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"edcceb5a2e0cf1edde0fc3ed43068ce5b123a6fdc41949959c2c3b7a5a48bf24","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-13T02:38:24Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-13T02:38:24Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/e38d76c6f386f12bc12190c87b39e6e77e182be454f85659a9197c301f2cd9be"} {"level":"debug","ts":"2026-06-13T02:38:24Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/edcceb5a2e0cf1edde0fc3ed43068ce5b123a6fdc41949959c2c3b7a5a48bf24","issuerUrl":"https://keycloak.apps.536890ea-040e-4de6-8e80-a5d56746ec7b.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-13T02:38:24Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"a89b0896df0d8cd430f1c81b6eb292ddc044daed393537d009a6330718f58d4b","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-13T02:38:24Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/edcceb5a2e0cf1edde0fc3ed43068ce5b123a6fdc41949959c2c3b7a5a48bf24"} {"level":"debug","ts":"2026-06-13T02:38:24Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d","issuerUrl":"https://keycloak.apps.536890ea-040e-4de6-8e80-a5d56746ec7b.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-13T02:38:24Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"cc09b530b46a73b0d4ddb40e465580cff15db19d77e93e4903c9737647deeb1a","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-13T02:38:24Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"} {"level":"debug","ts":"2026-06-13T02:38:24Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/a89b0896df0d8cd430f1c81b6eb292ddc044daed393537d009a6330718f58d4b","issuerUrl":"https://keycloak.apps.536890ea-040e-4de6-8e80-a5d56746ec7b.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-13T02:38:24Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"311b1be286674fd5684c9ac59b318287dade9769cfe4aeebd8c88e2dc6b72418","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-13T02:38:24Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/a89b0896df0d8cd430f1c81b6eb292ddc044daed393537d009a6330718f58d4b"} {"level":"debug","ts":"2026-06-13T02:38:24Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/cc09b530b46a73b0d4ddb40e465580cff15db19d77e93e4903c9737647deeb1a","issuerUrl":"https://keycloak.apps.536890ea-040e-4de6-8e80-a5d56746ec7b.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-13T02:38:24Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"bf72a6316f6ed79299511e58d068836cdc71dbca5e23944f783c9340ffa0aee1","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-13T02:38:24Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/cc09b530b46a73b0d4ddb40e465580cff15db19d77e93e4903c9737647deeb1a"} {"level":"debug","ts":"2026-06-13T02:38:24Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"3c0d47082320c9bb02d3788ab2b052c696af91abc2ae438437ae71a26936c7c2","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-13T02:38:24Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/311b1be286674fd5684c9ac59b318287dade9769cfe4aeebd8c88e2dc6b72418","issuerUrl":"https://keycloak.apps.536890ea-040e-4de6-8e80-a5d56746ec7b.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-13T02:38:24Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/311b1be286674fd5684c9ac59b318287dade9769cfe4aeebd8c88e2dc6b72418"} {"level":"debug","ts":"2026-06-13T02:38:24Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/bf72a6316f6ed79299511e58d068836cdc71dbca5e23944f783c9340ffa0aee1","issuerUrl":"https://keycloak.apps.536890ea-040e-4de6-8e80-a5d56746ec7b.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-13T02:38:24Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/bf72a6316f6ed79299511e58d068836cdc71dbca5e23944f783c9340ffa0aee1"} {"level":"debug","ts":"2026-06-13T02:38:24Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/3c0d47082320c9bb02d3788ab2b052c696af91abc2ae438437ae71a26936c7c2","issuerUrl":"https://keycloak.apps.536890ea-040e-4de6-8e80-a5d56746ec7b.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-13T02:38:24Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/3c0d47082320c9bb02d3788ab2b052c696af91abc2ae438437ae71a26936c7c2"} {"level":"info","ts":"2026-06-13T02:38:24Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource de-indexed","authconfig":"kuadrant-system/3efb8e937aa19b5e0bdd0c3eb5b4ece33299385dcfc89205b8934853facbdcf0"} {"level":"info","ts":"2026-06-13T02:38:24Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource de-indexed","authconfig":"kuadrant-system/2200947db0f3acc41dd3fca21efa06f90c57afddd36d719bdda2dc74a0bd0a11"} {"level":"info","ts":"2026-06-13T02:38:50Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"a2c852ff-f5e5-43a2-92b5-8c3bd6cf2967","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.10:46824","PortSpecifier":{"PortValue":46824}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.24:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"a2c852ff-f5e5-43a2-92b5-8c3bd6cf2967","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.536890ea-040e-4de6-8e80-a5d56746ec7b.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-13T02:38:50Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"a2c852ff-f5e5-43a2-92b5-8c3bd6cf2967","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.10:46824","PortSpecifier":{"PortValue":46824}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.24:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781318330,"nanos":892989933},"http":{"id":"a2c852ff-f5e5-43a2-92b5-8c3bd6cf2967","method":"POST","headers":{":authority":"maas.apps.536890ea-040e-4de6-8e80-a5d56746ec7b.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-13T02:38:50Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"a2c852ff-f5e5-43a2-92b5-8c3bd6cf2967","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781318630,"groups":["Engineering","Project-Alpha"],"iat":1781318330,"iss":"https://keycloak.apps.536890ea-040e-4de6-8e80-a5d56746ec7b.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:b115b10b-9e26-e348-4be6-d4d92ab65939","preferred_username":"alice_lead","scope":"profile email","sid":"HubbKEq0Zy7Hr5hh_8643don","sub":"6fe5c680-1afb-4729-a711-946973440b98","typ":"Bearer"}} {"level":"debug","ts":"2026-06-13T02:38:50Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"a2c852ff-f5e5-43a2-92b5-8c3bd6cf2967","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781318630,"groups":["Engineering","Project-Alpha"],"iat":1781318330,"iss":"https://keycloak.apps.536890ea-040e-4de6-8e80-a5d56746ec7b.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:b115b10b-9e26-e348-4be6-d4d92ab65939","preferred_username":"alice_lead","scope":"profile email","sid":"HubbKEq0Zy7Hr5hh_8643don","sub":"6fe5c680-1afb-4729-a711-946973440b98","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.132.0.24:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.536890ea-040e-4de6-8e80-a5d56746ec7b.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-13T02:38:50Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"a2c852ff-f5e5-43a2-92b5-8c3bd6cf2967","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-13T02:38:50Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"a2c852ff-f5e5-43a2-92b5-8c3bd6cf2967","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-13T02:38:50Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"a2c852ff-f5e5-43a2-92b5-8c3bd6cf2967","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-13T02:38:50Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"a2c852ff-f5e5-43a2-92b5-8c3bd6cf2967","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"groups","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"userid","Value":{}},{"Name":"groups_str","Value":{}}]},"Plain":null},"reason":"no such key: metadata"} {"level":"debug","ts":"2026-06-13T02:38:50Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"a2c852ff-f5e5-43a2-92b5-8c3bd6cf2967","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"} {"level":"debug","ts":"2026-06-13T02:38:50Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"a2c852ff-f5e5-43a2-92b5-8c3bd6cf2967","config":{"Name":"X-MaaS-Tenant-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Tenant","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"models-as-a-service"} {"level":"debug","ts":"2026-06-13T02:38:50Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"a2c852ff-f5e5-43a2-92b5-8c3bd6cf2967","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"} {"level":"info","ts":"2026-06-13T02:38:50Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"a2c852ff-f5e5-43a2-92b5-8c3bd6cf2967","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-13T02:38:50Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"a2c852ff-f5e5-43a2-92b5-8c3bd6cf2967","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-13T02:38:51Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"af7d6d76-fbdf-430e-9bc4-4891ed409790","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.10:46830","PortSpecifier":{"PortValue":46830}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.24:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"af7d6d76-fbdf-430e-9bc4-4891ed409790","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.536890ea-040e-4de6-8e80-a5d56746ec7b.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-13T02:38:51Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"af7d6d76-fbdf-430e-9bc4-4891ed409790","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.10:46830","PortSpecifier":{"PortValue":46830}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.24:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781318331,"nanos":3145259},"http":{"id":"af7d6d76-fbdf-430e-9bc4-4891ed409790","method":"POST","headers":{":authority":"maas.apps.536890ea-040e-4de6-8e80-a5d56746ec7b.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-13T02:38:51Z","logger":"authorino.service.auth.authpipeline.identity","msg":"cannot validate identity","request id":"af7d6d76-fbdf-430e-9bc4-4891ed409790","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"reason":"failed to verify signature: failed to verify id token signature"} {"level":"debug","ts":"2026-06-13T02:38:51Z","logger":"authorino.service.auth.authpipeline.identity.kubernetesauth","msg":"calling kubernetes token review api","request id":"af7d6d76-fbdf-430e-9bc4-4891ed409790","tokenreview":{"name":""}} {"level":"debug","ts":"2026-06-13T02:38:51Z","logger":"authorino.service.auth.authpipeline.identity","msg":"cannot validate identity","request id":"af7d6d76-fbdf-430e-9bc4-4891ed409790","config":{"Name":"openshift-identities","Priority":2,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":null,"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"Plain":null,"Noop":null,"ExtendedProperties":[]},"reason":"not authenticated"} {"level":"info","ts":"2026-06-13T02:38:51Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"af7d6d76-fbdf-430e-9bc4-4891ed409790","authorized":false,"response":"UNAUTHENTICATED","object":{"code":16,"status":401,"message":"Authentication required"}} {"level":"debug","ts":"2026-06-13T02:38:51Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"af7d6d76-fbdf-430e-9bc4-4891ed409790","authorized":false,"response":"UNAUTHENTICATED","object":{"code":16,"status":401,"message":"Authentication required","headers":[{"WWW-Authenticate":"Bearer **** realm=\"openshift-identities\""},{"WWW-Authenticate":"request.headers.authorization realm=\"api-keys\""}]}} {"level":"info","ts":"2026-06-13T02:38:51Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"ec2a8a57-418a-49a6-a820-555963c0c730","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.10:46838","PortSpecifier":{"PortValue":46838}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.24:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"ec2a8a57-418a-49a6-a820-555963c0c730","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.536890ea-040e-4de6-8e80-a5d56746ec7b.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-13T02:38:51Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"ec2a8a57-418a-49a6-a820-555963c0c730","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.10:46838","PortSpecifier":{"PortValue":46838}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.24:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781318331,"nanos":44846004},"http":{"id":"ec2a8a57-418a-49a6-a820-555963c0c730","method":"POST","headers":{":authority":"maas.apps.536890ea-040e-4de6-8e80-a5d56746ec7b.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer","content-length":"35","content-type":"application/json","forwarded":"for=44.212.242.249;host=maas.apps.536890ea-040e-4de6-8e80-a5d56746ec7b.prod.konfluxeaas.com;proto=https","user-agent":"python-requests/2.32.5","x-envoy-decorator-operation":"maas-api.opendatahub.svc.cluster.local:8443/*","x-envoy-external-address":"10.133.0.10","x-envoy-peer-metadata":"ChoKCkNMVVNURVJfSUQSDBoKS3ViZXJuZXRlcwqLAQoGTEFCRUxTEoABKn4KSwofc2VydmljZS5pc3Rpby5pby9jYW5vbmljYWwtbmFtZRIoGiZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAovCiNzZXJ2aWNlLmlzdGlvLmlvL2Nhbm9uaWNhbC1yZXZpc2lvbhIIGgZsYXRlc3QKQAoETkFNRRI4GjZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdC02ODdmZjY5OTYtZ2xsNnYKIAoJTkFNRVNQQUNFEhMaEW9wZW5zaGlmdC1pbmdyZXNzCnQKBU9XTkVSEmsaaWt1YmVybmV0ZXM6Ly9hcGlzL2FwcHMvdjEvbmFtZXNwYWNlcy9vcGVuc2hpZnQtaW5ncmVzcy9kZXBsb3ltZW50cy9tYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAo5Cg1XT1JLTE9BRF9OQU1FEigaJm1hYXMtZGVmYXVsdC1nYXRld2F5LW9wZW5zaGlmdC1kZWZhdWx0","x-envoy-peer-metadata-id":"router~10.132.0.24~maas-default-gateway-openshift-default-687ff6996-gll6v.openshift-ingress~openshift-ingress.svc.cluster.local","x-forwarded-for":"44.212.242.249,10.133.0.10","x-forwarded-host":"maas.apps.536890ea-040e-4de6-8e80-a5d56746ec7b.prod.konfluxeaas.com","x-forwarded-port":"443","x-forwarded-proto":"https","x-request-id":"ec2a8a57-418a-49a6-a820-555963c0c730"},"path":"/maas-api/v1/api-keys","host":"maas.apps.536890ea-040e-4de6-8e80-a5d56746ec7b.prod.konfluxeaas.com","scheme":"https","protocol":"HTTP/1.1"}},"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"metadata_context":{}}} {"level":"debug","ts":"2026-06-13T02:38:51Z","logger":"authorino.service.auth.authpipeline.identity","msg":"cannot validate identity","request id":"ec2a8a57-418a-49a6-a820-555963c0c730","config":{"Name":"openshift-identities","Priority":2,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":null,"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"Plain":null,"Noop":null,"ExtendedProperties":[]},"reason":"credential not found"} {"level":"info","ts":"2026-06-13T02:38:51Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"ec2a8a57-418a-49a6-a820-555963c0c730","authorized":false,"response":"UNAUTHENTICATED","object":{"code":16,"status":401,"message":"Authentication required"}} {"level":"debug","ts":"2026-06-13T02:38:51Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"ec2a8a57-418a-49a6-a820-555963c0c730","authorized":false,"response":"UNAUTHENTICATED","object":{"code":16,"status":401,"message":"Authentication required","headers":[{"WWW-Authenticate":"Bearer **** realm=\"openshift-identities\""},{"WWW-Authenticate":"request.headers.authorization realm=\"api-keys\""}]}} {"level":"info","ts":"2026-06-13T02:38:51Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"5d8824ee-dfab-43e0-a57c-bf0c6fd2c339","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.10:46854","PortSpecifier":{"PortValue":46854}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.24:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"5d8824ee-dfab-43e0-a57c-bf0c6fd2c339","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.536890ea-040e-4de6-8e80-a5d56746ec7b.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-13T02:38:51Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"5d8824ee-dfab-43e0-a57c-bf0c6fd2c339","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.10:46854","PortSpecifier":{"PortValue":46854}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.24:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781318331,"nanos":70347492},"http":{"id":"5d8824ee-dfab-43e0-a57c-bf0c6fd2c339","method":"POST","headers":{":authority":"maas.apps.536890ea-040e-4de6-8e80-a5d56746ec7b.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","content-length":"36","content-type":"application/json","forwarded":"for=44.212.242.249;host=maas.apps.536890ea-040e-4de6-8e80-a5d56746ec7b.prod.konfluxeaas.com;proto=https","user-agent":"python-requests/2.32.5","x-envoy-decorator-operation":"maas-api.opendatahub.svc.cluster.local:8443/*","x-envoy-external-address":"10.133.0.10","x-envoy-peer-metadata":"ChoKCkNMVVNURVJfSUQSDBoKS3ViZXJuZXRlcwqLAQoGTEFCRUxTEoABKn4KSwofc2VydmljZS5pc3Rpby5pby9jYW5vbmljYWwtbmFtZRIoGiZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAovCiNzZXJ2aWNlLmlzdGlvLmlvL2Nhbm9uaWNhbC1yZXZpc2lvbhIIGgZsYXRlc3QKQAoETkFNRRI4GjZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdC02ODdmZjY5OTYtZ2xsNnYKIAoJTkFNRVNQQUNFEhMaEW9wZW5zaGlmdC1pbmdyZXNzCnQKBU9XTkVSEmsaaWt1YmVybmV0ZXM6Ly9hcGlzL2FwcHMvdjEvbmFtZXNwYWNlcy9vcGVuc2hpZnQtaW5ncmVzcy9kZXBsb3ltZW50cy9tYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAo5Cg1XT1JLTE9BRF9OQU1FEigaJm1hYXMtZGVmYXVsdC1nYXRld2F5LW9wZW5zaGlmdC1kZWZhdWx0","x-envoy-peer-metadata-id":"router~10.132.0.24~maas-default-gateway-openshift-default-687ff6996-gll6v.openshift-ingress~openshift-ingress.svc.cluster.local","x-forwarded-for":"44.212.242.249,10.133.0.10","x-forwarded-host":"maas.apps.536890ea-040e-4de6-8e80-a5d56746ec7b.prod.konfluxeaas.com","x-forwarded-port":"443","x-forwarded-proto":"https","x-request-id":"5d8824ee-dfab-43e0-a57c-bf0c6fd2c339"},"path":"/maas-api/v1/api-keys","host":"maas.apps.536890ea-040e-4de6-8e80-a5d56746ec7b.prod.konfluxeaas.com","scheme":"https","protocol":"HTTP/1.1"}},"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"metadata_context":{}}} {"level":"info","ts":"2026-06-13T02:38:51Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"5d8824ee-dfab-43e0-a57c-bf0c6fd2c339","authorized":false,"response":"UNAUTHENTICATED","object":{"code":16,"status":401,"message":"Authentication required"}} {"level":"debug","ts":"2026-06-13T02:38:51Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"5d8824ee-dfab-43e0-a57c-bf0c6fd2c339","authorized":false,"response":"UNAUTHENTICATED","object":{"code":16,"status":401,"message":"Authentication required","headers":[{"WWW-Authenticate":"Bearer **** realm=\"openshift-identities\""},{"WWW-Authenticate":"request.headers.authorization realm=\"api-keys\""}]}} {"level":"info","ts":"2026-06-13T02:38:51Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"d9a0863e-62fe-4f31-8c60-86778c0f9ab2","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.10:46864","PortSpecifier":{"PortValue":46864}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.24:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"d9a0863e-62fe-4f31-8c60-86778c0f9ab2","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.536890ea-040e-4de6-8e80-a5d56746ec7b.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-13T02:38:51Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"d9a0863e-62fe-4f31-8c60-86778c0f9ab2","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.10:46864","PortSpecifier":{"PortValue":46864}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.24:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781318331,"nanos":426927163},"http":{"id":"d9a0863e-62fe-4f31-8c60-86778c0f9ab2","method":"POST","headers":{":authority":"maas.apps.536890ea-040e-4de6-8e80-a5d56746ec7b.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-13T02:38:51Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"d9a0863e-62fe-4f31-8c60-86778c0f9ab2","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781318631,"groups":["Site-Reliability"],"iat":1781318331,"iss":"https://keycloak.apps.536890ea-040e-4de6-8e80-a5d56746ec7b.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:e61d4df7-58e8-454e-607c-e5bbabf42833","preferred_username":"bob_sre","scope":"profile email","sid":"Y-09s8mDZcgscz6kVvkRZ6Xk","sub":"e7ebef78-05b0-4781-9528-b5ce7f4db6e1","typ":"Bearer"}} {"level":"debug","ts":"2026-06-13T02:38:51Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"d9a0863e-62fe-4f31-8c60-86778c0f9ab2","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781318631,"groups":["Site-Reliability"],"iat":1781318331,"iss":"https://keycloak.apps.536890ea-040e-4de6-8e80-a5d56746ec7b.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:e61d4df7-58e8-454e-607c-e5bbabf42833","preferred_username":"bob_sre","scope":"profile email","sid":"Y-09s8mDZcgscz6kVvkRZ6Xk","sub":"e7ebef78-05b0-4781-9528-b5ce7f4db6e1","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.132.0.24:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.536890ea-040e-4de6-8e80-a5d56746ec7b.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-13T02:38:51Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"d9a0863e-62fe-4f31-8c60-86778c0f9ab2","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-13T02:38:51Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"d9a0863e-62fe-4f31-8c60-86778c0f9ab2","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-13T02:38:51Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"d9a0863e-62fe-4f31-8c60-86778c0f9ab2","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-13T02:38:51Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"d9a0863e-62fe-4f31-8c60-86778c0f9ab2","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"groups","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"userid","Value":{}},{"Name":"groups_str","Value":{}}]},"Plain":null},"reason":"no such key: metadata"} {"level":"debug","ts":"2026-06-13T02:38:51Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"d9a0863e-62fe-4f31-8c60-86778c0f9ab2","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"bob_sre"} {"level":"debug","ts":"2026-06-13T02:38:51Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"d9a0863e-62fe-4f31-8c60-86778c0f9ab2","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Site-Reliability\"]"} {"level":"debug","ts":"2026-06-13T02:38:51Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"d9a0863e-62fe-4f31-8c60-86778c0f9ab2","config":{"Name":"X-MaaS-Tenant-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Tenant","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"models-as-a-service"} {"level":"info","ts":"2026-06-13T02:38:51Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"d9a0863e-62fe-4f31-8c60-86778c0f9ab2","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-13T02:38:51Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"d9a0863e-62fe-4f31-8c60-86778c0f9ab2","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-13T02:38:51Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"3d2bab26-2883-4dfd-ae82-25229ab1fb01","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.10:46878","PortSpecifier":{"PortValue":46878}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.24:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"3d2bab26-2883-4dfd-ae82-25229ab1fb01","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.536890ea-040e-4de6-8e80-a5d56746ec7b.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-13T02:38:51Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"3d2bab26-2883-4dfd-ae82-25229ab1fb01","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.10:46878","PortSpecifier":{"PortValue":46878}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.24:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781318331,"nanos":647510983},"http":{"id":"3d2bab26-2883-4dfd-ae82-25229ab1fb01","method":"POST","headers":{":authority":"maas.apps.536890ea-040e-4de6-8e80-a5d56746ec7b.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-13T02:38:51Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"3d2bab26-2883-4dfd-ae82-25229ab1fb01","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781318631,"groups":["Engineering","Project-Alpha"],"iat":1781318331,"iss":"https://keycloak.apps.536890ea-040e-4de6-8e80-a5d56746ec7b.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:98145b47-8d3c-c672-3f6d-734effd7fecb","preferred_username":"alice_lead","scope":"profile email","sid":"Xy9bZ8EM0ZYR7eJRo5JpNaXd","sub":"6fe5c680-1afb-4729-a711-946973440b98","typ":"Bearer"}} {"level":"debug","ts":"2026-06-13T02:38:51Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"3d2bab26-2883-4dfd-ae82-25229ab1fb01","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781318631,"groups":["Engineering","Project-Alpha"],"iat":1781318331,"iss":"https://keycloak.apps.536890ea-040e-4de6-8e80-a5d56746ec7b.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:98145b47-8d3c-c672-3f6d-734effd7fecb","preferred_username":"alice_lead","scope":"profile email","sid":"Xy9bZ8EM0ZYR7eJRo5JpNaXd","sub":"6fe5c680-1afb-4729-a711-946973440b98","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.132.0.24:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.536890ea-040e-4de6-8e80-a5d56746ec7b.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-13T02:38:51Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"3d2bab26-2883-4dfd-ae82-25229ab1fb01","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-13T02:38:51Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"3d2bab26-2883-4dfd-ae82-25229ab1fb01","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-13T02:38:51Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"3d2bab26-2883-4dfd-ae82-25229ab1fb01","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-13T02:38:51Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"3d2bab26-2883-4dfd-ae82-25229ab1fb01","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"groups","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"userid","Value":{}},{"Name":"groups_str","Value":{}}]},"Plain":null},"reason":"no such key: metadata"} {"level":"debug","ts":"2026-06-13T02:38:51Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"3d2bab26-2883-4dfd-ae82-25229ab1fb01","config":{"Name":"X-MaaS-Tenant-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Tenant","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"models-as-a-service"} {"level":"debug","ts":"2026-06-13T02:38:51Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"3d2bab26-2883-4dfd-ae82-25229ab1fb01","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"} {"level":"debug","ts":"2026-06-13T02:38:51Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"3d2bab26-2883-4dfd-ae82-25229ab1fb01","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"} {"level":"info","ts":"2026-06-13T02:38:51Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"3d2bab26-2883-4dfd-ae82-25229ab1fb01","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-13T02:38:51Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"3d2bab26-2883-4dfd-ae82-25229ab1fb01","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-13T02:38:51Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"945e9c94-7cbe-41b1-9a07-7f5a4f70b64e","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.10:46884","PortSpecifier":{"PortValue":46884}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.24:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"945e9c94-7cbe-41b1-9a07-7f5a4f70b64e","method":"GET","path":"/maas-api/v1/models","host":"maas.apps.536890ea-040e-4de6-8e80-a5d56746ec7b.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-13T02:38:51Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"945e9c94-7cbe-41b1-9a07-7f5a4f70b64e","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.10:46884","PortSpecifier":{"PortValue":46884}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.24:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781318331,"nanos":677725759},"http":{"id":"945e9c94-7cbe-41b1-9a07-7f5a4f70b64e","method":"GET","headers":{":authority":"maas.apps.536890ea-040e-4de6-8e80-a5d56746ec7b.prod.konfluxeaas.com",":method":"GET",":path":"/maas-api/v1/models",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-13T02:38:51Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"945e9c94-7cbe-41b1-9a07-7f5a4f70b64e","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-lY3t13AtJb9auKIn_N9eEI1k3XTtZaF4gCI9Y37UqMBEUwERJ2QthsRvOnfa"} {"level":"debug","ts":"2026-06-13T02:38:51Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"945e9c94-7cbe-41b1-9a07-7f5a4f70b64e","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-lY3t13AtJb9auKIn_N9eEI1k3XTtZaF4gCI9Y37UqMBEUwERJ2QthsRvOnfa\"}"} {"level":"debug","ts":"2026-06-13T02:38:51Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"945e9c94-7cbe-41b1-9a07-7f5a4f70b64e","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-13T02:38:51Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"945e9c94-7cbe-41b1-9a07-7f5a4f70b64e","input":{"auth":{"identity":"Bearer **** deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-13T02:38:51Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"945e9c94-7cbe-41b1-9a07-7f5a4f70b64e","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-13T02:38:51Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"945e9c94-7cbe-41b1-9a07-7f5a4f70b64e","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-13T02:38:51Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"945e9c94-7cbe-41b1-9a07-7f5a4f70b64e","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-13T02:38:51Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"945e9c94-7cbe-41b1-9a07-7f5a4f70b64e","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-13T02:38:51Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"945e9c94-7cbe-41b1-9a07-7f5a4f70b64e","config":{"Name":"X-MaaS-Tenant","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-13T02:38:51Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"945e9c94-7cbe-41b1-9a07-7f5a4f70b64e","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-13T02:38:51Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"945e9c94-7cbe-41b1-9a07-7f5a4f70b64e","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"groups","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"userid","Value":{}},{"Name":"groups_str","Value":{}}]},"Plain":null},"reason":"no such key: subscription-info"} {"level":"debug","ts":"2026-06-13T02:38:51Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"945e9c94-7cbe-41b1-9a07-7f5a4f70b64e","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"} {"level":"info","ts":"2026-06-13T02:38:51Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"945e9c94-7cbe-41b1-9a07-7f5a4f70b64e","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-13T02:38:51Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"945e9c94-7cbe-41b1-9a07-7f5a4f70b64e","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-13T02:38:51Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"16c0b00e-e9c1-450d-a04b-6b2c7d6d4d9e","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.58:54008","PortSpecifier":{"PortValue":54008}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.24:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"16c0b00e-e9c1-450d-a04b-6b2c7d6d4d9e","method":"GET","path":"/llm/facebook-opt-125m-simulated/v1/models","host":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local","scheme":"https"}}}} {"level":"debug","ts":"2026-06-13T02:38:51Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"16c0b00e-e9c1-450d-a04b-6b2c7d6d4d9e","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.58:54008","PortSpecifier":{"PortValue":54008}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.24:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781318331,"nanos":694134680},"http":{"id":"16c0b00e-e9c1-450d-a04b-6b2c7d6d4d9e","method":"GET","headers":{":authority":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local",":method":"GET",":path":"/llm/facebook-opt-125m-simulated/v1/models",":scheme":"https","accept-encoding":"gzip","authorization":"Bearer **** {"level":"debug","ts":"2026-06-13T02:38:51Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"16c0b00e-e9c1-450d-a04b-6b2c7d6d4d9e","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-lY3t13AtJb9auKIn_N9eEI1k3XTtZaF4gCI9Y37UqMBEUwERJ2QthsRvOnfa"} {"level":"debug","ts":"2026-06-13T02:38:51Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"16c0b00e-e9c1-450d-a04b-6b2c7d6d4d9e","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-lY3t13AtJb9auKIn_N9eEI1k3XTtZaF4gCI9Y37UqMBEUwERJ2QthsRvOnfa\"}"} {"level":"debug","ts":"2026-06-13T02:38:51Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"16c0b00e-e9c1-450d-a04b-6b2c7d6d4d9e","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-13T02:38:51Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"16c0b00e-e9c1-450d-a04b-6b2c7d6d4d9e","config":"subscription-info","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","headers":{"Content-Type":["application/json"]},"body":"{\"groups\":[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"],\"requestedModel\":\"llm/facebook-opt-125m-simulated\",\"requestedSubscription\":\"simulator-subscription\",\"username\":\"alice_lead\"}"} {"level":"debug","ts":"2026-06-13T02:38:51Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"16c0b00e-e9c1-450d-a04b-6b2c7d6d4d9e","config":{"Name":"subscription-info","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"UserInfo":null,"UMA":null,"GenericHTTP":{"Endpoint":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","DynamicEndpoint":null,"Method":"POST","Body":{},"Parameters":[],"Headers":[],"ContentType":"application/json","SharedSecret":"","OAuth2":null,"OAuth2TokenForceFetch":false,"AuthCredentials":null}},"object":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}} {"level":"debug","ts":"2026-06-13T02:38:51Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"16c0b00e-e9c1-450d-a04b-6b2c7d6d4d9e","input":{"auth":{"identity":"Bearer **** subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}}},"context":{"context_extensions":{"host":"3dd75e19cd66d310c30638e330078972afd6d2d96305f91055bc6a6f363fb8d3"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.132.0.24:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local",":method":"GET",":path":"/llm/facebook-opt-125m-simulated/v1/models",":scheme":"https","accept-encoding":"gzip","authorization":"Bearer **** sk-oai-lY3t13AtJb9auKIn_N9eEI1k3XTtZaF4gCI9Y37UqMBEUwERJ2QthsRvOnfa","user-agent":"Go-http-client/1.1","x-envoy-decorator-operation":"facebook-opt-125m-simulated-kserve-workload-svc.llm.svc.cluster.local:8000/*","x-envoy-external-address":"10.133.0.58","x-envoy-peer-metadata":"ChoKCkNMVVNURVJfSUQSDBoKS3ViZXJuZXRlcwqLAQoGTEFCRUxTEoABKn4KSwofc2VydmljZS5pc3Rpby5pby9jYW5vbmljYWwtbmFtZRIoGiZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAovCiNzZXJ2aWNlLmlzdGlvLmlvL2Nhbm9uaWNhbC1yZXZpc2lvbhIIGgZsYXRlc3QKQAoETkFNRRI4GjZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdC02ODdmZjY5OTYtZ2xsNnYKIAoJTkFNRVNQQUNFEhMaEW9wZW5zaGlmdC1pbmdyZXNzCnQKBU9XTkVSEmsaaWt1YmVybmV0ZXM6Ly9hcGlzL2FwcHMvdjEvbmFtZXNwYWNlcy9vcGVuc2hpZnQtaW5ncmVzcy9kZXBsb3ltZW50cy9tYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAo5Cg1XT1JLTE9BRF9OQU1FEigaJm1hYXMtZGVmYXVsdC1nYXRld2F5LW9wZW5zaGlmdC1kZWZhdWx0","x-envoy-peer-metadata-id":"router~10.132.0.24~maas-default-gateway-openshift-default-687ff6996-gll6v.openshift-ingress~openshift-ingress.svc.cluster.local","x-forwarded-for":"10.133.0.58","x-forwarded-proto":"https","x-maas-subscription":"simulator-subscription","x-request-id":"16c0b00e-e9c1-450d-a04b-6b2c7d6d4d9e"},"host":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local","id":"16c0b00e-e9c1-450d-a04b-6b2c7d6d4d9e","method":"GET","path":"/llm/facebook-opt-125m-simulated/v1/models","protocol":"HTTP/1.1","scheme":"https","time":{"nanos":694134680,"seconds":1781318331},"url_path":"/llm/facebook-opt-125m-simulated/v1/models","user_agent":"Go-http-client/1.1"},"source":{"address":"10.133.0.58:54008","port":54008}}} {"level":"debug","ts":"2026-06-13T02:38:51Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"16c0b00e-e9c1-450d-a04b-6b2c7d6d4d9e","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-13T02:38:51Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"16c0b00e-e9c1-450d-a04b-6b2c7d6d4d9e","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-13T02:38:51Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"16c0b00e-e9c1-450d-a04b-6b2c7d6d4d9e","config":{"Name":"subscription-valid","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-13T02:38:51Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"16c0b00e-e9c1-450d-a04b-6b2c7d6d4d9e","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-13T02:38:51Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"16c0b00e-e9c1-450d-a04b-6b2c7d6d4d9e","config":{"Name":"X-MaaS-Tenant","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-13T02:38:51Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"16c0b00e-e9c1-450d-a04b-6b2c7d6d4d9e","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-13T02:38:51Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"16c0b00e-e9c1-450d-a04b-6b2c7d6d4d9e","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-13T02:38:51Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"16c0b00e-e9c1-450d-a04b-6b2c7d6d4d9e","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"} {"level":"debug","ts":"2026-06-13T02:38:51Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"16c0b00e-e9c1-450d-a04b-6b2c7d6d4d9e","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"groups","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"userid","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error","Value":{}}]},"Plain":null},"object":{"groups":["system:authenticated","Engineering","Project-Alpha"],"groups_str":"system:authenticated,Engineering,Project-Alpha","keyId":"a925360f-f21f-476f-88f8-8c4adbc09a54","selected_subscription":"simulator-subscription","selected_subscription_key":"models-as-a-service/simulator-subscription@llm/facebook-opt-125m-simulated","subscription_error":"","subscription_error_message":"","subscription_info":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true},"userid":"alice_lead"}} {"level":"info","ts":"2026-06-13T02:38:51Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"16c0b00e-e9c1-450d-a04b-6b2c7d6d4d9e","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-13T02:38:51Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"16c0b00e-e9c1-450d-a04b-6b2c7d6d4d9e","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-13T02:38:51Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"686f49cd-778e-4b3e-b122-c548a633f0fb","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.10:46892","PortSpecifier":{"PortValue":46892}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.24:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"686f49cd-778e-4b3e-b122-c548a633f0fb","method":"POST","path":"/llm/facebook-opt-125m-simulated/v1/chat/completions","host":"maas.apps.536890ea-040e-4de6-8e80-a5d56746ec7b.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-13T02:38:51Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"686f49cd-778e-4b3e-b122-c548a633f0fb","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.10:46892","PortSpecifier":{"PortValue":46892}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.24:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781318331,"nanos":727671473},"http":{"id":"686f49cd-778e-4b3e-b122-c548a633f0fb","method":"POST","headers":{":authority":"maas.apps.536890ea-040e-4de6-8e80-a5d56746ec7b.prod.konfluxeaas.com",":method":"POST",":path":"/llm/facebook-opt-125m-simulated/v1/chat/completions",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-13T02:38:51Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"686f49cd-778e-4b3e-b122-c548a633f0fb","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-lY3t13AtJb9auKIn_N9eEI1k3XTtZaF4gCI9Y37UqMBEUwERJ2QthsRvOnfa"} {"level":"debug","ts":"2026-06-13T02:38:51Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"686f49cd-778e-4b3e-b122-c548a633f0fb","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-lY3t13AtJb9auKIn_N9eEI1k3XTtZaF4gCI9Y37UqMBEUwERJ2QthsRvOnfa\"}"} {"level":"debug","ts":"2026-06-13T02:38:51Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"686f49cd-778e-4b3e-b122-c548a633f0fb","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-13T02:38:51Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"686f49cd-778e-4b3e-b122-c548a633f0fb","config":"subscription-info","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","headers":{"Content-Type":["application/json"]},"body":"{\"groups\":[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"],\"requestedModel\":\"llm/facebook-opt-125m-simulated\",\"requestedSubscription\":\"simulator-subscription\",\"username\":\"alice_lead\"}"} {"level":"debug","ts":"2026-06-13T02:38:51Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"686f49cd-778e-4b3e-b122-c548a633f0fb","config":{"Name":"subscription-info","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"UserInfo":null,"UMA":null,"GenericHTTP":{"Endpoint":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","DynamicEndpoint":null,"Method":"POST","Body":{},"Parameters":[],"Headers":[],"ContentType":"application/json","SharedSecret":"","OAuth2":null,"OAuth2TokenForceFetch":false,"AuthCredentials":null}},"object":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}} {"level":"debug","ts":"2026-06-13T02:38:51Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"686f49cd-778e-4b3e-b122-c548a633f0fb","input":{"auth":{"identity":"Bearer **** subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}}},"context":{"context_extensions":{"host":"18e32965997cdd9967355c6fa5264ed12c0a215989d459ed88d7d6de02865f76"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.132.0.24:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.536890ea-040e-4de6-8e80-a5d56746ec7b.prod.konfluxeaas.com",":method":"POST",":path":"/llm/facebook-opt-125m-simulated/v1/chat/completions",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-13T02:38:51Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"686f49cd-778e-4b3e-b122-c548a633f0fb","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-13T02:38:51Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"686f49cd-778e-4b3e-b122-c548a633f0fb","config":{"Name":"subscription-valid","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-13T02:38:51Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"686f49cd-778e-4b3e-b122-c548a633f0fb","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-13T02:38:51Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"686f49cd-778e-4b3e-b122-c548a633f0fb","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-13T02:38:51Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"686f49cd-778e-4b3e-b122-c548a633f0fb","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-13T02:38:51Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"686f49cd-778e-4b3e-b122-c548a633f0fb","config":{"Name":"X-MaaS-Tenant","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-13T02:38:51Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"686f49cd-778e-4b3e-b122-c548a633f0fb","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-13T02:38:51Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"686f49cd-778e-4b3e-b122-c548a633f0fb","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"} {"level":"debug","ts":"2026-06-13T02:38:51Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"686f49cd-778e-4b3e-b122-c548a633f0fb","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"selected_subscription","Value":{}},{"Name":"userid","Value":{}},{"Name":"groups","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"keyId","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"groups_str","Value":{}}]},"Plain":null},"object":{"groups":["system:authenticated","Engineering","Project-Alpha"],"groups_str":"system:authenticated,Engineering,Project-Alpha","keyId":"a925360f-f21f-476f-88f8-8c4adbc09a54","selected_subscription":"simulator-subscription","selected_subscription_key":"models-as-a-service/simulator-subscription@llm/facebook-opt-125m-simulated","subscription_error":"","subscription_error_message":"","subscription_info":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true},"userid":"alice_lead"}} {"level":"info","ts":"2026-06-13T02:38:51Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"686f49cd-778e-4b3e-b122-c548a633f0fb","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-13T02:38:51Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"686f49cd-778e-4b3e-b122-c548a633f0fb","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-13T02:38:51Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"759ff672-ef36-46d0-964c-a36f3577def7","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.10:46894","PortSpecifier":{"PortValue":46894}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.24:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"759ff672-ef36-46d0-964c-a36f3577def7","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.536890ea-040e-4de6-8e80-a5d56746ec7b.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-13T02:38:51Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"759ff672-ef36-46d0-964c-a36f3577def7","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.10:46894","PortSpecifier":{"PortValue":46894}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.24:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781318331,"nanos":825891542},"http":{"id":"759ff672-ef36-46d0-964c-a36f3577def7","method":"POST","headers":{":authority":"maas.apps.536890ea-040e-4de6-8e80-a5d56746ec7b.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-13T02:38:51Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"759ff672-ef36-46d0-964c-a36f3577def7","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781318631,"groups":["Engineering","Project-Alpha"],"iat":1781318331,"iss":"https://keycloak.apps.536890ea-040e-4de6-8e80-a5d56746ec7b.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:5bb95147-8f7b-c1cc-6bf9-391209c157a4","preferred_username":"alice_lead","scope":"profile email","sid":"gAd2En3XTyZ1oa97ODzIJz86","sub":"6fe5c680-1afb-4729-a711-946973440b98","typ":"Bearer"}} {"level":"debug","ts":"2026-06-13T02:38:51Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"759ff672-ef36-46d0-964c-a36f3577def7","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781318631,"groups":["Engineering","Project-Alpha"],"iat":1781318331,"iss":"https://keycloak.apps.536890ea-040e-4de6-8e80-a5d56746ec7b.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:5bb95147-8f7b-c1cc-6bf9-391209c157a4","preferred_username":"alice_lead","scope":"profile email","sid":"gAd2En3XTyZ1oa97ODzIJz86","sub":"6fe5c680-1afb-4729-a711-946973440b98","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.132.0.24:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.536890ea-040e-4de6-8e80-a5d56746ec7b.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-13T02:38:51Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"759ff672-ef36-46d0-964c-a36f3577def7","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-13T02:38:51Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"759ff672-ef36-46d0-964c-a36f3577def7","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-13T02:38:51Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"759ff672-ef36-46d0-964c-a36f3577def7","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-13T02:38:51Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"759ff672-ef36-46d0-964c-a36f3577def7","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"groups","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"userid","Value":{}},{"Name":"groups_str","Value":{}}]},"Plain":null},"reason":"no such key: metadata"} {"level":"debug","ts":"2026-06-13T02:38:51Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"759ff672-ef36-46d0-964c-a36f3577def7","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"} {"level":"debug","ts":"2026-06-13T02:38:51Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"759ff672-ef36-46d0-964c-a36f3577def7","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"} {"level":"debug","ts":"2026-06-13T02:38:51Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"759ff672-ef36-46d0-964c-a36f3577def7","config":{"Name":"X-MaaS-Tenant-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Tenant","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"models-as-a-service"} {"level":"info","ts":"2026-06-13T02:38:51Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"759ff672-ef36-46d0-964c-a36f3577def7","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-13T02:38:51Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"759ff672-ef36-46d0-964c-a36f3577def7","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-13T02:38:51Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"118155c9-7946-40da-91a2-9c1091fb5143","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.10:46904","PortSpecifier":{"PortValue":46904}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.24:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"118155c9-7946-40da-91a2-9c1091fb5143","method":"DELETE","path":"/maas-api/v1/api-keys/d06152a9-f9d7-4582-8621-29a83a20ff8b","host":"maas.apps.536890ea-040e-4de6-8e80-a5d56746ec7b.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-13T02:38:51Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"118155c9-7946-40da-91a2-9c1091fb5143","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.10:46904","PortSpecifier":{"PortValue":46904}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.24:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781318331,"nanos":856468762},"http":{"id":"118155c9-7946-40da-91a2-9c1091fb5143","method":"DELETE","headers":{":authority":"maas.apps.536890ea-040e-4de6-8e80-a5d56746ec7b.prod.konfluxeaas.com",":method":"DELETE",":path":"/maas-api/v1/api-keys/d06152a9-f9d7-4582-8621-29a83a20ff8b",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-13T02:38:51Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"118155c9-7946-40da-91a2-9c1091fb5143","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781318631,"groups":["Engineering","Project-Alpha"],"iat":1781318331,"iss":"https://keycloak.apps.536890ea-040e-4de6-8e80-a5d56746ec7b.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:5bb95147-8f7b-c1cc-6bf9-391209c157a4","preferred_username":"alice_lead","scope":"profile email","sid":"gAd2En3XTyZ1oa97ODzIJz86","sub":"6fe5c680-1afb-4729-a711-946973440b98","typ":"Bearer"}} {"level":"debug","ts":"2026-06-13T02:38:51Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"118155c9-7946-40da-91a2-9c1091fb5143","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781318631,"groups":["Engineering","Project-Alpha"],"iat":1781318331,"iss":"https://keycloak.apps.536890ea-040e-4de6-8e80-a5d56746ec7b.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:5bb95147-8f7b-c1cc-6bf9-391209c157a4","preferred_username":"alice_lead","scope":"profile email","sid":"gAd2En3XTyZ1oa97ODzIJz86","sub":"6fe5c680-1afb-4729-a711-946973440b98","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.132.0.24:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.536890ea-040e-4de6-8e80-a5d56746ec7b.prod.konfluxeaas.com",":method":"DELETE",":path":"/maas-api/v1/api-keys/d06152a9-f9d7-4582-8621-29a83a20ff8b",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-13T02:38:51Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"118155c9-7946-40da-91a2-9c1091fb5143","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-13T02:38:51Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"118155c9-7946-40da-91a2-9c1091fb5143","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-13T02:38:51Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"118155c9-7946-40da-91a2-9c1091fb5143","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-13T02:38:51Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"118155c9-7946-40da-91a2-9c1091fb5143","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"groups","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"userid","Value":{}},{"Name":"groups_str","Value":{}}]},"Plain":null},"reason":"no such key: metadata"} {"level":"debug","ts":"2026-06-13T02:38:51Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"118155c9-7946-40da-91a2-9c1091fb5143","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"} {"level":"debug","ts":"2026-06-13T02:38:51Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"118155c9-7946-40da-91a2-9c1091fb5143","config":{"Name":"X-MaaS-Tenant-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Tenant","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"models-as-a-service"} {"level":"debug","ts":"2026-06-13T02:38:51Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"118155c9-7946-40da-91a2-9c1091fb5143","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"} {"level":"info","ts":"2026-06-13T02:38:51Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"118155c9-7946-40da-91a2-9c1091fb5143","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-13T02:38:51Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"118155c9-7946-40da-91a2-9c1091fb5143","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-13T02:38:54Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"dff66b82-39c8-4f07-af35-c12ef2f73a9a","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.10:46918","PortSpecifier":{"PortValue":46918}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.24:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"dff66b82-39c8-4f07-af35-c12ef2f73a9a","method":"GET","path":"/maas-api/v1/models","host":"maas.apps.536890ea-040e-4de6-8e80-a5d56746ec7b.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-13T02:38:54Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"dff66b82-39c8-4f07-af35-c12ef2f73a9a","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.10:46918","PortSpecifier":{"PortValue":46918}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.24:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781318334,"nanos":888519707},"http":{"id":"dff66b82-39c8-4f07-af35-c12ef2f73a9a","method":"GET","headers":{":authority":"maas.apps.536890ea-040e-4de6-8e80-a5d56746ec7b.prod.konfluxeaas.com",":method":"GET",":path":"/maas-api/v1/models",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-13T02:38:54Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"dff66b82-39c8-4f07-af35-c12ef2f73a9a","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-ApkPPxZJLVPsfZq_eaHvttYSdktQerTidZWueXyNetjvCDEi7ewFdsOBjxC"} {"level":"debug","ts":"2026-06-13T02:38:54Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"dff66b82-39c8-4f07-af35-c12ef2f73a9a","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-ApkPPxZJLVPsfZq_eaHvttYSdktQerTidZWueXyNetjvCDEi7ewFdsOBjxC\"}"} {"level":"debug","ts":"2026-06-13T02:38:54Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"dff66b82-39c8-4f07-af35-c12ef2f73a9a","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** revoked or expired","tenant":"","valid":false}} {"level":"debug","ts":"2026-06-13T02:38:54Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"dff66b82-39c8-4f07-af35-c12ef2f73a9a","input":{"auth":{"identity":"Bearer **** revoked or expired","tenant":"","valid":false}}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.132.0.24:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.536890ea-040e-4de6-8e80-a5d56746ec7b.prod.konfluxeaas.com",":method":"GET",":path":"/maas-api/v1/models",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-13T02:38:54Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"dff66b82-39c8-4f07-af35-c12ef2f73a9a","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-13T02:38:54Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access denied","request id":"dff66b82-39c8-4f07-af35-c12ef2f73a9a","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"reason":"Unauthorized"} {"level":"info","ts":"2026-06-13T02:38:54Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"dff66b82-39c8-4f07-af35-c12ef2f73a9a","authorized":false,"response":"PERMISSION_DENIED","object":{"code":7,"status":403,"message":"Unauthorized"}} {"level":"debug","ts":"2026-06-13T02:38:54Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"dff66b82-39c8-4f07-af35-c12ef2f73a9a","authorized":false,"response":"PERMISSION_DENIED","object":{"code":7,"status":403,"message":"Unauthorized","headers":[{"content-type":"text/plain"},{"x-ext-auth-reason":""}]}} {"level":"info","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"5558d972-17e0-44b6-8997-596c87294e50","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.10:46928","PortSpecifier":{"PortValue":46928}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.24:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"5558d972-17e0-44b6-8997-596c87294e50","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.536890ea-040e-4de6-8e80-a5d56746ec7b.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"5558d972-17e0-44b6-8997-596c87294e50","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.10:46928","PortSpecifier":{"PortValue":46928}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.24:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781318335,"nanos":17963259},"http":{"id":"5558d972-17e0-44b6-8997-596c87294e50","method":"POST","headers":{":authority":"maas.apps.536890ea-040e-4de6-8e80-a5d56746ec7b.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth.authpipeline.identity","msg":"cannot validate identity","request id":"5558d972-17e0-44b6-8997-596c87294e50","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"reason":"failed to verify signature: failed to verify id token signature"} {"level":"debug","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth.authpipeline.identity.kubernetesauth","msg":"calling kubernetes token review api","request id":"5558d972-17e0-44b6-8997-596c87294e50","tokenreview":{"name":""}} {"level":"debug","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth.authpipeline.identity","msg":"cannot validate identity","request id":"5558d972-17e0-44b6-8997-596c87294e50","config":{"Name":"openshift-identities","Priority":2,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":null,"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"Plain":null,"Noop":null,"ExtendedProperties":[]},"reason":"not authenticated"} {"level":"info","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"5558d972-17e0-44b6-8997-596c87294e50","authorized":false,"response":"UNAUTHENTICATED","object":{"code":16,"status":401,"message":"Authentication required"}} {"level":"debug","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"5558d972-17e0-44b6-8997-596c87294e50","authorized":false,"response":"UNAUTHENTICATED","object":{"code":16,"status":401,"message":"Authentication required","headers":[{"WWW-Authenticate":"Bearer **** realm=\"openshift-identities\""},{"WWW-Authenticate":"request.headers.authorization realm=\"api-keys\""}]}} {"level":"info","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"82cd26e3-ea5d-4ea3-88e1-c73e77b59a8a","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.10:46940","PortSpecifier":{"PortValue":46940}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.24:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"82cd26e3-ea5d-4ea3-88e1-c73e77b59a8a","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.536890ea-040e-4de6-8e80-a5d56746ec7b.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"82cd26e3-ea5d-4ea3-88e1-c73e77b59a8a","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.10:46940","PortSpecifier":{"PortValue":46940}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.24:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781318335,"nanos":182946142},"http":{"id":"82cd26e3-ea5d-4ea3-88e1-c73e77b59a8a","method":"POST","headers":{":authority":"maas.apps.536890ea-040e-4de6-8e80-a5d56746ec7b.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"82cd26e3-ea5d-4ea3-88e1-c73e77b59a8a","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781318635,"groups":["Engineering","Project-Alpha"],"iat":1781318335,"iss":"https://keycloak.apps.536890ea-040e-4de6-8e80-a5d56746ec7b.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:944c9886-8b55-b2a8-d780-e721ae3df223","preferred_username":"alice_lead","scope":"profile email","sid":"H4eAsTct4oMFc_PFIbRM0xLa","sub":"6fe5c680-1afb-4729-a711-946973440b98","typ":"Bearer"}} {"level":"debug","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"82cd26e3-ea5d-4ea3-88e1-c73e77b59a8a","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781318635,"groups":["Engineering","Project-Alpha"],"iat":1781318335,"iss":"https://keycloak.apps.536890ea-040e-4de6-8e80-a5d56746ec7b.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:944c9886-8b55-b2a8-d780-e721ae3df223","preferred_username":"alice_lead","scope":"profile email","sid":"H4eAsTct4oMFc_PFIbRM0xLa","sub":"6fe5c680-1afb-4729-a711-946973440b98","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.132.0.24:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.536890ea-040e-4de6-8e80-a5d56746ec7b.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"82cd26e3-ea5d-4ea3-88e1-c73e77b59a8a","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"82cd26e3-ea5d-4ea3-88e1-c73e77b59a8a","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"82cd26e3-ea5d-4ea3-88e1-c73e77b59a8a","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"82cd26e3-ea5d-4ea3-88e1-c73e77b59a8a","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"groups","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"userid","Value":{}},{"Name":"groups_str","Value":{}}]},"Plain":null},"reason":"no such key: metadata"} {"level":"debug","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"82cd26e3-ea5d-4ea3-88e1-c73e77b59a8a","config":{"Name":"X-MaaS-Tenant-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Tenant","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"models-as-a-service"} {"level":"debug","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"82cd26e3-ea5d-4ea3-88e1-c73e77b59a8a","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"} {"level":"debug","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"82cd26e3-ea5d-4ea3-88e1-c73e77b59a8a","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"} {"level":"info","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"82cd26e3-ea5d-4ea3-88e1-c73e77b59a8a","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"82cd26e3-ea5d-4ea3-88e1-c73e77b59a8a","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"2ab16273-6b73-413a-b68f-5b402a2df52d","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.10:46942","PortSpecifier":{"PortValue":46942}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.24:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"2ab16273-6b73-413a-b68f-5b402a2df52d","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.536890ea-040e-4de6-8e80-a5d56746ec7b.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"2ab16273-6b73-413a-b68f-5b402a2df52d","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.10:46942","PortSpecifier":{"PortValue":46942}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.24:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781318335,"nanos":209753692},"http":{"id":"2ab16273-6b73-413a-b68f-5b402a2df52d","method":"POST","headers":{":authority":"maas.apps.536890ea-040e-4de6-8e80-a5d56746ec7b.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"2ab16273-6b73-413a-b68f-5b402a2df52d","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781318635,"groups":["Site-Reliability"],"iat":1781318335,"iss":"https://keycloak.apps.536890ea-040e-4de6-8e80-a5d56746ec7b.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:e9d968d3-9a0d-cdb1-85ea-51d4562d9f00","preferred_username":"bob_sre","scope":"profile email","sid":"o3o_O_sdFcLH8JRiKLZ4YYNe","sub":"e7ebef78-05b0-4781-9528-b5ce7f4db6e1","typ":"Bearer"}} {"level":"debug","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"2ab16273-6b73-413a-b68f-5b402a2df52d","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781318635,"groups":["Site-Reliability"],"iat":1781318335,"iss":"https://keycloak.apps.536890ea-040e-4de6-8e80-a5d56746ec7b.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:e9d968d3-9a0d-cdb1-85ea-51d4562d9f00","preferred_username":"bob_sre","scope":"profile email","sid":"o3o_O_sdFcLH8JRiKLZ4YYNe","sub":"e7ebef78-05b0-4781-9528-b5ce7f4db6e1","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.132.0.24:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.536890ea-040e-4de6-8e80-a5d56746ec7b.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"2ab16273-6b73-413a-b68f-5b402a2df52d","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"2ab16273-6b73-413a-b68f-5b402a2df52d","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"2ab16273-6b73-413a-b68f-5b402a2df52d","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"2ab16273-6b73-413a-b68f-5b402a2df52d","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"groups","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"userid","Value":{}},{"Name":"groups_str","Value":{}}]},"Plain":null},"reason":"no such key: metadata"} {"level":"debug","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"2ab16273-6b73-413a-b68f-5b402a2df52d","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"bob_sre"} {"level":"debug","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"2ab16273-6b73-413a-b68f-5b402a2df52d","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Site-Reliability\"]"} {"level":"debug","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"2ab16273-6b73-413a-b68f-5b402a2df52d","config":{"Name":"X-MaaS-Tenant-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Tenant","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"models-as-a-service"} {"level":"info","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"2ab16273-6b73-413a-b68f-5b402a2df52d","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"2ab16273-6b73-413a-b68f-5b402a2df52d","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"8325e831-6677-4cb6-a1dc-f55ababf5337","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.10:54528","PortSpecifier":{"PortValue":54528}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.24:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"8325e831-6677-4cb6-a1dc-f55ababf5337","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.536890ea-040e-4de6-8e80-a5d56746ec7b.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"8325e831-6677-4cb6-a1dc-f55ababf5337","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.10:54528","PortSpecifier":{"PortValue":54528}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.24:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781318335,"nanos":302692700},"http":{"id":"8325e831-6677-4cb6-a1dc-f55ababf5337","method":"POST","headers":{":authority":"maas.apps.536890ea-040e-4de6-8e80-a5d56746ec7b.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"8325e831-6677-4cb6-a1dc-f55ababf5337","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781318635,"groups":["Engineering","Project-Alpha"],"iat":1781318335,"iss":"https://keycloak.apps.536890ea-040e-4de6-8e80-a5d56746ec7b.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:460dc2ce-db1b-c303-1a16-3353753b7546","preferred_username":"alice_lead","scope":"profile email","sid":"WOfUSYegxTtyrpbsTdz7T4u6","sub":"6fe5c680-1afb-4729-a711-946973440b98","typ":"Bearer"}} {"level":"debug","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"8325e831-6677-4cb6-a1dc-f55ababf5337","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781318635,"groups":["Engineering","Project-Alpha"],"iat":1781318335,"iss":"https://keycloak.apps.536890ea-040e-4de6-8e80-a5d56746ec7b.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:460dc2ce-db1b-c303-1a16-3353753b7546","preferred_username":"alice_lead","scope":"profile email","sid":"WOfUSYegxTtyrpbsTdz7T4u6","sub":"6fe5c680-1afb-4729-a711-946973440b98","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.132.0.24:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.536890ea-040e-4de6-8e80-a5d56746ec7b.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"8325e831-6677-4cb6-a1dc-f55ababf5337","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"8325e831-6677-4cb6-a1dc-f55ababf5337","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"8325e831-6677-4cb6-a1dc-f55ababf5337","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"8325e831-6677-4cb6-a1dc-f55ababf5337","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"groups","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"userid","Value":{}},{"Name":"groups_str","Value":{}}]},"Plain":null},"reason":"no such key: metadata"} {"level":"debug","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"8325e831-6677-4cb6-a1dc-f55ababf5337","config":{"Name":"X-MaaS-Tenant-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Tenant","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"models-as-a-service"} {"level":"debug","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"8325e831-6677-4cb6-a1dc-f55ababf5337","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"} {"level":"debug","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"8325e831-6677-4cb6-a1dc-f55ababf5337","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"} {"level":"info","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"8325e831-6677-4cb6-a1dc-f55ababf5337","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"8325e831-6677-4cb6-a1dc-f55ababf5337","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"9cbcd94a-3839-42eb-985b-b140083adb81","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.10:54536","PortSpecifier":{"PortValue":54536}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.24:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"9cbcd94a-3839-42eb-985b-b140083adb81","method":"DELETE","path":"/maas-api/v1/api-keys/4f669c1f-9c90-4862-abfe-802bd7085981","host":"maas.apps.536890ea-040e-4de6-8e80-a5d56746ec7b.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"9cbcd94a-3839-42eb-985b-b140083adb81","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.10:54536","PortSpecifier":{"PortValue":54536}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.24:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781318335,"nanos":332993202},"http":{"id":"9cbcd94a-3839-42eb-985b-b140083adb81","method":"DELETE","headers":{":authority":"maas.apps.536890ea-040e-4de6-8e80-a5d56746ec7b.prod.konfluxeaas.com",":method":"DELETE",":path":"/maas-api/v1/api-keys/4f669c1f-9c90-4862-abfe-802bd7085981",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"9cbcd94a-3839-42eb-985b-b140083adb81","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781318635,"groups":["Engineering","Project-Alpha"],"iat":1781318335,"iss":"https://keycloak.apps.536890ea-040e-4de6-8e80-a5d56746ec7b.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:460dc2ce-db1b-c303-1a16-3353753b7546","preferred_username":"alice_lead","scope":"profile email","sid":"WOfUSYegxTtyrpbsTdz7T4u6","sub":"6fe5c680-1afb-4729-a711-946973440b98","typ":"Bearer"}} {"level":"debug","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"9cbcd94a-3839-42eb-985b-b140083adb81","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781318635,"groups":["Engineering","Project-Alpha"],"iat":1781318335,"iss":"https://keycloak.apps.536890ea-040e-4de6-8e80-a5d56746ec7b.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:460dc2ce-db1b-c303-1a16-3353753b7546","preferred_username":"alice_lead","scope":"profile email","sid":"WOfUSYegxTtyrpbsTdz7T4u6","sub":"6fe5c680-1afb-4729-a711-946973440b98","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.132.0.24:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.536890ea-040e-4de6-8e80-a5d56746ec7b.prod.konfluxeaas.com",":method":"DELETE",":path":"/maas-api/v1/api-keys/4f669c1f-9c90-4862-abfe-802bd7085981",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"9cbcd94a-3839-42eb-985b-b140083adb81","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"9cbcd94a-3839-42eb-985b-b140083adb81","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"9cbcd94a-3839-42eb-985b-b140083adb81","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"9cbcd94a-3839-42eb-985b-b140083adb81","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"groups","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"userid","Value":{}},{"Name":"groups_str","Value":{}}]},"Plain":null},"reason":"no such key: metadata"} {"level":"debug","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"9cbcd94a-3839-42eb-985b-b140083adb81","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"} {"level":"debug","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"9cbcd94a-3839-42eb-985b-b140083adb81","config":{"Name":"X-MaaS-Tenant-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Tenant","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"models-as-a-service"} {"level":"debug","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"9cbcd94a-3839-42eb-985b-b140083adb81","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"} {"level":"info","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"9cbcd94a-3839-42eb-985b-b140083adb81","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"9cbcd94a-3839-42eb-985b-b140083adb81","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"e13691f9-ec20-4de5-ae0e-e810024b7dd4","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.10:54548","PortSpecifier":{"PortValue":54548}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.24:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"e13691f9-ec20-4de5-ae0e-e810024b7dd4","method":"DELETE","path":"/maas-api/v1/api-keys/4f669c1f-9c90-4862-abfe-802bd7085981","host":"maas.apps.536890ea-040e-4de6-8e80-a5d56746ec7b.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"e13691f9-ec20-4de5-ae0e-e810024b7dd4","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.10:54548","PortSpecifier":{"PortValue":54548}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.24:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781318335,"nanos":367843483},"http":{"id":"e13691f9-ec20-4de5-ae0e-e810024b7dd4","method":"DELETE","headers":{":authority":"maas.apps.536890ea-040e-4de6-8e80-a5d56746ec7b.prod.konfluxeaas.com",":method":"DELETE",":path":"/maas-api/v1/api-keys/4f669c1f-9c90-4862-abfe-802bd7085981",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"e13691f9-ec20-4de5-ae0e-e810024b7dd4","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781318635,"groups":["Engineering","Project-Alpha"],"iat":1781318335,"iss":"https://keycloak.apps.536890ea-040e-4de6-8e80-a5d56746ec7b.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:460dc2ce-db1b-c303-1a16-3353753b7546","preferred_username":"alice_lead","scope":"profile email","sid":"WOfUSYegxTtyrpbsTdz7T4u6","sub":"6fe5c680-1afb-4729-a711-946973440b98","typ":"Bearer"}} {"level":"debug","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"e13691f9-ec20-4de5-ae0e-e810024b7dd4","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781318635,"groups":["Engineering","Project-Alpha"],"iat":1781318335,"iss":"https://keycloak.apps.536890ea-040e-4de6-8e80-a5d56746ec7b.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:460dc2ce-db1b-c303-1a16-3353753b7546","preferred_username":"alice_lead","scope":"profile email","sid":"WOfUSYegxTtyrpbsTdz7T4u6","sub":"6fe5c680-1afb-4729-a711-946973440b98","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.132.0.24:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.536890ea-040e-4de6-8e80-a5d56746ec7b.prod.konfluxeaas.com",":method":"DELETE",":path":"/maas-api/v1/api-keys/4f669c1f-9c90-4862-abfe-802bd7085981",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"e13691f9-ec20-4de5-ae0e-e810024b7dd4","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"e13691f9-ec20-4de5-ae0e-e810024b7dd4","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"e13691f9-ec20-4de5-ae0e-e810024b7dd4","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"e13691f9-ec20-4de5-ae0e-e810024b7dd4","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"groups","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"userid","Value":{}},{"Name":"groups_str","Value":{}}]},"Plain":null},"reason":"no such key: metadata"} {"level":"debug","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"e13691f9-ec20-4de5-ae0e-e810024b7dd4","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"} {"level":"debug","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"e13691f9-ec20-4de5-ae0e-e810024b7dd4","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"} {"level":"debug","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"e13691f9-ec20-4de5-ae0e-e810024b7dd4","config":{"Name":"X-MaaS-Tenant-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Tenant","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"models-as-a-service"} {"level":"info","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"e13691f9-ec20-4de5-ae0e-e810024b7dd4","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"e13691f9-ec20-4de5-ae0e-e810024b7dd4","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"25558a63-efb4-462b-806e-df3a978d5bfb","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.10:54552","PortSpecifier":{"PortValue":54552}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.24:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"25558a63-efb4-462b-806e-df3a978d5bfb","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.536890ea-040e-4de6-8e80-a5d56746ec7b.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"25558a63-efb4-462b-806e-df3a978d5bfb","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.10:54552","PortSpecifier":{"PortValue":54552}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.24:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781318335,"nanos":460808947},"http":{"id":"25558a63-efb4-462b-806e-df3a978d5bfb","method":"POST","headers":{":authority":"maas.apps.536890ea-040e-4de6-8e80-a5d56746ec7b.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"25558a63-efb4-462b-806e-df3a978d5bfb","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781318635,"groups":["Engineering","Project-Alpha"],"iat":1781318335,"iss":"https://keycloak.apps.536890ea-040e-4de6-8e80-a5d56746ec7b.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:dc67d3a1-9514-4e60-3c80-25b03d44babb","preferred_username":"alice_lead","scope":"profile email","sid":"ocXO7RtB4eS9FHhcUO-pU2jR","sub":"6fe5c680-1afb-4729-a711-946973440b98","typ":"Bearer"}} {"level":"debug","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"25558a63-efb4-462b-806e-df3a978d5bfb","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781318635,"groups":["Engineering","Project-Alpha"],"iat":1781318335,"iss":"https://keycloak.apps.536890ea-040e-4de6-8e80-a5d56746ec7b.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:dc67d3a1-9514-4e60-3c80-25b03d44babb","preferred_username":"alice_lead","scope":"profile email","sid":"ocXO7RtB4eS9FHhcUO-pU2jR","sub":"6fe5c680-1afb-4729-a711-946973440b98","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.132.0.24:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.536890ea-040e-4de6-8e80-a5d56746ec7b.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"25558a63-efb4-462b-806e-df3a978d5bfb","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"25558a63-efb4-462b-806e-df3a978d5bfb","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"25558a63-efb4-462b-806e-df3a978d5bfb","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"25558a63-efb4-462b-806e-df3a978d5bfb","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"groups","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"userid","Value":{}},{"Name":"groups_str","Value":{}}]},"Plain":null},"reason":"no such key: metadata"} {"level":"debug","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"25558a63-efb4-462b-806e-df3a978d5bfb","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"} {"level":"debug","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"25558a63-efb4-462b-806e-df3a978d5bfb","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"} {"level":"debug","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"25558a63-efb4-462b-806e-df3a978d5bfb","config":{"Name":"X-MaaS-Tenant-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Tenant","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"models-as-a-service"} {"level":"info","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"25558a63-efb4-462b-806e-df3a978d5bfb","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"25558a63-efb4-462b-806e-df3a978d5bfb","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"e3714313-ace3-4f6e-b9ed-028b2f3a1f0e","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.10:54556","PortSpecifier":{"PortValue":54556}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.24:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"e3714313-ace3-4f6e-b9ed-028b2f3a1f0e","method":"GET","path":"/maas-api/v1/models","host":"maas.apps.536890ea-040e-4de6-8e80-a5d56746ec7b.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"e3714313-ace3-4f6e-b9ed-028b2f3a1f0e","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.10:54556","PortSpecifier":{"PortValue":54556}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.24:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781318335,"nanos":486643782},"http":{"id":"e3714313-ace3-4f6e-b9ed-028b2f3a1f0e","method":"GET","headers":{":authority":"maas.apps.536890ea-040e-4de6-8e80-a5d56746ec7b.prod.konfluxeaas.com",":method":"GET",":path":"/maas-api/v1/models",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"e3714313-ace3-4f6e-b9ed-028b2f3a1f0e","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-HgDgt83TJWiHPEMs_eFqrNWTXousxfH5q1BxmhsCHnUSP4ZaQsPzOyqTPxqB"} {"level":"debug","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"e3714313-ace3-4f6e-b9ed-028b2f3a1f0e","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-HgDgt83TJWiHPEMs_eFqrNWTXousxfH5q1BxmhsCHnUSP4ZaQsPzOyqTPxqB\"}"} {"level":"debug","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"e3714313-ace3-4f6e-b9ed-028b2f3a1f0e","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"e3714313-ace3-4f6e-b9ed-028b2f3a1f0e","input":{"auth":{"identity":"Bearer **** deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"e3714313-ace3-4f6e-b9ed-028b2f3a1f0e","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"e3714313-ace3-4f6e-b9ed-028b2f3a1f0e","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"e3714313-ace3-4f6e-b9ed-028b2f3a1f0e","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"e3714313-ace3-4f6e-b9ed-028b2f3a1f0e","config":{"Name":"X-MaaS-Tenant","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"e3714313-ace3-4f6e-b9ed-028b2f3a1f0e","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"e3714313-ace3-4f6e-b9ed-028b2f3a1f0e","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"e3714313-ace3-4f6e-b9ed-028b2f3a1f0e","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"groups","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"userid","Value":{}},{"Name":"groups_str","Value":{}}]},"Plain":null},"reason":"no such key: subscription-info"} {"level":"debug","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"e3714313-ace3-4f6e-b9ed-028b2f3a1f0e","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"} {"level":"info","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"e3714313-ace3-4f6e-b9ed-028b2f3a1f0e","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"e3714313-ace3-4f6e-b9ed-028b2f3a1f0e","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"5fc91bb1-2f28-49bf-918a-8e58b66bef79","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.58:41064","PortSpecifier":{"PortValue":41064}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.24:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"5fc91bb1-2f28-49bf-918a-8e58b66bef79","method":"GET","path":"/llm/facebook-opt-125m-simulated/v1/models","host":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local","scheme":"https"}}}} {"level":"debug","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"5fc91bb1-2f28-49bf-918a-8e58b66bef79","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.58:41064","PortSpecifier":{"PortValue":41064}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.24:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781318335,"nanos":503622193},"http":{"id":"5fc91bb1-2f28-49bf-918a-8e58b66bef79","method":"GET","headers":{":authority":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local",":method":"GET",":path":"/llm/facebook-opt-125m-simulated/v1/models",":scheme":"https","accept-encoding":"gzip","authorization":"Bearer **** {"level":"debug","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"5fc91bb1-2f28-49bf-918a-8e58b66bef79","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-HgDgt83TJWiHPEMs_eFqrNWTXousxfH5q1BxmhsCHnUSP4ZaQsPzOyqTPxqB"} {"level":"debug","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"5fc91bb1-2f28-49bf-918a-8e58b66bef79","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-HgDgt83TJWiHPEMs_eFqrNWTXousxfH5q1BxmhsCHnUSP4ZaQsPzOyqTPxqB\"}"} {"level":"debug","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"5fc91bb1-2f28-49bf-918a-8e58b66bef79","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"5fc91bb1-2f28-49bf-918a-8e58b66bef79","config":"subscription-info","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","headers":{"Content-Type":["application/json"]},"body":"{\"groups\":[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"],\"requestedModel\":\"llm/facebook-opt-125m-simulated\",\"requestedSubscription\":\"simulator-subscription\",\"username\":\"alice_lead\"}"} {"level":"debug","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"5fc91bb1-2f28-49bf-918a-8e58b66bef79","config":{"Name":"subscription-info","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"UserInfo":null,"UMA":null,"GenericHTTP":{"Endpoint":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","DynamicEndpoint":null,"Method":"POST","Body":{},"Parameters":[],"Headers":[],"ContentType":"application/json","SharedSecret":"","OAuth2":null,"OAuth2TokenForceFetch":false,"AuthCredentials":null}},"object":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}} {"level":"debug","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"5fc91bb1-2f28-49bf-918a-8e58b66bef79","input":{"auth":{"identity":"Bearer **** subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}}},"context":{"context_extensions":{"host":"3dd75e19cd66d310c30638e330078972afd6d2d96305f91055bc6a6f363fb8d3"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.132.0.24:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local",":method":"GET",":path":"/llm/facebook-opt-125m-simulated/v1/models",":scheme":"https","accept-encoding":"gzip","authorization":"Bearer **** sk-oai-HgDgt83TJWiHPEMs_eFqrNWTXousxfH5q1BxmhsCHnUSP4ZaQsPzOyqTPxqB","user-agent":"Go-http-client/1.1","x-envoy-decorator-operation":"facebook-opt-125m-simulated-kserve-workload-svc.llm.svc.cluster.local:8000/*","x-envoy-external-address":"10.133.0.58","x-envoy-peer-metadata":"ChoKCkNMVVNURVJfSUQSDBoKS3ViZXJuZXRlcwqLAQoGTEFCRUxTEoABKn4KSwofc2VydmljZS5pc3Rpby5pby9jYW5vbmljYWwtbmFtZRIoGiZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAovCiNzZXJ2aWNlLmlzdGlvLmlvL2Nhbm9uaWNhbC1yZXZpc2lvbhIIGgZsYXRlc3QKQAoETkFNRRI4GjZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdC02ODdmZjY5OTYtZ2xsNnYKIAoJTkFNRVNQQUNFEhMaEW9wZW5zaGlmdC1pbmdyZXNzCnQKBU9XTkVSEmsaaWt1YmVybmV0ZXM6Ly9hcGlzL2FwcHMvdjEvbmFtZXNwYWNlcy9vcGVuc2hpZnQtaW5ncmVzcy9kZXBsb3ltZW50cy9tYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAo5Cg1XT1JLTE9BRF9OQU1FEigaJm1hYXMtZGVmYXVsdC1nYXRld2F5LW9wZW5zaGlmdC1kZWZhdWx0","x-envoy-peer-metadata-id":"router~10.132.0.24~maas-default-gateway-openshift-default-687ff6996-gll6v.openshift-ingress~openshift-ingress.svc.cluster.local","x-forwarded-for":"10.133.0.58","x-forwarded-proto":"https","x-maas-subscription":"simulator-subscription","x-request-id":"5fc91bb1-2f28-49bf-918a-8e58b66bef79"},"host":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local","id":"5fc91bb1-2f28-49bf-918a-8e58b66bef79","method":"GET","path":"/llm/facebook-opt-125m-simulated/v1/models","protocol":"HTTP/1.1","scheme":"https","time":{"nanos":503622193,"seconds":1781318335},"url_path":"/llm/facebook-opt-125m-simulated/v1/models","user_agent":"Go-http-client/1.1"},"source":{"address":"10.133.0.58:41064","port":41064}}} {"level":"debug","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"5fc91bb1-2f28-49bf-918a-8e58b66bef79","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"5fc91bb1-2f28-49bf-918a-8e58b66bef79","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"5fc91bb1-2f28-49bf-918a-8e58b66bef79","config":{"Name":"subscription-valid","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"5fc91bb1-2f28-49bf-918a-8e58b66bef79","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"5fc91bb1-2f28-49bf-918a-8e58b66bef79","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"5fc91bb1-2f28-49bf-918a-8e58b66bef79","config":{"Name":"X-MaaS-Tenant","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"5fc91bb1-2f28-49bf-918a-8e58b66bef79","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"} {"level":"debug","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"5fc91bb1-2f28-49bf-918a-8e58b66bef79","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"5fc91bb1-2f28-49bf-918a-8e58b66bef79","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"groups","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"userid","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error","Value":{}}]},"Plain":null},"object":{"groups":["system:authenticated","Engineering","Project-Alpha"],"groups_str":"system:authenticated,Engineering,Project-Alpha","keyId":"954665fc-effa-4bc1-8c63-1dd7b4f4f906","selected_subscription":"simulator-subscription","selected_subscription_key":"models-as-a-service/simulator-subscription@llm/facebook-opt-125m-simulated","subscription_error":"","subscription_error_message":"","subscription_info":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true},"userid":"alice_lead"}} {"level":"info","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"5fc91bb1-2f28-49bf-918a-8e58b66bef79","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"5fc91bb1-2f28-49bf-918a-8e58b66bef79","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"8954250b-2788-4d55-b7d5-6cc88e53de59","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.10:54564","PortSpecifier":{"PortValue":54564}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.24:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"8954250b-2788-4d55-b7d5-6cc88e53de59","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.536890ea-040e-4de6-8e80-a5d56746ec7b.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"8954250b-2788-4d55-b7d5-6cc88e53de59","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.10:54564","PortSpecifier":{"PortValue":54564}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.24:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781318335,"nanos":591685761},"http":{"id":"8954250b-2788-4d55-b7d5-6cc88e53de59","method":"POST","headers":{":authority":"maas.apps.536890ea-040e-4de6-8e80-a5d56746ec7b.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"8954250b-2788-4d55-b7d5-6cc88e53de59","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781318635,"groups":["Engineering","Project-Alpha"],"iat":1781318335,"iss":"https://keycloak.apps.536890ea-040e-4de6-8e80-a5d56746ec7b.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:c9c1d158-043c-f340-fb67-daabaee4dd8b","preferred_username":"alice_lead","scope":"profile email","sid":"RetOHURghwU-y-hkCmuLvwob","sub":"6fe5c680-1afb-4729-a711-946973440b98","typ":"Bearer"}} {"level":"debug","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"8954250b-2788-4d55-b7d5-6cc88e53de59","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781318635,"groups":["Engineering","Project-Alpha"],"iat":1781318335,"iss":"https://keycloak.apps.536890ea-040e-4de6-8e80-a5d56746ec7b.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:c9c1d158-043c-f340-fb67-daabaee4dd8b","preferred_username":"alice_lead","scope":"profile email","sid":"RetOHURghwU-y-hkCmuLvwob","sub":"6fe5c680-1afb-4729-a711-946973440b98","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.132.0.24:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.536890ea-040e-4de6-8e80-a5d56746ec7b.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"8954250b-2788-4d55-b7d5-6cc88e53de59","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"8954250b-2788-4d55-b7d5-6cc88e53de59","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"8954250b-2788-4d55-b7d5-6cc88e53de59","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"8954250b-2788-4d55-b7d5-6cc88e53de59","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"groups","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"userid","Value":{}},{"Name":"groups_str","Value":{}}]},"Plain":null},"reason":"no such key: metadata"} {"level":"debug","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"8954250b-2788-4d55-b7d5-6cc88e53de59","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"} {"level":"debug","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"8954250b-2788-4d55-b7d5-6cc88e53de59","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"} {"level":"debug","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"8954250b-2788-4d55-b7d5-6cc88e53de59","config":{"Name":"X-MaaS-Tenant-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Tenant","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"models-as-a-service"} {"level":"info","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"8954250b-2788-4d55-b7d5-6cc88e53de59","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"8954250b-2788-4d55-b7d5-6cc88e53de59","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"f5767fae-c46e-48fb-b460-1f6aa720eb3d","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.10:54580","PortSpecifier":{"PortValue":54580}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.24:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"f5767fae-c46e-48fb-b460-1f6aa720eb3d","method":"GET","path":"/maas-api/v1/models","host":"maas.apps.536890ea-040e-4de6-8e80-a5d56746ec7b.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"f5767fae-c46e-48fb-b460-1f6aa720eb3d","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.10:54580","PortSpecifier":{"PortValue":54580}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.24:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781318335,"nanos":617442335},"http":{"id":"f5767fae-c46e-48fb-b460-1f6aa720eb3d","method":"GET","headers":{":authority":"maas.apps.536890ea-040e-4de6-8e80-a5d56746ec7b.prod.konfluxeaas.com",":method":"GET",":path":"/maas-api/v1/models",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"f5767fae-c46e-48fb-b460-1f6aa720eb3d","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-1BXKs3W4rnDs256Jo_jQza1R7LkUld89UKv6XMScGxkPNgdL2P47T5Ay7TxzO"} {"level":"debug","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"f5767fae-c46e-48fb-b460-1f6aa720eb3d","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-1BXKs3W4rnDs256Jo_jQza1R7LkUld89UKv6XMScGxkPNgdL2P47T5Ay7TxzO\"}"} {"level":"debug","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"f5767fae-c46e-48fb-b460-1f6aa720eb3d","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"f5767fae-c46e-48fb-b460-1f6aa720eb3d","input":{"auth":{"identity":"Bearer **** deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"f5767fae-c46e-48fb-b460-1f6aa720eb3d","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"f5767fae-c46e-48fb-b460-1f6aa720eb3d","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"f5767fae-c46e-48fb-b460-1f6aa720eb3d","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"f5767fae-c46e-48fb-b460-1f6aa720eb3d","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"f5767fae-c46e-48fb-b460-1f6aa720eb3d","config":{"Name":"X-MaaS-Tenant","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"f5767fae-c46e-48fb-b460-1f6aa720eb3d","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"f5767fae-c46e-48fb-b460-1f6aa720eb3d","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"groups","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"userid","Value":{}},{"Name":"groups_str","Value":{}}]},"Plain":null},"reason":"no such key: subscription-info"} {"level":"debug","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"f5767fae-c46e-48fb-b460-1f6aa720eb3d","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"} {"level":"info","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"f5767fae-c46e-48fb-b460-1f6aa720eb3d","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"f5767fae-c46e-48fb-b460-1f6aa720eb3d","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"3131e19f-e998-4e45-b3bb-26a5036bd0d3","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.10:54588","PortSpecifier":{"PortValue":54588}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.24:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"3131e19f-e998-4e45-b3bb-26a5036bd0d3","method":"GET","path":"/maas-api/v1/models","host":"maas.apps.536890ea-040e-4de6-8e80-a5d56746ec7b.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"3131e19f-e998-4e45-b3bb-26a5036bd0d3","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.10:54588","PortSpecifier":{"PortValue":54588}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.24:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781318335,"nanos":642541436},"http":{"id":"3131e19f-e998-4e45-b3bb-26a5036bd0d3","method":"GET","headers":{":authority":"maas.apps.536890ea-040e-4de6-8e80-a5d56746ec7b.prod.konfluxeaas.com",":method":"GET",":path":"/maas-api/v1/models",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"3131e19f-e998-4e45-b3bb-26a5036bd0d3","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-1BXKs3W4rnDs256Jo_jQza1R7LkUld89UKv6XMScGxkPNgdL2P47T5Ay7TxzO"} {"level":"debug","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"3131e19f-e998-4e45-b3bb-26a5036bd0d3","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-1BXKs3W4rnDs256Jo_jQza1R7LkUld89UKv6XMScGxkPNgdL2P47T5Ay7TxzO\"}"} {"level":"debug","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"3131e19f-e998-4e45-b3bb-26a5036bd0d3","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"3131e19f-e998-4e45-b3bb-26a5036bd0d3","input":{"auth":{"identity":"Bearer **** deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"3131e19f-e998-4e45-b3bb-26a5036bd0d3","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"3131e19f-e998-4e45-b3bb-26a5036bd0d3","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"3131e19f-e998-4e45-b3bb-26a5036bd0d3","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"3131e19f-e998-4e45-b3bb-26a5036bd0d3","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"3131e19f-e998-4e45-b3bb-26a5036bd0d3","config":{"Name":"X-MaaS-Tenant","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"3131e19f-e998-4e45-b3bb-26a5036bd0d3","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"groups","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"userid","Value":{}},{"Name":"groups_str","Value":{}}]},"Plain":null},"reason":"no such key: subscription-info"} {"level":"debug","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"3131e19f-e998-4e45-b3bb-26a5036bd0d3","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"3131e19f-e998-4e45-b3bb-26a5036bd0d3","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"} {"level":"info","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"3131e19f-e998-4e45-b3bb-26a5036bd0d3","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"3131e19f-e998-4e45-b3bb-26a5036bd0d3","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"0b784d8e-3510-4807-9b1d-8da2d5e1ea55","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.58:41064","PortSpecifier":{"PortValue":41064}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.24:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"0b784d8e-3510-4807-9b1d-8da2d5e1ea55","method":"GET","path":"/llm/facebook-opt-125m-simulated/v1/models","host":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local","scheme":"https"}}}} {"level":"debug","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"0b784d8e-3510-4807-9b1d-8da2d5e1ea55","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.58:41064","PortSpecifier":{"PortValue":41064}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.24:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781318335,"nanos":648869623},"http":{"id":"0b784d8e-3510-4807-9b1d-8da2d5e1ea55","method":"GET","headers":{":authority":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local",":method":"GET",":path":"/llm/facebook-opt-125m-simulated/v1/models",":scheme":"https","accept-encoding":"gzip","authorization":"Bearer **** {"level":"debug","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"0b784d8e-3510-4807-9b1d-8da2d5e1ea55","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-1BXKs3W4rnDs256Jo_jQza1R7LkUld89UKv6XMScGxkPNgdL2P47T5Ay7TxzO"} {"level":"debug","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"0b784d8e-3510-4807-9b1d-8da2d5e1ea55","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-1BXKs3W4rnDs256Jo_jQza1R7LkUld89UKv6XMScGxkPNgdL2P47T5Ay7TxzO\"}"} {"level":"debug","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"0b784d8e-3510-4807-9b1d-8da2d5e1ea55","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"0b784d8e-3510-4807-9b1d-8da2d5e1ea55","config":"subscription-info","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","headers":{"Content-Type":["application/json"]},"body":"{\"groups\":[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"],\"requestedModel\":\"llm/facebook-opt-125m-simulated\",\"requestedSubscription\":\"simulator-subscription\",\"username\":\"alice_lead\"}"} {"level":"debug","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"0b784d8e-3510-4807-9b1d-8da2d5e1ea55","config":{"Name":"subscription-info","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"UserInfo":null,"UMA":null,"GenericHTTP":{"Endpoint":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","DynamicEndpoint":null,"Method":"POST","Body":{},"Parameters":[],"Headers":[],"ContentType":"application/json","SharedSecret":"","OAuth2":null,"OAuth2TokenForceFetch":false,"AuthCredentials":null}},"object":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}} {"level":"debug","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"0b784d8e-3510-4807-9b1d-8da2d5e1ea55","input":{"auth":{"identity":"Bearer **** subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}}},"context":{"context_extensions":{"host":"3dd75e19cd66d310c30638e330078972afd6d2d96305f91055bc6a6f363fb8d3"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.132.0.24:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local",":method":"GET",":path":"/llm/facebook-opt-125m-simulated/v1/models",":scheme":"https","accept-encoding":"gzip","authorization":"Bearer **** sk-oai-1BXKs3W4rnDs256Jo_jQza1R7LkUld89UKv6XMScGxkPNgdL2P47T5Ay7TxzO","user-agent":"Go-http-client/1.1","x-envoy-decorator-operation":"facebook-opt-125m-simulated-kserve-workload-svc.llm.svc.cluster.local:8000/*","x-envoy-external-address":"10.133.0.58","x-envoy-peer-metadata":"ChoKCkNMVVNURVJfSUQSDBoKS3ViZXJuZXRlcwqLAQoGTEFCRUxTEoABKn4KSwofc2VydmljZS5pc3Rpby5pby9jYW5vbmljYWwtbmFtZRIoGiZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAovCiNzZXJ2aWNlLmlzdGlvLmlvL2Nhbm9uaWNhbC1yZXZpc2lvbhIIGgZsYXRlc3QKQAoETkFNRRI4GjZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdC02ODdmZjY5OTYtZ2xsNnYKIAoJTkFNRVNQQUNFEhMaEW9wZW5zaGlmdC1pbmdyZXNzCnQKBU9XTkVSEmsaaWt1YmVybmV0ZXM6Ly9hcGlzL2FwcHMvdjEvbmFtZXNwYWNlcy9vcGVuc2hpZnQtaW5ncmVzcy9kZXBsb3ltZW50cy9tYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAo5Cg1XT1JLTE9BRF9OQU1FEigaJm1hYXMtZGVmYXVsdC1nYXRld2F5LW9wZW5zaGlmdC1kZWZhdWx0","x-envoy-peer-metadata-id":"router~10.132.0.24~maas-default-gateway-openshift-default-687ff6996-gll6v.openshift-ingress~openshift-ingress.svc.cluster.local","x-forwarded-for":"10.133.0.58","x-forwarded-proto":"https","x-maas-subscription":"simulator-subscription","x-request-id":"0b784d8e-3510-4807-9b1d-8da2d5e1ea55"},"host":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local","id":"0b784d8e-3510-4807-9b1d-8da2d5e1ea55","method":"GET","path":"/llm/facebook-opt-125m-simulated/v1/models","protocol":"HTTP/1.1","scheme":"https","time":{"nanos":648869623,"seconds":1781318335},"url_path":"/llm/facebook-opt-125m-simulated/v1/models","user_agent":"Go-http-client/1.1"},"source":{"address":"10.133.0.58:41064","port":41064}}} {"level":"debug","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"0b784d8e-3510-4807-9b1d-8da2d5e1ea55","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"0b784d8e-3510-4807-9b1d-8da2d5e1ea55","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"0b784d8e-3510-4807-9b1d-8da2d5e1ea55","config":{"Name":"subscription-valid","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"0b784d8e-3510-4807-9b1d-8da2d5e1ea55","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"0b784d8e-3510-4807-9b1d-8da2d5e1ea55","config":{"Name":"X-MaaS-Tenant","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"0b784d8e-3510-4807-9b1d-8da2d5e1ea55","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"0b784d8e-3510-4807-9b1d-8da2d5e1ea55","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"0b784d8e-3510-4807-9b1d-8da2d5e1ea55","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"} {"level":"debug","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"0b784d8e-3510-4807-9b1d-8da2d5e1ea55","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"groups","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"userid","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error","Value":{}}]},"Plain":null},"object":{"groups":["system:authenticated","Engineering","Project-Alpha"],"groups_str":"system:authenticated,Engineering,Project-Alpha","keyId":"eefdc7a5-f86e-4ed8-b16d-01be902e4ccc","selected_subscription":"simulator-subscription","selected_subscription_key":"models-as-a-service/simulator-subscription@llm/facebook-opt-125m-simulated","subscription_error":"","subscription_error_message":"","subscription_info":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true},"userid":"alice_lead"}} {"level":"info","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"0b784d8e-3510-4807-9b1d-8da2d5e1ea55","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"0b784d8e-3510-4807-9b1d-8da2d5e1ea55","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"5a999383-0ed9-4171-8a43-fd6f2dfbd359","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.10:54602","PortSpecifier":{"PortValue":54602}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.24:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"5a999383-0ed9-4171-8a43-fd6f2dfbd359","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.536890ea-040e-4de6-8e80-a5d56746ec7b.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"5a999383-0ed9-4171-8a43-fd6f2dfbd359","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.10:54602","PortSpecifier":{"PortValue":54602}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.24:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781318335,"nanos":742167960},"http":{"id":"5a999383-0ed9-4171-8a43-fd6f2dfbd359","method":"POST","headers":{":authority":"maas.apps.536890ea-040e-4de6-8e80-a5d56746ec7b.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"5a999383-0ed9-4171-8a43-fd6f2dfbd359","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781318635,"groups":["Engineering","Project-Alpha"],"iat":1781318335,"iss":"https://keycloak.apps.536890ea-040e-4de6-8e80-a5d56746ec7b.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:24f61c6c-1ffa-812e-7a73-db21b20bea2a","preferred_username":"alice_lead","scope":"profile email","sid":"YEtOfeoKJ_qf7HSeiVJTqYcB","sub":"6fe5c680-1afb-4729-a711-946973440b98","typ":"Bearer"}} {"level":"debug","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"5a999383-0ed9-4171-8a43-fd6f2dfbd359","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781318635,"groups":["Engineering","Project-Alpha"],"iat":1781318335,"iss":"https://keycloak.apps.536890ea-040e-4de6-8e80-a5d56746ec7b.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:24f61c6c-1ffa-812e-7a73-db21b20bea2a","preferred_username":"alice_lead","scope":"profile email","sid":"YEtOfeoKJ_qf7HSeiVJTqYcB","sub":"6fe5c680-1afb-4729-a711-946973440b98","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.132.0.24:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.536890ea-040e-4de6-8e80-a5d56746ec7b.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"5a999383-0ed9-4171-8a43-fd6f2dfbd359","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"5a999383-0ed9-4171-8a43-fd6f2dfbd359","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"5a999383-0ed9-4171-8a43-fd6f2dfbd359","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"5a999383-0ed9-4171-8a43-fd6f2dfbd359","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"groups","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"userid","Value":{}},{"Name":"groups_str","Value":{}}]},"Plain":null},"reason":"no such key: metadata"} {"level":"debug","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"5a999383-0ed9-4171-8a43-fd6f2dfbd359","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"} {"level":"debug","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"5a999383-0ed9-4171-8a43-fd6f2dfbd359","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"} {"level":"debug","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"5a999383-0ed9-4171-8a43-fd6f2dfbd359","config":{"Name":"X-MaaS-Tenant-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Tenant","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"models-as-a-service"} {"level":"info","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"5a999383-0ed9-4171-8a43-fd6f2dfbd359","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"5a999383-0ed9-4171-8a43-fd6f2dfbd359","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"86d9a0f6-4d61-4b91-b168-9eb992eb05f5","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.10:54604","PortSpecifier":{"PortValue":54604}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.24:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"86d9a0f6-4d61-4b91-b168-9eb992eb05f5","method":"GET","path":"/maas-api/v1/models","host":"maas.apps.536890ea-040e-4de6-8e80-a5d56746ec7b.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"86d9a0f6-4d61-4b91-b168-9eb992eb05f5","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.10:54604","PortSpecifier":{"PortValue":54604}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.24:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781318335,"nanos":769125794},"http":{"id":"86d9a0f6-4d61-4b91-b168-9eb992eb05f5","method":"GET","headers":{":authority":"maas.apps.536890ea-040e-4de6-8e80-a5d56746ec7b.prod.konfluxeaas.com",":method":"GET",":path":"/maas-api/v1/models",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"86d9a0f6-4d61-4b91-b168-9eb992eb05f5","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-1P7VRKUGeAbZ9GxQ0_ntvhm4MrPgBGAOX8HsiyYsXq1n5ubmlegyVehsL5Jzx"} {"level":"debug","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"86d9a0f6-4d61-4b91-b168-9eb992eb05f5","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-1P7VRKUGeAbZ9GxQ0_ntvhm4MrPgBGAOX8HsiyYsXq1n5ubmlegyVehsL5Jzx\"}"} {"level":"debug","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"86d9a0f6-4d61-4b91-b168-9eb992eb05f5","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"86d9a0f6-4d61-4b91-b168-9eb992eb05f5","input":{"auth":{"identity":"Bearer **** deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"86d9a0f6-4d61-4b91-b168-9eb992eb05f5","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"86d9a0f6-4d61-4b91-b168-9eb992eb05f5","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"86d9a0f6-4d61-4b91-b168-9eb992eb05f5","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"86d9a0f6-4d61-4b91-b168-9eb992eb05f5","config":{"Name":"X-MaaS-Tenant","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"86d9a0f6-4d61-4b91-b168-9eb992eb05f5","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"86d9a0f6-4d61-4b91-b168-9eb992eb05f5","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"86d9a0f6-4d61-4b91-b168-9eb992eb05f5","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"groups","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"userid","Value":{}},{"Name":"groups_str","Value":{}}]},"Plain":null},"reason":"no such key: subscription-info"} {"level":"debug","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"86d9a0f6-4d61-4b91-b168-9eb992eb05f5","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"} {"level":"info","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"86d9a0f6-4d61-4b91-b168-9eb992eb05f5","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"86d9a0f6-4d61-4b91-b168-9eb992eb05f5","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"6322ef89-8843-47b8-930a-3e54416b7460","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.58:41064","PortSpecifier":{"PortValue":41064}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.24:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"6322ef89-8843-47b8-930a-3e54416b7460","method":"GET","path":"/llm/facebook-opt-125m-simulated/v1/models","host":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local","scheme":"https"}}}} {"level":"debug","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"6322ef89-8843-47b8-930a-3e54416b7460","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.58:41064","PortSpecifier":{"PortValue":41064}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.24:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781318335,"nanos":775523883},"http":{"id":"6322ef89-8843-47b8-930a-3e54416b7460","method":"GET","headers":{":authority":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local",":method":"GET",":path":"/llm/facebook-opt-125m-simulated/v1/models",":scheme":"https","accept-encoding":"gzip","authorization":"Bearer **** {"level":"debug","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"6322ef89-8843-47b8-930a-3e54416b7460","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-1P7VRKUGeAbZ9GxQ0_ntvhm4MrPgBGAOX8HsiyYsXq1n5ubmlegyVehsL5Jzx"} {"level":"debug","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"6322ef89-8843-47b8-930a-3e54416b7460","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-1P7VRKUGeAbZ9GxQ0_ntvhm4MrPgBGAOX8HsiyYsXq1n5ubmlegyVehsL5Jzx\"}"} {"level":"debug","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"6322ef89-8843-47b8-930a-3e54416b7460","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"6322ef89-8843-47b8-930a-3e54416b7460","config":"subscription-info","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","headers":{"Content-Type":["application/json"]},"body":"{\"groups\":[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"],\"requestedModel\":\"llm/facebook-opt-125m-simulated\",\"requestedSubscription\":\"simulator-subscription\",\"username\":\"alice_lead\"}"} {"level":"debug","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"6322ef89-8843-47b8-930a-3e54416b7460","config":{"Name":"subscription-info","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"UserInfo":null,"UMA":null,"GenericHTTP":{"Endpoint":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","DynamicEndpoint":null,"Method":"POST","Body":{},"Parameters":[],"Headers":[],"ContentType":"application/json","SharedSecret":"","OAuth2":null,"OAuth2TokenForceFetch":false,"AuthCredentials":null}},"object":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}} {"level":"debug","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"6322ef89-8843-47b8-930a-3e54416b7460","input":{"auth":{"identity":"Bearer **** subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}}},"context":{"context_extensions":{"host":"3dd75e19cd66d310c30638e330078972afd6d2d96305f91055bc6a6f363fb8d3"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.132.0.24:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local",":method":"GET",":path":"/llm/facebook-opt-125m-simulated/v1/models",":scheme":"https","accept-encoding":"gzip","authorization":"Bearer **** sk-oai-1P7VRKUGeAbZ9GxQ0_ntvhm4MrPgBGAOX8HsiyYsXq1n5ubmlegyVehsL5Jzx","user-agent":"Go-http-client/1.1","x-envoy-decorator-operation":"facebook-opt-125m-simulated-kserve-workload-svc.llm.svc.cluster.local:8000/*","x-envoy-external-address":"10.133.0.58","x-envoy-peer-metadata":"ChoKCkNMVVNURVJfSUQSDBoKS3ViZXJuZXRlcwqLAQoGTEFCRUxTEoABKn4KSwofc2VydmljZS5pc3Rpby5pby9jYW5vbmljYWwtbmFtZRIoGiZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAovCiNzZXJ2aWNlLmlzdGlvLmlvL2Nhbm9uaWNhbC1yZXZpc2lvbhIIGgZsYXRlc3QKQAoETkFNRRI4GjZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdC02ODdmZjY5OTYtZ2xsNnYKIAoJTkFNRVNQQUNFEhMaEW9wZW5zaGlmdC1pbmdyZXNzCnQKBU9XTkVSEmsaaWt1YmVybmV0ZXM6Ly9hcGlzL2FwcHMvdjEvbmFtZXNwYWNlcy9vcGVuc2hpZnQtaW5ncmVzcy9kZXBsb3ltZW50cy9tYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAo5Cg1XT1JLTE9BRF9OQU1FEigaJm1hYXMtZGVmYXVsdC1nYXRld2F5LW9wZW5zaGlmdC1kZWZhdWx0","x-envoy-peer-metadata-id":"router~10.132.0.24~maas-default-gateway-openshift-default-687ff6996-gll6v.openshift-ingress~openshift-ingress.svc.cluster.local","x-forwarded-for":"10.133.0.58","x-forwarded-proto":"https","x-maas-subscription":"simulator-subscription","x-request-id":"6322ef89-8843-47b8-930a-3e54416b7460"},"host":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local","id":"6322ef89-8843-47b8-930a-3e54416b7460","method":"GET","path":"/llm/facebook-opt-125m-simulated/v1/models","protocol":"HTTP/1.1","scheme":"https","time":{"nanos":775523883,"seconds":1781318335},"url_path":"/llm/facebook-opt-125m-simulated/v1/models","user_agent":"Go-http-client/1.1"},"source":{"address":"10.133.0.58:41064","port":41064}}} {"level":"debug","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"6322ef89-8843-47b8-930a-3e54416b7460","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"6322ef89-8843-47b8-930a-3e54416b7460","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"6322ef89-8843-47b8-930a-3e54416b7460","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"6322ef89-8843-47b8-930a-3e54416b7460","config":{"Name":"subscription-valid","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"6322ef89-8843-47b8-930a-3e54416b7460","config":{"Name":"X-MaaS-Tenant","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"6322ef89-8843-47b8-930a-3e54416b7460","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"6322ef89-8843-47b8-930a-3e54416b7460","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"6322ef89-8843-47b8-930a-3e54416b7460","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"} {"level":"debug","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"6322ef89-8843-47b8-930a-3e54416b7460","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"groups","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"userid","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error","Value":{}}]},"Plain":null},"object":{"groups":["system:authenticated","Engineering","Project-Alpha"],"groups_str":"system:authenticated,Engineering,Project-Alpha","keyId":"2de60088-b2bb-4a9b-88a6-efc493a70c29","selected_subscription":"simulator-subscription","selected_subscription_key":"models-as-a-service/simulator-subscription@llm/facebook-opt-125m-simulated","subscription_error":"","subscription_error_message":"","subscription_info":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true},"userid":"alice_lead"}} {"level":"info","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"6322ef89-8843-47b8-930a-3e54416b7460","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"6322ef89-8843-47b8-930a-3e54416b7460","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"0043cddf-0a53-43d2-935e-a4846608fb12","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.10:54620","PortSpecifier":{"PortValue":54620}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.24:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"0043cddf-0a53-43d2-935e-a4846608fb12","method":"GET","path":"/maas-api/v1/models","host":"maas.apps.536890ea-040e-4de6-8e80-a5d56746ec7b.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"0043cddf-0a53-43d2-935e-a4846608fb12","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.10:54620","PortSpecifier":{"PortValue":54620}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.24:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781318335,"nanos":804678207},"http":{"id":"0043cddf-0a53-43d2-935e-a4846608fb12","method":"GET","headers":{":authority":"maas.apps.536890ea-040e-4de6-8e80-a5d56746ec7b.prod.konfluxeaas.com",":method":"GET",":path":"/maas-api/v1/models",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"0043cddf-0a53-43d2-935e-a4846608fb12","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-1P7VRKUGeAbZ9GxQ0_ntvhm4MrPgBGAOX8HsiyYsXq1n5ubmlegyVehsL5Jzx"} {"level":"debug","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"0043cddf-0a53-43d2-935e-a4846608fb12","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-1P7VRKUGeAbZ9GxQ0_ntvhm4MrPgBGAOX8HsiyYsXq1n5ubmlegyVehsL5Jzx\"}"} {"level":"debug","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"0043cddf-0a53-43d2-935e-a4846608fb12","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"0043cddf-0a53-43d2-935e-a4846608fb12","input":{"auth":{"identity":"Bearer **** deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"0043cddf-0a53-43d2-935e-a4846608fb12","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"0043cddf-0a53-43d2-935e-a4846608fb12","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"0043cddf-0a53-43d2-935e-a4846608fb12","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"0043cddf-0a53-43d2-935e-a4846608fb12","config":{"Name":"X-MaaS-Tenant","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"0043cddf-0a53-43d2-935e-a4846608fb12","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"0043cddf-0a53-43d2-935e-a4846608fb12","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"0043cddf-0a53-43d2-935e-a4846608fb12","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"groups","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"userid","Value":{}},{"Name":"groups_str","Value":{}}]},"Plain":null},"reason":"no such key: subscription-info"} {"level":"debug","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"0043cddf-0a53-43d2-935e-a4846608fb12","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"} {"level":"info","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"0043cddf-0a53-43d2-935e-a4846608fb12","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"0043cddf-0a53-43d2-935e-a4846608fb12","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"9ae6282e-52ce-4f66-aec4-8f4ab71193cc","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.58:41064","PortSpecifier":{"PortValue":41064}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.24:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"9ae6282e-52ce-4f66-aec4-8f4ab71193cc","method":"GET","path":"/llm/facebook-opt-125m-simulated/v1/models","host":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local","scheme":"https"}}}} {"level":"debug","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"9ae6282e-52ce-4f66-aec4-8f4ab71193cc","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.58:41064","PortSpecifier":{"PortValue":41064}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.24:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781318335,"nanos":810867646},"http":{"id":"9ae6282e-52ce-4f66-aec4-8f4ab71193cc","method":"GET","headers":{":authority":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local",":method":"GET",":path":"/llm/facebook-opt-125m-simulated/v1/models",":scheme":"https","accept-encoding":"gzip","authorization":"Bearer **** {"level":"debug","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"9ae6282e-52ce-4f66-aec4-8f4ab71193cc","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-1P7VRKUGeAbZ9GxQ0_ntvhm4MrPgBGAOX8HsiyYsXq1n5ubmlegyVehsL5Jzx"} {"level":"debug","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"9ae6282e-52ce-4f66-aec4-8f4ab71193cc","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-1P7VRKUGeAbZ9GxQ0_ntvhm4MrPgBGAOX8HsiyYsXq1n5ubmlegyVehsL5Jzx\"}"} {"level":"debug","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"9ae6282e-52ce-4f66-aec4-8f4ab71193cc","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"9ae6282e-52ce-4f66-aec4-8f4ab71193cc","config":"subscription-info","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","headers":{"Content-Type":["application/json"]},"body":"{\"groups\":[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"],\"requestedModel\":\"llm/facebook-opt-125m-simulated\",\"requestedSubscription\":\"simulator-subscription\",\"username\":\"alice_lead\"}"} {"level":"debug","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"9ae6282e-52ce-4f66-aec4-8f4ab71193cc","config":{"Name":"subscription-info","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"UserInfo":null,"UMA":null,"GenericHTTP":{"Endpoint":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","DynamicEndpoint":null,"Method":"POST","Body":{},"Parameters":[],"Headers":[],"ContentType":"application/json","SharedSecret":"","OAuth2":null,"OAuth2TokenForceFetch":false,"AuthCredentials":null}},"object":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}} {"level":"debug","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"9ae6282e-52ce-4f66-aec4-8f4ab71193cc","input":{"auth":{"identity":"Bearer **** subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}}},"context":{"context_extensions":{"host":"3dd75e19cd66d310c30638e330078972afd6d2d96305f91055bc6a6f363fb8d3"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.132.0.24:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local",":method":"GET",":path":"/llm/facebook-opt-125m-simulated/v1/models",":scheme":"https","accept-encoding":"gzip","authorization":"Bearer **** sk-oai-1P7VRKUGeAbZ9GxQ0_ntvhm4MrPgBGAOX8HsiyYsXq1n5ubmlegyVehsL5Jzx","user-agent":"Go-http-client/1.1","x-envoy-decorator-operation":"facebook-opt-125m-simulated-kserve-workload-svc.llm.svc.cluster.local:8000/*","x-envoy-external-address":"10.133.0.58","x-envoy-peer-metadata":"ChoKCkNMVVNURVJfSUQSDBoKS3ViZXJuZXRlcwqLAQoGTEFCRUxTEoABKn4KSwofc2VydmljZS5pc3Rpby5pby9jYW5vbmljYWwtbmFtZRIoGiZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAovCiNzZXJ2aWNlLmlzdGlvLmlvL2Nhbm9uaWNhbC1yZXZpc2lvbhIIGgZsYXRlc3QKQAoETkFNRRI4GjZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdC02ODdmZjY5OTYtZ2xsNnYKIAoJTkFNRVNQQUNFEhMaEW9wZW5zaGlmdC1pbmdyZXNzCnQKBU9XTkVSEmsaaWt1YmVybmV0ZXM6Ly9hcGlzL2FwcHMvdjEvbmFtZXNwYWNlcy9vcGVuc2hpZnQtaW5ncmVzcy9kZXBsb3ltZW50cy9tYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAo5Cg1XT1JLTE9BRF9OQU1FEigaJm1hYXMtZGVmYXVsdC1nYXRld2F5LW9wZW5zaGlmdC1kZWZhdWx0","x-envoy-peer-metadata-id":"router~10.132.0.24~maas-default-gateway-openshift-default-687ff6996-gll6v.openshift-ingress~openshift-ingress.svc.cluster.local","x-forwarded-for":"10.133.0.58","x-forwarded-proto":"https","x-maas-subscription":"simulator-subscription","x-request-id":"9ae6282e-52ce-4f66-aec4-8f4ab71193cc"},"host":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local","id":"9ae6282e-52ce-4f66-aec4-8f4ab71193cc","method":"GET","path":"/llm/facebook-opt-125m-simulated/v1/models","protocol":"HTTP/1.1","scheme":"https","time":{"nanos":810867646,"seconds":1781318335},"url_path":"/llm/facebook-opt-125m-simulated/v1/models","user_agent":"Go-http-client/1.1"},"source":{"address":"10.133.0.58:41064","port":41064}}} {"level":"debug","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"9ae6282e-52ce-4f66-aec4-8f4ab71193cc","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"9ae6282e-52ce-4f66-aec4-8f4ab71193cc","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"9ae6282e-52ce-4f66-aec4-8f4ab71193cc","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"9ae6282e-52ce-4f66-aec4-8f4ab71193cc","config":{"Name":"subscription-valid","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"9ae6282e-52ce-4f66-aec4-8f4ab71193cc","config":{"Name":"X-MaaS-Tenant","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"9ae6282e-52ce-4f66-aec4-8f4ab71193cc","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"9ae6282e-52ce-4f66-aec4-8f4ab71193cc","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"9ae6282e-52ce-4f66-aec4-8f4ab71193cc","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"} {"level":"debug","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"9ae6282e-52ce-4f66-aec4-8f4ab71193cc","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"groups","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"userid","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error","Value":{}}]},"Plain":null},"object":{"groups":["system:authenticated","Engineering","Project-Alpha"],"groups_str":"system:authenticated,Engineering,Project-Alpha","keyId":"2de60088-b2bb-4a9b-88a6-efc493a70c29","selected_subscription":"simulator-subscription","selected_subscription_key":"models-as-a-service/simulator-subscription@llm/facebook-opt-125m-simulated","subscription_error":"","subscription_error_message":"","subscription_info":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true},"userid":"alice_lead"}} {"level":"info","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"9ae6282e-52ce-4f66-aec4-8f4ab71193cc","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"9ae6282e-52ce-4f66-aec4-8f4ab71193cc","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"2a781343-36f7-4394-8995-829baaafbde7","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.10:54622","PortSpecifier":{"PortValue":54622}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.24:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"2a781343-36f7-4394-8995-829baaafbde7","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.536890ea-040e-4de6-8e80-a5d56746ec7b.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"2a781343-36f7-4394-8995-829baaafbde7","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.10:54622","PortSpecifier":{"PortValue":54622}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.24:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781318335,"nanos":908346690},"http":{"id":"2a781343-36f7-4394-8995-829baaafbde7","method":"POST","headers":{":authority":"maas.apps.536890ea-040e-4de6-8e80-a5d56746ec7b.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"2a781343-36f7-4394-8995-829baaafbde7","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781318635,"groups":["Engineering","Project-Alpha"],"iat":1781318335,"iss":"https://keycloak.apps.536890ea-040e-4de6-8e80-a5d56746ec7b.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:435f97c1-acf1-b9b0-ce5b-7f19de08e40c","preferred_username":"alice_lead","scope":"profile email","sid":"kDaMzA2giJL96RAOVoYgmgLU","sub":"6fe5c680-1afb-4729-a711-946973440b98","typ":"Bearer"}} {"level":"debug","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"2a781343-36f7-4394-8995-829baaafbde7","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781318635,"groups":["Engineering","Project-Alpha"],"iat":1781318335,"iss":"https://keycloak.apps.536890ea-040e-4de6-8e80-a5d56746ec7b.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:435f97c1-acf1-b9b0-ce5b-7f19de08e40c","preferred_username":"alice_lead","scope":"profile email","sid":"kDaMzA2giJL96RAOVoYgmgLU","sub":"6fe5c680-1afb-4729-a711-946973440b98","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.132.0.24:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.536890ea-040e-4de6-8e80-a5d56746ec7b.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"2a781343-36f7-4394-8995-829baaafbde7","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"2a781343-36f7-4394-8995-829baaafbde7","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"2a781343-36f7-4394-8995-829baaafbde7","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"2a781343-36f7-4394-8995-829baaafbde7","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"groups","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"userid","Value":{}},{"Name":"groups_str","Value":{}}]},"Plain":null},"reason":"no such key: metadata"} {"level":"debug","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"2a781343-36f7-4394-8995-829baaafbde7","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"} {"level":"debug","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"2a781343-36f7-4394-8995-829baaafbde7","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"} {"level":"debug","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"2a781343-36f7-4394-8995-829baaafbde7","config":{"Name":"X-MaaS-Tenant-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Tenant","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"models-as-a-service"} {"level":"info","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"2a781343-36f7-4394-8995-829baaafbde7","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-13T02:38:55Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"2a781343-36f7-4394-8995-829baaafbde7","authorized":true,"response":"OK"}