{"level":"info","ts":"2026-06-10T23:38:28Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"cc09b530b46a73b0d4ddb40e465580cff15db19d77e93e4903c9737647deeb1a","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-10T23:38:28Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"01918e70442d2cb18c94316131b0e0a241b4a5d12df5b1e1981a3bef420bbdb5","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"True","lastTransitionTime":"2026-06-10T23:38:28Z","reason":"HostsLinked"},{"type":"Ready","status":"True","lastTransitionTime":"2026-06-10T23:38:28Z","reason":"Reconciled"}],"summary":{"ready":true,"hostsReady":["01918e70442d2cb18c94316131b0e0a241b4a5d12df5b1e1981a3bef420bbdb5"],"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":6,"festivalWristbandEnabled":false}}} {"level":"info","ts":"2026-06-10T23:38:28Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/cc09b530b46a73b0d4ddb40e465580cff15db19d77e93e4903c9737647deeb1a"} {"level":"debug","ts":"2026-06-10T23:38:28Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/cc09b530b46a73b0d4ddb40e465580cff15db19d77e93e4903c9737647deeb1a","issuerUrl":"https://keycloak.apps.bf7c6015-b8b2-4c18-917d-bc2be0386b80.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-10T23:38:28Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"01918e70442d2cb18c94316131b0e0a241b4a5d12df5b1e1981a3bef420bbdb5","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-10T23:38:28Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"cc09b530b46a73b0d4ddb40e465580cff15db19d77e93e4903c9737647deeb1a","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-10T23:38:28Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"01918e70442d2cb18c94316131b0e0a241b4a5d12df5b1e1981a3bef420bbdb5","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-10T23:38:28Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"cc09b530b46a73b0d4ddb40e465580cff15db19d77e93e4903c9737647deeb1a","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-10T23:38:28Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/cc09b530b46a73b0d4ddb40e465580cff15db19d77e93e4903c9737647deeb1a"} {"level":"debug","ts":"2026-06-10T23:38:28Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/01918e70442d2cb18c94316131b0e0a241b4a5d12df5b1e1981a3bef420bbdb5","issuerUrl":"https://keycloak.apps.bf7c6015-b8b2-4c18-917d-bc2be0386b80.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-10T23:38:28Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"cc09b530b46a73b0d4ddb40e465580cff15db19d77e93e4903c9737647deeb1a","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"True","lastTransitionTime":"2026-06-10T23:38:28Z","reason":"HostsLinked"},{"type":"Ready","status":"True","lastTransitionTime":"2026-06-10T23:38:28Z","reason":"Reconciled"}],"summary":{"ready":true,"hostsReady":["cc09b530b46a73b0d4ddb40e465580cff15db19d77e93e4903c9737647deeb1a"],"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":6,"festivalWristbandEnabled":false}}} {"level":"info","ts":"2026-06-10T23:38:28Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/01918e70442d2cb18c94316131b0e0a241b4a5d12df5b1e1981a3bef420bbdb5"} {"level":"info","ts":"2026-06-10T23:38:28Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"cc09b530b46a73b0d4ddb40e465580cff15db19d77e93e4903c9737647deeb1a","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-10T23:38:28Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"cc09b530b46a73b0d4ddb40e465580cff15db19d77e93e4903c9737647deeb1a","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"False","lastTransitionTime":"2026-06-10T23:38:28Z","reason":"HostsNotLinked","message":"No hosts linked to the resource"},{"type":"Ready","status":"False","lastTransitionTime":"2026-06-10T23:38:28Z","reason":"Reconciling"}],"summary":{"ready":false,"hostsReady":[],"numHostsReady":"0/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":6,"festivalWristbandEnabled":false}}} {"level":"debug","ts":"2026-06-10T23:38:28Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/cc09b530b46a73b0d4ddb40e465580cff15db19d77e93e4903c9737647deeb1a","issuerUrl":"https://keycloak.apps.bf7c6015-b8b2-4c18-917d-bc2be0386b80.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-10T23:38:28Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"cc09b530b46a73b0d4ddb40e465580cff15db19d77e93e4903c9737647deeb1a","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-10T23:38:28Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"cc09b530b46a73b0d4ddb40e465580cff15db19d77e93e4903c9737647deeb1a","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-10T23:38:28Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"cc09b530b46a73b0d4ddb40e465580cff15db19d77e93e4903c9737647deeb1a","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-10T23:38:28Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/cc09b530b46a73b0d4ddb40e465580cff15db19d77e93e4903c9737647deeb1a"} {"level":"debug","ts":"2026-06-10T23:38:28Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/cc09b530b46a73b0d4ddb40e465580cff15db19d77e93e4903c9737647deeb1a","issuerUrl":"https://keycloak.apps.bf7c6015-b8b2-4c18-917d-bc2be0386b80.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-10T23:38:28Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"e50f5fdcb9fb7e124557afe69edae9a95d05da488eae1cc4b5c1c7c1220a826a","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-10T23:38:28Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"cc09b530b46a73b0d4ddb40e465580cff15db19d77e93e4903c9737647deeb1a","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-10T23:38:28Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/cc09b530b46a73b0d4ddb40e465580cff15db19d77e93e4903c9737647deeb1a"} {"level":"debug","ts":"2026-06-10T23:38:28Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/e50f5fdcb9fb7e124557afe69edae9a95d05da488eae1cc4b5c1c7c1220a826a","issuerUrl":"https://keycloak.apps.bf7c6015-b8b2-4c18-917d-bc2be0386b80.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-10T23:38:28Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/e50f5fdcb9fb7e124557afe69edae9a95d05da488eae1cc4b5c1c7c1220a826a"} {"level":"debug","ts":"2026-06-10T23:38:28Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"cc09b530b46a73b0d4ddb40e465580cff15db19d77e93e4903c9737647deeb1a","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"True","lastTransitionTime":"2026-06-10T23:38:28Z","reason":"HostsLinked"},{"type":"Ready","status":"True","lastTransitionTime":"2026-06-10T23:38:28Z","reason":"Reconciled"}],"summary":{"ready":true,"hostsReady":["cc09b530b46a73b0d4ddb40e465580cff15db19d77e93e4903c9737647deeb1a"],"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":6,"festivalWristbandEnabled":false}}} {"level":"info","ts":"2026-06-10T23:38:28Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"cc09b530b46a73b0d4ddb40e465580cff15db19d77e93e4903c9737647deeb1a","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-10T23:38:28Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"cc09b530b46a73b0d4ddb40e465580cff15db19d77e93e4903c9737647deeb1a","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-10T23:38:28Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/cc09b530b46a73b0d4ddb40e465580cff15db19d77e93e4903c9737647deeb1a","issuerUrl":"https://keycloak.apps.bf7c6015-b8b2-4c18-917d-bc2be0386b80.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-10T23:38:28Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/cc09b530b46a73b0d4ddb40e465580cff15db19d77e93e4903c9737647deeb1a"} {"level":"debug","ts":"2026-06-10T23:38:28Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"4dc577fd60594d78a4a8bebe396f4b5a928f41bdc3f95c06d717cf1ddc3158b2","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-10T23:38:28Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/4dc577fd60594d78a4a8bebe396f4b5a928f41bdc3f95c06d717cf1ddc3158b2","issuerUrl":"https://keycloak.apps.bf7c6015-b8b2-4c18-917d-bc2be0386b80.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-10T23:38:28Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"bf72a6316f6ed79299511e58d068836cdc71dbca5e23944f783c9340ffa0aee1","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-10T23:38:28Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"edcceb5a2e0cf1edde0fc3ed43068ce5b123a6fdc41949959c2c3b7a5a48bf24","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-10T23:38:28Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/4dc577fd60594d78a4a8bebe396f4b5a928f41bdc3f95c06d717cf1ddc3158b2"} {"level":"debug","ts":"2026-06-10T23:38:28Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/bf72a6316f6ed79299511e58d068836cdc71dbca5e23944f783c9340ffa0aee1","issuerUrl":"https://keycloak.apps.bf7c6015-b8b2-4c18-917d-bc2be0386b80.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-10T23:38:28Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"df733b2c652bfe2458c9e19932b1091e939c1a62178d6879462b3b4f73fca4bb","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-10T23:38:28Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"3dd75e19cd66d310c30638e330078972afd6d2d96305f91055bc6a6f363fb8d3","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-10T23:38:28Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/bf72a6316f6ed79299511e58d068836cdc71dbca5e23944f783c9340ffa0aee1"} {"level":"debug","ts":"2026-06-10T23:38:28Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/edcceb5a2e0cf1edde0fc3ed43068ce5b123a6fdc41949959c2c3b7a5a48bf24","issuerUrl":"https://keycloak.apps.bf7c6015-b8b2-4c18-917d-bc2be0386b80.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-10T23:38:28Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/edcceb5a2e0cf1edde0fc3ed43068ce5b123a6fdc41949959c2c3b7a5a48bf24"} {"level":"debug","ts":"2026-06-10T23:38:28Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/df733b2c652bfe2458c9e19932b1091e939c1a62178d6879462b3b4f73fca4bb","issuerUrl":"https://keycloak.apps.bf7c6015-b8b2-4c18-917d-bc2be0386b80.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-10T23:38:28Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/df733b2c652bfe2458c9e19932b1091e939c1a62178d6879462b3b4f73fca4bb"} {"level":"debug","ts":"2026-06-10T23:38:28Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/3dd75e19cd66d310c30638e330078972afd6d2d96305f91055bc6a6f363fb8d3","issuerUrl":"https://keycloak.apps.bf7c6015-b8b2-4c18-917d-bc2be0386b80.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-10T23:38:28Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"18e32965997cdd9967355c6fa5264ed12c0a215989d459ed88d7d6de02865f76","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-10T23:38:28Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/3dd75e19cd66d310c30638e330078972afd6d2d96305f91055bc6a6f363fb8d3"} {"level":"debug","ts":"2026-06-10T23:38:28Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"331dc257e65f55f80700a586f7807093eda7b3d8e7d91215dc3c47731508480c","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-10T23:38:28Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/18e32965997cdd9967355c6fa5264ed12c0a215989d459ed88d7d6de02865f76","issuerUrl":"https://keycloak.apps.bf7c6015-b8b2-4c18-917d-bc2be0386b80.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-10T23:38:28Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"3dc75fc8307b952a3e873400cf417e90f2861e8a225abec4b22708deb7901db7","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-10T23:38:28Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/18e32965997cdd9967355c6fa5264ed12c0a215989d459ed88d7d6de02865f76"} {"level":"debug","ts":"2026-06-10T23:38:28Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/331dc257e65f55f80700a586f7807093eda7b3d8e7d91215dc3c47731508480c","issuerUrl":"https://keycloak.apps.bf7c6015-b8b2-4c18-917d-bc2be0386b80.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-10T23:38:28Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"311b1be286674fd5684c9ac59b318287dade9769cfe4aeebd8c88e2dc6b72418","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-10T23:38:28Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/331dc257e65f55f80700a586f7807093eda7b3d8e7d91215dc3c47731508480c"} {"level":"debug","ts":"2026-06-10T23:38:28Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"3c0d47082320c9bb02d3788ab2b052c696af91abc2ae438437ae71a26936c7c2","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-10T23:38:28Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/3dc75fc8307b952a3e873400cf417e90f2861e8a225abec4b22708deb7901db7","issuerUrl":"https://keycloak.apps.bf7c6015-b8b2-4c18-917d-bc2be0386b80.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-10T23:38:29Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"e38d76c6f386f12bc12190c87b39e6e77e182be454f85659a9197c301f2cd9be","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-10T23:38:29Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/3dc75fc8307b952a3e873400cf417e90f2861e8a225abec4b22708deb7901db7"} {"level":"debug","ts":"2026-06-10T23:38:29Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/311b1be286674fd5684c9ac59b318287dade9769cfe4aeebd8c88e2dc6b72418","issuerUrl":"https://keycloak.apps.bf7c6015-b8b2-4c18-917d-bc2be0386b80.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-10T23:38:29Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/311b1be286674fd5684c9ac59b318287dade9769cfe4aeebd8c88e2dc6b72418"} {"level":"debug","ts":"2026-06-10T23:38:29Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/3c0d47082320c9bb02d3788ab2b052c696af91abc2ae438437ae71a26936c7c2","issuerUrl":"https://keycloak.apps.bf7c6015-b8b2-4c18-917d-bc2be0386b80.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-10T23:38:29Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"80f10756c0e833d16937036ed66f1daf5bef95559ef05a5e852766b97b9bdaef","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-10T23:38:29Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/3c0d47082320c9bb02d3788ab2b052c696af91abc2ae438437ae71a26936c7c2"} {"level":"debug","ts":"2026-06-10T23:38:29Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/e38d76c6f386f12bc12190c87b39e6e77e182be454f85659a9197c301f2cd9be","issuerUrl":"https://keycloak.apps.bf7c6015-b8b2-4c18-917d-bc2be0386b80.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-10T23:38:29Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"319a353672fc7601c875fa3f8b807adf60b64f093f022b2a1c3dfef3ac8cd4f4","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-10T23:38:29Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/e38d76c6f386f12bc12190c87b39e6e77e182be454f85659a9197c301f2cd9be"} {"level":"debug","ts":"2026-06-10T23:38:29Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"9bbfc0b2e9e9acadd41342cd7c36a24afa8a5eef942d161782a6adae8411158a","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-10T23:38:29Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/80f10756c0e833d16937036ed66f1daf5bef95559ef05a5e852766b97b9bdaef","issuerUrl":"https://keycloak.apps.bf7c6015-b8b2-4c18-917d-bc2be0386b80.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-10T23:38:29Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"b1f82c4ba6cc7617f9c0b90067f72f4a25fdc5de2564c14ccb90af534a2905f6","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-10T23:38:29Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/80f10756c0e833d16937036ed66f1daf5bef95559ef05a5e852766b97b9bdaef"} {"level":"debug","ts":"2026-06-10T23:38:29Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/319a353672fc7601c875fa3f8b807adf60b64f093f022b2a1c3dfef3ac8cd4f4","issuerUrl":"https://keycloak.apps.bf7c6015-b8b2-4c18-917d-bc2be0386b80.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-10T23:38:29Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-10T23:38:29Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/319a353672fc7601c875fa3f8b807adf60b64f093f022b2a1c3dfef3ac8cd4f4"} {"level":"debug","ts":"2026-06-10T23:38:29Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/9bbfc0b2e9e9acadd41342cd7c36a24afa8a5eef942d161782a6adae8411158a","issuerUrl":"https://keycloak.apps.bf7c6015-b8b2-4c18-917d-bc2be0386b80.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-10T23:38:29Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/9bbfc0b2e9e9acadd41342cd7c36a24afa8a5eef942d161782a6adae8411158a"} {"level":"debug","ts":"2026-06-10T23:38:29Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/b1f82c4ba6cc7617f9c0b90067f72f4a25fdc5de2564c14ccb90af534a2905f6","issuerUrl":"https://keycloak.apps.bf7c6015-b8b2-4c18-917d-bc2be0386b80.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-10T23:38:29Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-10T23:38:29Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/b1f82c4ba6cc7617f9c0b90067f72f4a25fdc5de2564c14ccb90af534a2905f6"} {"level":"debug","ts":"2026-06-10T23:38:29Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d","issuerUrl":"https://keycloak.apps.bf7c6015-b8b2-4c18-917d-bc2be0386b80.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-10T23:38:29Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"d3b195a61a7f24c6bf1fba40f9f2e2565facb6af92e959c1546ac398a9172618","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-10T23:38:29Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"} {"level":"debug","ts":"2026-06-10T23:38:29Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"86cbb62fb4d82d4dc402b3281444539a5625c4bb4c86bbc4912c70e690a2e374","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-10T23:38:29Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5","issuerUrl":"https://keycloak.apps.bf7c6015-b8b2-4c18-917d-bc2be0386b80.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-10T23:38:29Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"5fea747cb803a5ee3aeb620187bd9ec74ccccd10a92474ef528215a7ff146c8f","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-10T23:38:29Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5"} {"level":"debug","ts":"2026-06-10T23:38:29Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/d3b195a61a7f24c6bf1fba40f9f2e2565facb6af92e959c1546ac398a9172618","issuerUrl":"https://keycloak.apps.bf7c6015-b8b2-4c18-917d-bc2be0386b80.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-10T23:38:29Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"35d34d59676c333235d7c9f02273e0380bb39f27cfd30856fedc0f7c0e5f79aa","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-10T23:38:29Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"a89b0896df0d8cd430f1c81b6eb292ddc044daed393537d009a6330718f58d4b","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-10T23:38:29Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/d3b195a61a7f24c6bf1fba40f9f2e2565facb6af92e959c1546ac398a9172618"} {"level":"debug","ts":"2026-06-10T23:38:29Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/86cbb62fb4d82d4dc402b3281444539a5625c4bb4c86bbc4912c70e690a2e374","issuerUrl":"https://keycloak.apps.bf7c6015-b8b2-4c18-917d-bc2be0386b80.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-10T23:38:29Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"c9f2cdb36f800bc8ef8831e6117ec4c6cc521d8cd63b718b7906225d0f25e59f","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-10T23:38:29Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/86cbb62fb4d82d4dc402b3281444539a5625c4bb4c86bbc4912c70e690a2e374"} {"level":"debug","ts":"2026-06-10T23:38:29Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/5fea747cb803a5ee3aeb620187bd9ec74ccccd10a92474ef528215a7ff146c8f","issuerUrl":"https://keycloak.apps.bf7c6015-b8b2-4c18-917d-bc2be0386b80.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-10T23:38:29Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/5fea747cb803a5ee3aeb620187bd9ec74ccccd10a92474ef528215a7ff146c8f"} {"level":"debug","ts":"2026-06-10T23:38:29Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/35d34d59676c333235d7c9f02273e0380bb39f27cfd30856fedc0f7c0e5f79aa","issuerUrl":"https://keycloak.apps.bf7c6015-b8b2-4c18-917d-bc2be0386b80.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-10T23:38:29Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/35d34d59676c333235d7c9f02273e0380bb39f27cfd30856fedc0f7c0e5f79aa"} {"level":"debug","ts":"2026-06-10T23:38:29Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/a89b0896df0d8cd430f1c81b6eb292ddc044daed393537d009a6330718f58d4b","issuerUrl":"https://keycloak.apps.bf7c6015-b8b2-4c18-917d-bc2be0386b80.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-10T23:38:29Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/a89b0896df0d8cd430f1c81b6eb292ddc044daed393537d009a6330718f58d4b"} {"level":"debug","ts":"2026-06-10T23:38:29Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/c9f2cdb36f800bc8ef8831e6117ec4c6cc521d8cd63b718b7906225d0f25e59f","issuerUrl":"https://keycloak.apps.bf7c6015-b8b2-4c18-917d-bc2be0386b80.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-10T23:38:29Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/c9f2cdb36f800bc8ef8831e6117ec4c6cc521d8cd63b718b7906225d0f25e59f"} {"level":"info","ts":"2026-06-10T23:38:29Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource de-indexed","authconfig":"kuadrant-system/2200947db0f3acc41dd3fca21efa06f90c57afddd36d719bdda2dc74a0bd0a11"} {"level":"info","ts":"2026-06-10T23:38:29Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource de-indexed","authconfig":"kuadrant-system/3efb8e937aa19b5e0bdd0c3eb5b4ece33299385dcfc89205b8934853facbdcf0"} {"level":"info","ts":"2026-06-10T23:38:53Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"9a10deb3-67fa-48a0-bfad-dacd76072291","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.14:48804","PortSpecifier":{"PortValue":48804}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.27:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"9a10deb3-67fa-48a0-bfad-dacd76072291","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.bf7c6015-b8b2-4c18-917d-bc2be0386b80.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-10T23:38:53Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"9a10deb3-67fa-48a0-bfad-dacd76072291","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.14:48804","PortSpecifier":{"PortValue":48804}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.27:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781134733,"nanos":922538150},"http":{"id":"9a10deb3-67fa-48a0-bfad-dacd76072291","method":"POST","headers":{":authority":"maas.apps.bf7c6015-b8b2-4c18-917d-bc2be0386b80.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-10T23:38:53Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"9a10deb3-67fa-48a0-bfad-dacd76072291","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781135033,"groups":["Engineering","Project-Alpha"],"iat":1781134733,"iss":"https://keycloak.apps.bf7c6015-b8b2-4c18-917d-bc2be0386b80.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:fceb3bf6-eb45-ba74-2506-0982ff6bb853","preferred_username":"alice_lead","scope":"email profile","sid":"FMMwhuEPNiCFdUAewEoiDoba","sub":"77fa0416-5d00-49f1-b66c-b4ad39ad3060","typ":"Bearer"}} {"level":"debug","ts":"2026-06-10T23:38:53Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"9a10deb3-67fa-48a0-bfad-dacd76072291","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781135033,"groups":["Engineering","Project-Alpha"],"iat":1781134733,"iss":"https://keycloak.apps.bf7c6015-b8b2-4c18-917d-bc2be0386b80.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:fceb3bf6-eb45-ba74-2506-0982ff6bb853","preferred_username":"alice_lead","scope":"email profile","sid":"FMMwhuEPNiCFdUAewEoiDoba","sub":"77fa0416-5d00-49f1-b66c-b4ad39ad3060","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.134.0.27:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.bf7c6015-b8b2-4c18-917d-bc2be0386b80.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-10T23:38:53Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"9a10deb3-67fa-48a0-bfad-dacd76072291","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-10T23:38:53Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"9a10deb3-67fa-48a0-bfad-dacd76072291","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-10T23:38:53Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"9a10deb3-67fa-48a0-bfad-dacd76072291","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-10T23:38:53Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"9a10deb3-67fa-48a0-bfad-dacd76072291","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"userid","Value":{}},{"Name":"groups","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription_key","Value":{}}]},"Plain":null},"reason":"no such key: metadata"} {"level":"debug","ts":"2026-06-10T23:38:53Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"9a10deb3-67fa-48a0-bfad-dacd76072291","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"} {"level":"debug","ts":"2026-06-10T23:38:53Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"9a10deb3-67fa-48a0-bfad-dacd76072291","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"} {"level":"info","ts":"2026-06-10T23:38:53Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"9a10deb3-67fa-48a0-bfad-dacd76072291","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-10T23:38:53Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"9a10deb3-67fa-48a0-bfad-dacd76072291","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-10T23:38:54Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"6842d01d-7f98-4621-bc4e-bcb6206f73fa","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.14:48500","PortSpecifier":{"PortValue":48500}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.27:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"6842d01d-7f98-4621-bc4e-bcb6206f73fa","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.bf7c6015-b8b2-4c18-917d-bc2be0386b80.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-10T23:38:54Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"6842d01d-7f98-4621-bc4e-bcb6206f73fa","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.14:48500","PortSpecifier":{"PortValue":48500}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.27:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781134734,"nanos":103689743},"http":{"id":"6842d01d-7f98-4621-bc4e-bcb6206f73fa","method":"POST","headers":{":authority":"maas.apps.bf7c6015-b8b2-4c18-917d-bc2be0386b80.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-10T23:38:54Z","logger":"authorino.service.auth.authpipeline.identity","msg":"cannot validate identity","request id":"6842d01d-7f98-4621-bc4e-bcb6206f73fa","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"reason":"failed to verify signature: failed to verify id token signature"} {"level":"debug","ts":"2026-06-10T23:38:54Z","logger":"authorino.service.auth.authpipeline.identity.kubernetesauth","msg":"calling kubernetes token review api","request id":"6842d01d-7f98-4621-bc4e-bcb6206f73fa","tokenreview":{"name":""}} {"level":"debug","ts":"2026-06-10T23:38:54Z","logger":"authorino.service.auth.authpipeline.identity","msg":"cannot validate identity","request id":"6842d01d-7f98-4621-bc4e-bcb6206f73fa","config":{"Name":"openshift-identities","Priority":2,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":null,"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"Plain":null,"Noop":null,"ExtendedProperties":[]},"reason":"not authenticated"} {"level":"info","ts":"2026-06-10T23:38:54Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"6842d01d-7f98-4621-bc4e-bcb6206f73fa","authorized":false,"response":"UNAUTHENTICATED","object":{"code":16,"status":401,"message":"Authentication required"}} {"level":"debug","ts":"2026-06-10T23:38:54Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"6842d01d-7f98-4621-bc4e-bcb6206f73fa","authorized":false,"response":"UNAUTHENTICATED","object":{"code":16,"status":401,"message":"Authentication required","headers":[{"WWW-Authenticate":"request.headers.authorization realm=\"api-keys\""},{"WWW-Authenticate":"Bearer **** realm=\"openshift-identities\""}]}} {"level":"info","ts":"2026-06-10T23:38:54Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"38da4e06-b0fc-4a57-a268-7e774c6b7f6d","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.14:48510","PortSpecifier":{"PortValue":48510}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.27:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"38da4e06-b0fc-4a57-a268-7e774c6b7f6d","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.bf7c6015-b8b2-4c18-917d-bc2be0386b80.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-10T23:38:54Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"38da4e06-b0fc-4a57-a268-7e774c6b7f6d","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.14:48510","PortSpecifier":{"PortValue":48510}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.27:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781134734,"nanos":144662461},"http":{"id":"38da4e06-b0fc-4a57-a268-7e774c6b7f6d","method":"POST","headers":{":authority":"maas.apps.bf7c6015-b8b2-4c18-917d-bc2be0386b80.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer","content-length":"35","content-type":"application/json","forwarded":"for=44.212.242.249;host=maas.apps.bf7c6015-b8b2-4c18-917d-bc2be0386b80.prod.konfluxeaas.com;proto=https","user-agent":"python-requests/2.32.5","x-envoy-decorator-operation":"maas-api.opendatahub.svc.cluster.local:8443/*","x-envoy-external-address":"10.132.0.14","x-envoy-peer-metadata":"ChoKCkNMVVNURVJfSUQSDBoKS3ViZXJuZXRlcwqLAQoGTEFCRUxTEoABKn4KSwofc2VydmljZS5pc3Rpby5pby9jYW5vbmljYWwtbmFtZRIoGiZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAovCiNzZXJ2aWNlLmlzdGlvLmlvL2Nhbm9uaWNhbC1yZXZpc2lvbhIIGgZsYXRlc3QKQAoETkFNRRI4GjZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdC02ODdmZjY5OTYtOHNyZnMKIAoJTkFNRVNQQUNFEhMaEW9wZW5zaGlmdC1pbmdyZXNzCnQKBU9XTkVSEmsaaWt1YmVybmV0ZXM6Ly9hcGlzL2FwcHMvdjEvbmFtZXNwYWNlcy9vcGVuc2hpZnQtaW5ncmVzcy9kZXBsb3ltZW50cy9tYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAo5Cg1XT1JLTE9BRF9OQU1FEigaJm1hYXMtZGVmYXVsdC1nYXRld2F5LW9wZW5zaGlmdC1kZWZhdWx0","x-envoy-peer-metadata-id":"router~10.134.0.27~maas-default-gateway-openshift-default-687ff6996-8srfs.openshift-ingress~openshift-ingress.svc.cluster.local","x-forwarded-for":"44.212.242.249,10.132.0.14","x-forwarded-host":"maas.apps.bf7c6015-b8b2-4c18-917d-bc2be0386b80.prod.konfluxeaas.com","x-forwarded-port":"443","x-forwarded-proto":"https","x-request-id":"38da4e06-b0fc-4a57-a268-7e774c6b7f6d"},"path":"/maas-api/v1/api-keys","host":"maas.apps.bf7c6015-b8b2-4c18-917d-bc2be0386b80.prod.konfluxeaas.com","scheme":"https","protocol":"HTTP/1.1"}},"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"metadata_context":{}}} {"level":"debug","ts":"2026-06-10T23:38:54Z","logger":"authorino.service.auth.authpipeline.identity","msg":"cannot validate identity","request id":"38da4e06-b0fc-4a57-a268-7e774c6b7f6d","config":{"Name":"openshift-identities","Priority":2,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":null,"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"Plain":null,"Noop":null,"ExtendedProperties":[]},"reason":"credential not found"} {"level":"info","ts":"2026-06-10T23:38:54Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"38da4e06-b0fc-4a57-a268-7e774c6b7f6d","authorized":false,"response":"UNAUTHENTICATED","object":{"code":16,"status":401,"message":"Authentication required"}} {"level":"debug","ts":"2026-06-10T23:38:54Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"38da4e06-b0fc-4a57-a268-7e774c6b7f6d","authorized":false,"response":"UNAUTHENTICATED","object":{"code":16,"status":401,"message":"Authentication required","headers":[{"WWW-Authenticate":"request.headers.authorization realm=\"api-keys\""},{"WWW-Authenticate":"Bearer **** realm=\"openshift-identities\""}]}} {"level":"info","ts":"2026-06-10T23:38:54Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"9e2ff3db-290d-4d08-b0db-48d7b78bf7c4","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.14:48516","PortSpecifier":{"PortValue":48516}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.27:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"9e2ff3db-290d-4d08-b0db-48d7b78bf7c4","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.bf7c6015-b8b2-4c18-917d-bc2be0386b80.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-10T23:38:54Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"9e2ff3db-290d-4d08-b0db-48d7b78bf7c4","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.14:48516","PortSpecifier":{"PortValue":48516}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.27:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781134734,"nanos":171624269},"http":{"id":"9e2ff3db-290d-4d08-b0db-48d7b78bf7c4","method":"POST","headers":{":authority":"maas.apps.bf7c6015-b8b2-4c18-917d-bc2be0386b80.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","content-length":"36","content-type":"application/json","forwarded":"for=44.212.242.249;host=maas.apps.bf7c6015-b8b2-4c18-917d-bc2be0386b80.prod.konfluxeaas.com;proto=https","user-agent":"python-requests/2.32.5","x-envoy-decorator-operation":"maas-api.opendatahub.svc.cluster.local:8443/*","x-envoy-external-address":"10.132.0.14","x-envoy-peer-metadata":"ChoKCkNMVVNURVJfSUQSDBoKS3ViZXJuZXRlcwqLAQoGTEFCRUxTEoABKn4KSwofc2VydmljZS5pc3Rpby5pby9jYW5vbmljYWwtbmFtZRIoGiZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAovCiNzZXJ2aWNlLmlzdGlvLmlvL2Nhbm9uaWNhbC1yZXZpc2lvbhIIGgZsYXRlc3QKQAoETkFNRRI4GjZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdC02ODdmZjY5OTYtOHNyZnMKIAoJTkFNRVNQQUNFEhMaEW9wZW5zaGlmdC1pbmdyZXNzCnQKBU9XTkVSEmsaaWt1YmVybmV0ZXM6Ly9hcGlzL2FwcHMvdjEvbmFtZXNwYWNlcy9vcGVuc2hpZnQtaW5ncmVzcy9kZXBsb3ltZW50cy9tYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAo5Cg1XT1JLTE9BRF9OQU1FEigaJm1hYXMtZGVmYXVsdC1nYXRld2F5LW9wZW5zaGlmdC1kZWZhdWx0","x-envoy-peer-metadata-id":"router~10.134.0.27~maas-default-gateway-openshift-default-687ff6996-8srfs.openshift-ingress~openshift-ingress.svc.cluster.local","x-forwarded-for":"44.212.242.249,10.132.0.14","x-forwarded-host":"maas.apps.bf7c6015-b8b2-4c18-917d-bc2be0386b80.prod.konfluxeaas.com","x-forwarded-port":"443","x-forwarded-proto":"https","x-request-id":"9e2ff3db-290d-4d08-b0db-48d7b78bf7c4"},"path":"/maas-api/v1/api-keys","host":"maas.apps.bf7c6015-b8b2-4c18-917d-bc2be0386b80.prod.konfluxeaas.com","scheme":"https","protocol":"HTTP/1.1"}},"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"metadata_context":{}}} {"level":"info","ts":"2026-06-10T23:38:54Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"9e2ff3db-290d-4d08-b0db-48d7b78bf7c4","authorized":false,"response":"UNAUTHENTICATED","object":{"code":16,"status":401,"message":"Authentication required"}} {"level":"debug","ts":"2026-06-10T23:38:54Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"9e2ff3db-290d-4d08-b0db-48d7b78bf7c4","authorized":false,"response":"UNAUTHENTICATED","object":{"code":16,"status":401,"message":"Authentication required","headers":[{"WWW-Authenticate":"request.headers.authorization realm=\"api-keys\""},{"WWW-Authenticate":"Bearer **** realm=\"openshift-identities\""}]}} {"level":"info","ts":"2026-06-10T23:38:54Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"a152a5f5-1eed-42d2-a86b-6a43d09a3ff3","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.14:48532","PortSpecifier":{"PortValue":48532}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.27:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"a152a5f5-1eed-42d2-a86b-6a43d09a3ff3","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.bf7c6015-b8b2-4c18-917d-bc2be0386b80.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-10T23:38:54Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"a152a5f5-1eed-42d2-a86b-6a43d09a3ff3","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.14:48532","PortSpecifier":{"PortValue":48532}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.27:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781134734,"nanos":822905197},"http":{"id":"a152a5f5-1eed-42d2-a86b-6a43d09a3ff3","method":"POST","headers":{":authority":"maas.apps.bf7c6015-b8b2-4c18-917d-bc2be0386b80.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-10T23:38:54Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"a152a5f5-1eed-42d2-a86b-6a43d09a3ff3","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781135034,"groups":["Site-Reliability"],"iat":1781134734,"iss":"https://keycloak.apps.bf7c6015-b8b2-4c18-917d-bc2be0386b80.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:399378d3-6abd-1315-4d8c-fa1fadb16f1c","preferred_username":"bob_sre","scope":"email profile","sid":"EPKfyP2UyFL7fEv3riefL-F0","sub":"374393a2-cdb2-46aa-83c3-44363d03e9b6","typ":"Bearer"}} {"level":"debug","ts":"2026-06-10T23:38:54Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"a152a5f5-1eed-42d2-a86b-6a43d09a3ff3","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781135034,"groups":["Site-Reliability"],"iat":1781134734,"iss":"https://keycloak.apps.bf7c6015-b8b2-4c18-917d-bc2be0386b80.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:399378d3-6abd-1315-4d8c-fa1fadb16f1c","preferred_username":"bob_sre","scope":"email profile","sid":"EPKfyP2UyFL7fEv3riefL-F0","sub":"374393a2-cdb2-46aa-83c3-44363d03e9b6","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.134.0.27:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.bf7c6015-b8b2-4c18-917d-bc2be0386b80.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-10T23:38:54Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"a152a5f5-1eed-42d2-a86b-6a43d09a3ff3","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-10T23:38:54Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"a152a5f5-1eed-42d2-a86b-6a43d09a3ff3","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-10T23:38:54Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"a152a5f5-1eed-42d2-a86b-6a43d09a3ff3","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-10T23:38:54Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"a152a5f5-1eed-42d2-a86b-6a43d09a3ff3","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"userid","Value":{}},{"Name":"groups","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription_key","Value":{}}]},"Plain":null},"reason":"no such key: metadata"} {"level":"debug","ts":"2026-06-10T23:38:54Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"a152a5f5-1eed-42d2-a86b-6a43d09a3ff3","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"bob_sre"} {"level":"debug","ts":"2026-06-10T23:38:54Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"a152a5f5-1eed-42d2-a86b-6a43d09a3ff3","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Site-Reliability\"]"} {"level":"info","ts":"2026-06-10T23:38:54Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"a152a5f5-1eed-42d2-a86b-6a43d09a3ff3","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-10T23:38:54Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"a152a5f5-1eed-42d2-a86b-6a43d09a3ff3","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-10T23:38:55Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"f8062025-88a7-41bf-8505-99c2e33a07cf","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.14:48546","PortSpecifier":{"PortValue":48546}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.27:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"f8062025-88a7-41bf-8505-99c2e33a07cf","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.bf7c6015-b8b2-4c18-917d-bc2be0386b80.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-10T23:38:55Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"f8062025-88a7-41bf-8505-99c2e33a07cf","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.14:48546","PortSpecifier":{"PortValue":48546}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.27:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781134735,"nanos":234355716},"http":{"id":"f8062025-88a7-41bf-8505-99c2e33a07cf","method":"POST","headers":{":authority":"maas.apps.bf7c6015-b8b2-4c18-917d-bc2be0386b80.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-10T23:38:55Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"f8062025-88a7-41bf-8505-99c2e33a07cf","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781135035,"groups":["Engineering","Project-Alpha"],"iat":1781134735,"iss":"https://keycloak.apps.bf7c6015-b8b2-4c18-917d-bc2be0386b80.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:1d58e0ce-e89f-18fe-c418-e58a073be870","preferred_username":"alice_lead","scope":"email profile","sid":"a28ynMrCS66FkT9Y7BeP-DfH","sub":"77fa0416-5d00-49f1-b66c-b4ad39ad3060","typ":"Bearer"}} {"level":"debug","ts":"2026-06-10T23:38:55Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"f8062025-88a7-41bf-8505-99c2e33a07cf","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781135035,"groups":["Engineering","Project-Alpha"],"iat":1781134735,"iss":"https://keycloak.apps.bf7c6015-b8b2-4c18-917d-bc2be0386b80.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:1d58e0ce-e89f-18fe-c418-e58a073be870","preferred_username":"alice_lead","scope":"email profile","sid":"a28ynMrCS66FkT9Y7BeP-DfH","sub":"77fa0416-5d00-49f1-b66c-b4ad39ad3060","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.134.0.27:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.bf7c6015-b8b2-4c18-917d-bc2be0386b80.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-10T23:38:55Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"f8062025-88a7-41bf-8505-99c2e33a07cf","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-10T23:38:55Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"f8062025-88a7-41bf-8505-99c2e33a07cf","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-10T23:38:55Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"f8062025-88a7-41bf-8505-99c2e33a07cf","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-10T23:38:55Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"f8062025-88a7-41bf-8505-99c2e33a07cf","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"userid","Value":{}},{"Name":"groups","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription_key","Value":{}}]},"Plain":null},"reason":"no such key: metadata"} {"level":"debug","ts":"2026-06-10T23:38:55Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"f8062025-88a7-41bf-8505-99c2e33a07cf","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"} {"level":"debug","ts":"2026-06-10T23:38:55Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"f8062025-88a7-41bf-8505-99c2e33a07cf","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"} {"level":"info","ts":"2026-06-10T23:38:55Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"f8062025-88a7-41bf-8505-99c2e33a07cf","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-10T23:38:55Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"f8062025-88a7-41bf-8505-99c2e33a07cf","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-10T23:38:55Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"464afef8-81bf-9450-8807-21114fe2b721","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.14:48548","PortSpecifier":{"PortValue":48548}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.27:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"464afef8-81bf-9450-8807-21114fe2b721","method":"GET","path":"/maas-api/v1/models","host":"maas.apps.bf7c6015-b8b2-4c18-917d-bc2be0386b80.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-10T23:38:55Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"464afef8-81bf-9450-8807-21114fe2b721","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.14:48548","PortSpecifier":{"PortValue":48548}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.27:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781134735,"nanos":267329528},"http":{"id":"464afef8-81bf-9450-8807-21114fe2b721","method":"GET","headers":{":authority":"maas.apps.bf7c6015-b8b2-4c18-917d-bc2be0386b80.prod.konfluxeaas.com",":method":"GET",":path":"/maas-api/v1/models",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-10T23:38:55Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"464afef8-81bf-9450-8807-21114fe2b721","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-17OCiicLhC16R2hQ4_1Ee5UBnJiVGLZ80ZR2tcB2Uq8BC9mYwhADXIpSyG0HB"} {"level":"debug","ts":"2026-06-10T23:38:55Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"464afef8-81bf-9450-8807-21114fe2b721","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-17OCiicLhC16R2hQ4_1Ee5UBnJiVGLZ80ZR2tcB2Uq8BC9mYwhADXIpSyG0HB\"}"} {"level":"debug","ts":"2026-06-10T23:38:55Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"464afef8-81bf-9450-8807-21114fe2b721","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-10T23:38:55Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"464afef8-81bf-9450-8807-21114fe2b721","input":{"auth":{"identity":"Bearer **** deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-10T23:38:55Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"464afef8-81bf-9450-8807-21114fe2b721","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-10T23:38:55Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"464afef8-81bf-9450-8807-21114fe2b721","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-10T23:38:55Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"464afef8-81bf-9450-8807-21114fe2b721","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-10T23:38:55Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"464afef8-81bf-9450-8807-21114fe2b721","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-10T23:38:55Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"464afef8-81bf-9450-8807-21114fe2b721","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-10T23:38:55Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"464afef8-81bf-9450-8807-21114fe2b721","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"userid","Value":{}},{"Name":"groups","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription_key","Value":{}}]},"Plain":null},"reason":"no such key: subscription-info"} {"level":"debug","ts":"2026-06-10T23:38:55Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"464afef8-81bf-9450-8807-21114fe2b721","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"} {"level":"info","ts":"2026-06-10T23:38:55Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"464afef8-81bf-9450-8807-21114fe2b721","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-10T23:38:55Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"464afef8-81bf-9450-8807-21114fe2b721","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-10T23:38:55Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"124d3a7e-1698-4d1e-b579-88e4aed4e514","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.34:36364","PortSpecifier":{"PortValue":36364}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.27:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"124d3a7e-1698-4d1e-b579-88e4aed4e514","method":"GET","path":"/llm/facebook-opt-125m-simulated/v1/models","host":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local","scheme":"https"}}}} {"level":"debug","ts":"2026-06-10T23:38:55Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"124d3a7e-1698-4d1e-b579-88e4aed4e514","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.34:36364","PortSpecifier":{"PortValue":36364}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.27:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781134735,"nanos":286216816},"http":{"id":"124d3a7e-1698-4d1e-b579-88e4aed4e514","method":"GET","headers":{":authority":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local",":method":"GET",":path":"/llm/facebook-opt-125m-simulated/v1/models",":scheme":"https","accept-encoding":"gzip","authorization":"Bearer **** {"level":"debug","ts":"2026-06-10T23:38:55Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"124d3a7e-1698-4d1e-b579-88e4aed4e514","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-17OCiicLhC16R2hQ4_1Ee5UBnJiVGLZ80ZR2tcB2Uq8BC9mYwhADXIpSyG0HB"} {"level":"debug","ts":"2026-06-10T23:38:55Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"124d3a7e-1698-4d1e-b579-88e4aed4e514","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-17OCiicLhC16R2hQ4_1Ee5UBnJiVGLZ80ZR2tcB2Uq8BC9mYwhADXIpSyG0HB\"}"} {"level":"debug","ts":"2026-06-10T23:38:55Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"124d3a7e-1698-4d1e-b579-88e4aed4e514","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-10T23:38:55Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"124d3a7e-1698-4d1e-b579-88e4aed4e514","config":"subscription-info","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","headers":{"Content-Type":["application/json"]},"body":"{\"groups\":[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"],\"requestedModel\":\"llm/facebook-opt-125m-simulated\",\"requestedSubscription\":\"simulator-subscription\",\"username\":\"alice_lead\"}"} {"level":"debug","ts":"2026-06-10T23:38:55Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"124d3a7e-1698-4d1e-b579-88e4aed4e514","config":{"Name":"subscription-info","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"UserInfo":null,"UMA":null,"GenericHTTP":{"Endpoint":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","DynamicEndpoint":null,"Method":"POST","Body":{},"Parameters":[],"Headers":[],"ContentType":"application/json","SharedSecret":"","OAuth2":null,"OAuth2TokenForceFetch":false,"AuthCredentials":null}},"object":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}} {"level":"debug","ts":"2026-06-10T23:38:55Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"124d3a7e-1698-4d1e-b579-88e4aed4e514","input":{"auth":{"identity":"Bearer **** subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}}},"context":{"context_extensions":{"host":"3dd75e19cd66d310c30638e330078972afd6d2d96305f91055bc6a6f363fb8d3"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.134.0.27:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local",":method":"GET",":path":"/llm/facebook-opt-125m-simulated/v1/models",":scheme":"https","accept-encoding":"gzip","authorization":"Bearer **** sk-oai-17OCiicLhC16R2hQ4_1Ee5UBnJiVGLZ80ZR2tcB2Uq8BC9mYwhADXIpSyG0HB","user-agent":"Go-http-client/1.1","x-envoy-decorator-operation":"facebook-opt-125m-simulated-kserve-workload-svc.llm.svc.cluster.local:8000/*","x-envoy-external-address":"10.132.0.34","x-envoy-peer-metadata":"ChoKCkNMVVNURVJfSUQSDBoKS3ViZXJuZXRlcwqLAQoGTEFCRUxTEoABKn4KSwofc2VydmljZS5pc3Rpby5pby9jYW5vbmljYWwtbmFtZRIoGiZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAovCiNzZXJ2aWNlLmlzdGlvLmlvL2Nhbm9uaWNhbC1yZXZpc2lvbhIIGgZsYXRlc3QKQAoETkFNRRI4GjZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdC02ODdmZjY5OTYtOHNyZnMKIAoJTkFNRVNQQUNFEhMaEW9wZW5zaGlmdC1pbmdyZXNzCnQKBU9XTkVSEmsaaWt1YmVybmV0ZXM6Ly9hcGlzL2FwcHMvdjEvbmFtZXNwYWNlcy9vcGVuc2hpZnQtaW5ncmVzcy9kZXBsb3ltZW50cy9tYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAo5Cg1XT1JLTE9BRF9OQU1FEigaJm1hYXMtZGVmYXVsdC1nYXRld2F5LW9wZW5zaGlmdC1kZWZhdWx0","x-envoy-peer-metadata-id":"router~10.134.0.27~maas-default-gateway-openshift-default-687ff6996-8srfs.openshift-ingress~openshift-ingress.svc.cluster.local","x-forwarded-for":"10.132.0.34","x-forwarded-proto":"https","x-maas-subscription":"simulator-subscription","x-request-id":"124d3a7e-1698-4d1e-b579-88e4aed4e514"},"host":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local","id":"124d3a7e-1698-4d1e-b579-88e4aed4e514","method":"GET","path":"/llm/facebook-opt-125m-simulated/v1/models","protocol":"HTTP/1.1","scheme":"https","time":{"nanos":286216816,"seconds":1781134735},"url_path":"/llm/facebook-opt-125m-simulated/v1/models","user_agent":"Go-http-client/1.1"},"source":{"address":"10.132.0.34:36364","port":36364}}} {"level":"debug","ts":"2026-06-10T23:38:55Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"124d3a7e-1698-4d1e-b579-88e4aed4e514","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-10T23:38:55Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"124d3a7e-1698-4d1e-b579-88e4aed4e514","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-10T23:38:55Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"124d3a7e-1698-4d1e-b579-88e4aed4e514","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-10T23:38:55Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"124d3a7e-1698-4d1e-b579-88e4aed4e514","config":{"Name":"subscription-valid","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-10T23:38:55Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"124d3a7e-1698-4d1e-b579-88e4aed4e514","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-10T23:38:55Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"124d3a7e-1698-4d1e-b579-88e4aed4e514","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-10T23:38:55Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"124d3a7e-1698-4d1e-b579-88e4aed4e514","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"} {"level":"debug","ts":"2026-06-10T23:38:55Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"124d3a7e-1698-4d1e-b579-88e4aed4e514","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"selected_subscription","Value":{}},{"Name":"userid","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"groups","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"keyId","Value":{}}]},"Plain":null},"object":{"groups":["system:authenticated","Engineering","Project-Alpha"],"groups_str":"system:authenticated,Engineering,Project-Alpha","keyId":"0de8b5ef-9516-4b6b-9a7c-e21c62fbf3d0","selected_subscription":"simulator-subscription","selected_subscription_key":"models-as-a-service/simulator-subscription@llm/facebook-opt-125m-simulated","subscription_error":"","subscription_error_message":"","subscription_info":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true},"userid":"alice_lead"}} {"level":"info","ts":"2026-06-10T23:38:55Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"124d3a7e-1698-4d1e-b579-88e4aed4e514","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-10T23:38:55Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"124d3a7e-1698-4d1e-b579-88e4aed4e514","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-10T23:38:55Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"a1eaa5d3-e7c1-476b-a881-18463a9771cc","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.14:48558","PortSpecifier":{"PortValue":48558}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.27:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"a1eaa5d3-e7c1-476b-a881-18463a9771cc","method":"POST","path":"/llm/facebook-opt-125m-simulated/v1/chat/completions","host":"maas.apps.bf7c6015-b8b2-4c18-917d-bc2be0386b80.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-10T23:38:55Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"a1eaa5d3-e7c1-476b-a881-18463a9771cc","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.14:48558","PortSpecifier":{"PortValue":48558}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.27:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781134735,"nanos":320647821},"http":{"id":"a1eaa5d3-e7c1-476b-a881-18463a9771cc","method":"POST","headers":{":authority":"maas.apps.bf7c6015-b8b2-4c18-917d-bc2be0386b80.prod.konfluxeaas.com",":method":"POST",":path":"/llm/facebook-opt-125m-simulated/v1/chat/completions",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-10T23:38:55Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"a1eaa5d3-e7c1-476b-a881-18463a9771cc","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-17OCiicLhC16R2hQ4_1Ee5UBnJiVGLZ80ZR2tcB2Uq8BC9mYwhADXIpSyG0HB"} {"level":"debug","ts":"2026-06-10T23:38:55Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"a1eaa5d3-e7c1-476b-a881-18463a9771cc","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-17OCiicLhC16R2hQ4_1Ee5UBnJiVGLZ80ZR2tcB2Uq8BC9mYwhADXIpSyG0HB\"}"} {"level":"debug","ts":"2026-06-10T23:38:55Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"a1eaa5d3-e7c1-476b-a881-18463a9771cc","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-10T23:38:55Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"a1eaa5d3-e7c1-476b-a881-18463a9771cc","config":"subscription-info","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","headers":{"Content-Type":["application/json"]},"body":"{\"groups\":[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"],\"requestedModel\":\"llm/facebook-opt-125m-simulated\",\"requestedSubscription\":\"simulator-subscription\",\"username\":\"alice_lead\"}"} {"level":"debug","ts":"2026-06-10T23:38:55Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"a1eaa5d3-e7c1-476b-a881-18463a9771cc","config":{"Name":"subscription-info","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"UserInfo":null,"UMA":null,"GenericHTTP":{"Endpoint":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","DynamicEndpoint":null,"Method":"POST","Body":{},"Parameters":[],"Headers":[],"ContentType":"application/json","SharedSecret":"","OAuth2":null,"OAuth2TokenForceFetch":false,"AuthCredentials":null}},"object":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}} {"level":"debug","ts":"2026-06-10T23:38:55Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"a1eaa5d3-e7c1-476b-a881-18463a9771cc","input":{"auth":{"identity":"Bearer **** subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}}},"context":{"context_extensions":{"host":"18e32965997cdd9967355c6fa5264ed12c0a215989d459ed88d7d6de02865f76"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.134.0.27:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.bf7c6015-b8b2-4c18-917d-bc2be0386b80.prod.konfluxeaas.com",":method":"POST",":path":"/llm/facebook-opt-125m-simulated/v1/chat/completions",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-10T23:38:55Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"a1eaa5d3-e7c1-476b-a881-18463a9771cc","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-10T23:38:55Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"a1eaa5d3-e7c1-476b-a881-18463a9771cc","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-10T23:38:55Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"a1eaa5d3-e7c1-476b-a881-18463a9771cc","config":{"Name":"subscription-valid","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-10T23:38:55Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"a1eaa5d3-e7c1-476b-a881-18463a9771cc","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-10T23:38:55Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"a1eaa5d3-e7c1-476b-a881-18463a9771cc","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-10T23:38:55Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"a1eaa5d3-e7c1-476b-a881-18463a9771cc","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-10T23:38:55Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"a1eaa5d3-e7c1-476b-a881-18463a9771cc","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"} {"level":"debug","ts":"2026-06-10T23:38:55Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"a1eaa5d3-e7c1-476b-a881-18463a9771cc","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"subscription_info","Value":{}},{"Name":"groups","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"keyId","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"userid","Value":{}},{"Name":"subscription_error_message","Value":{}}]},"Plain":null},"object":{"groups":["system:authenticated","Engineering","Project-Alpha"],"groups_str":"system:authenticated,Engineering,Project-Alpha","keyId":"0de8b5ef-9516-4b6b-9a7c-e21c62fbf3d0","selected_subscription":"simulator-subscription","selected_subscription_key":"models-as-a-service/simulator-subscription@llm/facebook-opt-125m-simulated","subscription_error":"","subscription_error_message":"","subscription_info":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true},"userid":"alice_lead"}} {"level":"info","ts":"2026-06-10T23:38:55Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"a1eaa5d3-e7c1-476b-a881-18463a9771cc","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-10T23:38:55Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"a1eaa5d3-e7c1-476b-a881-18463a9771cc","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-10T23:38:55Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"aeb3d055-5fa1-4514-809d-df75e30b1bf8","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.14:48560","PortSpecifier":{"PortValue":48560}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.27:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"aeb3d055-5fa1-4514-809d-df75e30b1bf8","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.bf7c6015-b8b2-4c18-917d-bc2be0386b80.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-10T23:38:55Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"aeb3d055-5fa1-4514-809d-df75e30b1bf8","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.14:48560","PortSpecifier":{"PortValue":48560}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.27:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781134735,"nanos":472397080},"http":{"id":"aeb3d055-5fa1-4514-809d-df75e30b1bf8","method":"POST","headers":{":authority":"maas.apps.bf7c6015-b8b2-4c18-917d-bc2be0386b80.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-10T23:38:55Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"aeb3d055-5fa1-4514-809d-df75e30b1bf8","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781135035,"groups":["Engineering","Project-Alpha"],"iat":1781134735,"iss":"https://keycloak.apps.bf7c6015-b8b2-4c18-917d-bc2be0386b80.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:7936c7b8-7b84-1046-36c1-160455a3a9e2","preferred_username":"alice_lead","scope":"email profile","sid":"Ty6A0XcAaWsT5iYjUnPwZClu","sub":"77fa0416-5d00-49f1-b66c-b4ad39ad3060","typ":"Bearer"}} {"level":"debug","ts":"2026-06-10T23:38:55Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"aeb3d055-5fa1-4514-809d-df75e30b1bf8","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781135035,"groups":["Engineering","Project-Alpha"],"iat":1781134735,"iss":"https://keycloak.apps.bf7c6015-b8b2-4c18-917d-bc2be0386b80.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:7936c7b8-7b84-1046-36c1-160455a3a9e2","preferred_username":"alice_lead","scope":"email profile","sid":"Ty6A0XcAaWsT5iYjUnPwZClu","sub":"77fa0416-5d00-49f1-b66c-b4ad39ad3060","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.134.0.27:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.bf7c6015-b8b2-4c18-917d-bc2be0386b80.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-10T23:38:55Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"aeb3d055-5fa1-4514-809d-df75e30b1bf8","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-10T23:38:55Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"aeb3d055-5fa1-4514-809d-df75e30b1bf8","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-10T23:38:55Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"aeb3d055-5fa1-4514-809d-df75e30b1bf8","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-10T23:38:55Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"aeb3d055-5fa1-4514-809d-df75e30b1bf8","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"userid","Value":{}},{"Name":"groups","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription_key","Value":{}}]},"Plain":null},"reason":"no such key: metadata"} {"level":"debug","ts":"2026-06-10T23:38:55Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"aeb3d055-5fa1-4514-809d-df75e30b1bf8","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"} {"level":"debug","ts":"2026-06-10T23:38:55Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"aeb3d055-5fa1-4514-809d-df75e30b1bf8","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"} {"level":"info","ts":"2026-06-10T23:38:55Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"aeb3d055-5fa1-4514-809d-df75e30b1bf8","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-10T23:38:55Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"aeb3d055-5fa1-4514-809d-df75e30b1bf8","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-10T23:38:55Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"d39c53d1-a070-444d-8751-1bafda377343","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.14:48572","PortSpecifier":{"PortValue":48572}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.27:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"d39c53d1-a070-444d-8751-1bafda377343","method":"DELETE","path":"/maas-api/v1/api-keys/eaca0531-f509-4309-b608-49738e5f1570","host":"maas.apps.bf7c6015-b8b2-4c18-917d-bc2be0386b80.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-10T23:38:55Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"d39c53d1-a070-444d-8751-1bafda377343","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.14:48572","PortSpecifier":{"PortValue":48572}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.27:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781134735,"nanos":508278632},"http":{"id":"d39c53d1-a070-444d-8751-1bafda377343","method":"DELETE","headers":{":authority":"maas.apps.bf7c6015-b8b2-4c18-917d-bc2be0386b80.prod.konfluxeaas.com",":method":"DELETE",":path":"/maas-api/v1/api-keys/eaca0531-f509-4309-b608-49738e5f1570",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-10T23:38:55Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"d39c53d1-a070-444d-8751-1bafda377343","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781135035,"groups":["Engineering","Project-Alpha"],"iat":1781134735,"iss":"https://keycloak.apps.bf7c6015-b8b2-4c18-917d-bc2be0386b80.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:7936c7b8-7b84-1046-36c1-160455a3a9e2","preferred_username":"alice_lead","scope":"email profile","sid":"Ty6A0XcAaWsT5iYjUnPwZClu","sub":"77fa0416-5d00-49f1-b66c-b4ad39ad3060","typ":"Bearer"}} {"level":"debug","ts":"2026-06-10T23:38:55Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"d39c53d1-a070-444d-8751-1bafda377343","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781135035,"groups":["Engineering","Project-Alpha"],"iat":1781134735,"iss":"https://keycloak.apps.bf7c6015-b8b2-4c18-917d-bc2be0386b80.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:7936c7b8-7b84-1046-36c1-160455a3a9e2","preferred_username":"alice_lead","scope":"email profile","sid":"Ty6A0XcAaWsT5iYjUnPwZClu","sub":"77fa0416-5d00-49f1-b66c-b4ad39ad3060","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.134.0.27:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.bf7c6015-b8b2-4c18-917d-bc2be0386b80.prod.konfluxeaas.com",":method":"DELETE",":path":"/maas-api/v1/api-keys/eaca0531-f509-4309-b608-49738e5f1570",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-10T23:38:55Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"d39c53d1-a070-444d-8751-1bafda377343","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-10T23:38:55Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"d39c53d1-a070-444d-8751-1bafda377343","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-10T23:38:55Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"d39c53d1-a070-444d-8751-1bafda377343","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-10T23:38:55Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"d39c53d1-a070-444d-8751-1bafda377343","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"userid","Value":{}},{"Name":"groups","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription_key","Value":{}}]},"Plain":null},"reason":"no such key: metadata"} {"level":"debug","ts":"2026-06-10T23:38:55Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"d39c53d1-a070-444d-8751-1bafda377343","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"} {"level":"debug","ts":"2026-06-10T23:38:55Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"d39c53d1-a070-444d-8751-1bafda377343","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"} {"level":"info","ts":"2026-06-10T23:38:55Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"d39c53d1-a070-444d-8751-1bafda377343","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-10T23:38:55Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"d39c53d1-a070-444d-8751-1bafda377343","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-10T23:38:58Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"f12bf081-e1ad-4168-b603-f235e8d1cbd4","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.14:48586","PortSpecifier":{"PortValue":48586}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.27:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"f12bf081-e1ad-4168-b603-f235e8d1cbd4","method":"GET","path":"/maas-api/v1/models","host":"maas.apps.bf7c6015-b8b2-4c18-917d-bc2be0386b80.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-10T23:38:58Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"f12bf081-e1ad-4168-b603-f235e8d1cbd4","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.14:48586","PortSpecifier":{"PortValue":48586}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.27:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781134738,"nanos":541376194},"http":{"id":"f12bf081-e1ad-4168-b603-f235e8d1cbd4","method":"GET","headers":{":authority":"maas.apps.bf7c6015-b8b2-4c18-917d-bc2be0386b80.prod.konfluxeaas.com",":method":"GET",":path":"/maas-api/v1/models",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-10T23:38:58Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"f12bf081-e1ad-4168-b603-f235e8d1cbd4","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-CenR9QibfeYaJ0oQ_5mWiHhNfyURC0pIsUGTDCNz1wbjp9AvMl13nmsaPMlQ"} {"level":"debug","ts":"2026-06-10T23:38:58Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"f12bf081-e1ad-4168-b603-f235e8d1cbd4","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-CenR9QibfeYaJ0oQ_5mWiHhNfyURC0pIsUGTDCNz1wbjp9AvMl13nmsaPMlQ\"}"} {"level":"debug","ts":"2026-06-10T23:38:58Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"f12bf081-e1ad-4168-b603-f235e8d1cbd4","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** revoked or expired","valid":false}} {"level":"debug","ts":"2026-06-10T23:38:58Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"f12bf081-e1ad-4168-b603-f235e8d1cbd4","input":{"auth":{"identity":"Bearer **** revoked or expired","valid":false}}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.134.0.27:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.bf7c6015-b8b2-4c18-917d-bc2be0386b80.prod.konfluxeaas.com",":method":"GET",":path":"/maas-api/v1/models",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-10T23:38:58Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"f12bf081-e1ad-4168-b603-f235e8d1cbd4","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-10T23:38:58Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access denied","request id":"f12bf081-e1ad-4168-b603-f235e8d1cbd4","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"reason":"Unauthorized"} {"level":"info","ts":"2026-06-10T23:38:58Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"f12bf081-e1ad-4168-b603-f235e8d1cbd4","authorized":false,"response":"PERMISSION_DENIED","object":{"code":7,"status":403,"message":"Unauthorized"}} {"level":"debug","ts":"2026-06-10T23:38:58Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"f12bf081-e1ad-4168-b603-f235e8d1cbd4","authorized":false,"response":"PERMISSION_DENIED","object":{"code":7,"status":403,"message":"Unauthorized","headers":[{"content-type":"text/plain"},{"x-ext-auth-reason":""}]}} {"level":"info","ts":"2026-06-10T23:38:58Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"cd28fa82-1833-4976-86bf-c9d9d3d74b71","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.14:48592","PortSpecifier":{"PortValue":48592}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.27:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"cd28fa82-1833-4976-86bf-c9d9d3d74b71","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.bf7c6015-b8b2-4c18-917d-bc2be0386b80.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-10T23:38:58Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"cd28fa82-1833-4976-86bf-c9d9d3d74b71","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.14:48592","PortSpecifier":{"PortValue":48592}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.27:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781134738,"nanos":735842097},"http":{"id":"cd28fa82-1833-4976-86bf-c9d9d3d74b71","method":"POST","headers":{":authority":"maas.apps.bf7c6015-b8b2-4c18-917d-bc2be0386b80.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-10T23:38:58Z","logger":"authorino.service.auth.authpipeline.identity","msg":"cannot validate identity","request id":"cd28fa82-1833-4976-86bf-c9d9d3d74b71","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"reason":"failed to verify signature: failed to verify id token signature"} {"level":"debug","ts":"2026-06-10T23:38:58Z","logger":"authorino.service.auth.authpipeline.identity.kubernetesauth","msg":"calling kubernetes token review api","request id":"cd28fa82-1833-4976-86bf-c9d9d3d74b71","tokenreview":{"name":""}} {"level":"debug","ts":"2026-06-10T23:38:58Z","logger":"authorino.service.auth.authpipeline.identity","msg":"cannot validate identity","request id":"cd28fa82-1833-4976-86bf-c9d9d3d74b71","config":{"Name":"openshift-identities","Priority":2,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":null,"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"Plain":null,"Noop":null,"ExtendedProperties":[]},"reason":"not authenticated"} {"level":"info","ts":"2026-06-10T23:38:58Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"cd28fa82-1833-4976-86bf-c9d9d3d74b71","authorized":false,"response":"UNAUTHENTICATED","object":{"code":16,"status":401,"message":"Authentication required"}} {"level":"debug","ts":"2026-06-10T23:38:58Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"cd28fa82-1833-4976-86bf-c9d9d3d74b71","authorized":false,"response":"UNAUTHENTICATED","object":{"code":16,"status":401,"message":"Authentication required","headers":[{"WWW-Authenticate":"request.headers.authorization realm=\"api-keys\""},{"WWW-Authenticate":"Bearer **** realm=\"openshift-identities\""}]}} {"level":"info","ts":"2026-06-10T23:38:59Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"23475ddb-667d-457e-a7ed-eb5aee57fb06","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.14:48604","PortSpecifier":{"PortValue":48604}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.27:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"23475ddb-667d-457e-a7ed-eb5aee57fb06","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.bf7c6015-b8b2-4c18-917d-bc2be0386b80.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-10T23:38:59Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"23475ddb-667d-457e-a7ed-eb5aee57fb06","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.14:48604","PortSpecifier":{"PortValue":48604}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.27:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781134739,"nanos":9884796},"http":{"id":"23475ddb-667d-457e-a7ed-eb5aee57fb06","method":"POST","headers":{":authority":"maas.apps.bf7c6015-b8b2-4c18-917d-bc2be0386b80.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-10T23:38:59Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"23475ddb-667d-457e-a7ed-eb5aee57fb06","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781135038,"groups":["Engineering","Project-Alpha"],"iat":1781134738,"iss":"https://keycloak.apps.bf7c6015-b8b2-4c18-917d-bc2be0386b80.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:a99d1761-025b-024a-8ff2-9e5447256593","preferred_username":"alice_lead","scope":"email profile","sid":"n2qDn_LOqA4dld2pGG-8BlaD","sub":"77fa0416-5d00-49f1-b66c-b4ad39ad3060","typ":"Bearer"}} {"level":"debug","ts":"2026-06-10T23:38:59Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"23475ddb-667d-457e-a7ed-eb5aee57fb06","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781135038,"groups":["Engineering","Project-Alpha"],"iat":1781134738,"iss":"https://keycloak.apps.bf7c6015-b8b2-4c18-917d-bc2be0386b80.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:a99d1761-025b-024a-8ff2-9e5447256593","preferred_username":"alice_lead","scope":"email profile","sid":"n2qDn_LOqA4dld2pGG-8BlaD","sub":"77fa0416-5d00-49f1-b66c-b4ad39ad3060","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.134.0.27:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.bf7c6015-b8b2-4c18-917d-bc2be0386b80.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-10T23:38:59Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"23475ddb-667d-457e-a7ed-eb5aee57fb06","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-10T23:38:59Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"23475ddb-667d-457e-a7ed-eb5aee57fb06","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-10T23:38:59Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"23475ddb-667d-457e-a7ed-eb5aee57fb06","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-10T23:38:59Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"23475ddb-667d-457e-a7ed-eb5aee57fb06","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"userid","Value":{}},{"Name":"groups","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription_key","Value":{}}]},"Plain":null},"reason":"no such key: metadata"} {"level":"debug","ts":"2026-06-10T23:38:59Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"23475ddb-667d-457e-a7ed-eb5aee57fb06","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"} {"level":"debug","ts":"2026-06-10T23:38:59Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"23475ddb-667d-457e-a7ed-eb5aee57fb06","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"} {"level":"info","ts":"2026-06-10T23:38:59Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"23475ddb-667d-457e-a7ed-eb5aee57fb06","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-10T23:38:59Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"23475ddb-667d-457e-a7ed-eb5aee57fb06","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-10T23:38:59Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"5a9af18c-540f-4411-83ce-8ff6ad75e20d","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.14:48618","PortSpecifier":{"PortValue":48618}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.27:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"5a9af18c-540f-4411-83ce-8ff6ad75e20d","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.bf7c6015-b8b2-4c18-917d-bc2be0386b80.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-10T23:38:59Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"5a9af18c-540f-4411-83ce-8ff6ad75e20d","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.14:48618","PortSpecifier":{"PortValue":48618}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.27:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781134739,"nanos":43504929},"http":{"id":"5a9af18c-540f-4411-83ce-8ff6ad75e20d","method":"POST","headers":{":authority":"maas.apps.bf7c6015-b8b2-4c18-917d-bc2be0386b80.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-10T23:38:59Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"5a9af18c-540f-4411-83ce-8ff6ad75e20d","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781135038,"groups":["Site-Reliability"],"iat":1781134738,"iss":"https://keycloak.apps.bf7c6015-b8b2-4c18-917d-bc2be0386b80.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:bf137dad-0f36-1ce2-095b-3894ddd00355","preferred_username":"bob_sre","scope":"email profile","sid":"Nvwy5A5aWaNdymqVQB_q44lU","sub":"374393a2-cdb2-46aa-83c3-44363d03e9b6","typ":"Bearer"}} {"level":"debug","ts":"2026-06-10T23:38:59Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"5a9af18c-540f-4411-83ce-8ff6ad75e20d","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781135038,"groups":["Site-Reliability"],"iat":1781134738,"iss":"https://keycloak.apps.bf7c6015-b8b2-4c18-917d-bc2be0386b80.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:bf137dad-0f36-1ce2-095b-3894ddd00355","preferred_username":"bob_sre","scope":"email profile","sid":"Nvwy5A5aWaNdymqVQB_q44lU","sub":"374393a2-cdb2-46aa-83c3-44363d03e9b6","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.134.0.27:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.bf7c6015-b8b2-4c18-917d-bc2be0386b80.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-10T23:38:59Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"5a9af18c-540f-4411-83ce-8ff6ad75e20d","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-10T23:38:59Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"5a9af18c-540f-4411-83ce-8ff6ad75e20d","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-10T23:38:59Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"5a9af18c-540f-4411-83ce-8ff6ad75e20d","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-10T23:38:59Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"5a9af18c-540f-4411-83ce-8ff6ad75e20d","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"userid","Value":{}},{"Name":"groups","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription_key","Value":{}}]},"Plain":null},"reason":"no such key: metadata"} {"level":"debug","ts":"2026-06-10T23:38:59Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"5a9af18c-540f-4411-83ce-8ff6ad75e20d","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Site-Reliability\"]"} {"level":"debug","ts":"2026-06-10T23:38:59Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"5a9af18c-540f-4411-83ce-8ff6ad75e20d","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"bob_sre"} {"level":"info","ts":"2026-06-10T23:38:59Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"5a9af18c-540f-4411-83ce-8ff6ad75e20d","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-10T23:38:59Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"5a9af18c-540f-4411-83ce-8ff6ad75e20d","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-10T23:38:59Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"238140b4-158a-4729-af7a-aa7e6258a1ad","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.14:48630","PortSpecifier":{"PortValue":48630}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.27:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"238140b4-158a-4729-af7a-aa7e6258a1ad","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.bf7c6015-b8b2-4c18-917d-bc2be0386b80.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-10T23:38:59Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"238140b4-158a-4729-af7a-aa7e6258a1ad","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.14:48630","PortSpecifier":{"PortValue":48630}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.27:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781134739,"nanos":212498383},"http":{"id":"238140b4-158a-4729-af7a-aa7e6258a1ad","method":"POST","headers":{":authority":"maas.apps.bf7c6015-b8b2-4c18-917d-bc2be0386b80.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-10T23:38:59Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"238140b4-158a-4729-af7a-aa7e6258a1ad","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781135039,"groups":["Engineering","Project-Alpha"],"iat":1781134739,"iss":"https://keycloak.apps.bf7c6015-b8b2-4c18-917d-bc2be0386b80.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:43154272-3972-c963-c61f-a618b60ceb18","preferred_username":"alice_lead","scope":"email profile","sid":"I4z0FM8qMCAcsr87g3cUumna","sub":"77fa0416-5d00-49f1-b66c-b4ad39ad3060","typ":"Bearer"}} {"level":"debug","ts":"2026-06-10T23:38:59Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"238140b4-158a-4729-af7a-aa7e6258a1ad","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781135039,"groups":["Engineering","Project-Alpha"],"iat":1781134739,"iss":"https://keycloak.apps.bf7c6015-b8b2-4c18-917d-bc2be0386b80.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:43154272-3972-c963-c61f-a618b60ceb18","preferred_username":"alice_lead","scope":"email profile","sid":"I4z0FM8qMCAcsr87g3cUumna","sub":"77fa0416-5d00-49f1-b66c-b4ad39ad3060","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.134.0.27:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.bf7c6015-b8b2-4c18-917d-bc2be0386b80.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-10T23:38:59Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"238140b4-158a-4729-af7a-aa7e6258a1ad","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-10T23:38:59Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"238140b4-158a-4729-af7a-aa7e6258a1ad","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-10T23:38:59Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"238140b4-158a-4729-af7a-aa7e6258a1ad","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-10T23:38:59Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"238140b4-158a-4729-af7a-aa7e6258a1ad","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"userid","Value":{}},{"Name":"groups","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription_key","Value":{}}]},"Plain":null},"reason":"no such key: metadata"} {"level":"debug","ts":"2026-06-10T23:38:59Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"238140b4-158a-4729-af7a-aa7e6258a1ad","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"} {"level":"debug","ts":"2026-06-10T23:38:59Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"238140b4-158a-4729-af7a-aa7e6258a1ad","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"} {"level":"info","ts":"2026-06-10T23:38:59Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"238140b4-158a-4729-af7a-aa7e6258a1ad","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-10T23:38:59Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"238140b4-158a-4729-af7a-aa7e6258a1ad","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-10T23:38:59Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"fbe25881-fbfc-4d69-b304-44c3ca5c0915","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.14:48638","PortSpecifier":{"PortValue":48638}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.27:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"fbe25881-fbfc-4d69-b304-44c3ca5c0915","method":"DELETE","path":"/maas-api/v1/api-keys/54eeb301-f07d-4134-8d41-cc6ec5e2815e","host":"maas.apps.bf7c6015-b8b2-4c18-917d-bc2be0386b80.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-10T23:38:59Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"fbe25881-fbfc-4d69-b304-44c3ca5c0915","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.14:48638","PortSpecifier":{"PortValue":48638}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.27:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781134739,"nanos":242125166},"http":{"id":"fbe25881-fbfc-4d69-b304-44c3ca5c0915","method":"DELETE","headers":{":authority":"maas.apps.bf7c6015-b8b2-4c18-917d-bc2be0386b80.prod.konfluxeaas.com",":method":"DELETE",":path":"/maas-api/v1/api-keys/54eeb301-f07d-4134-8d41-cc6ec5e2815e",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-10T23:38:59Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"fbe25881-fbfc-4d69-b304-44c3ca5c0915","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781135039,"groups":["Engineering","Project-Alpha"],"iat":1781134739,"iss":"https://keycloak.apps.bf7c6015-b8b2-4c18-917d-bc2be0386b80.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:43154272-3972-c963-c61f-a618b60ceb18","preferred_username":"alice_lead","scope":"email profile","sid":"I4z0FM8qMCAcsr87g3cUumna","sub":"77fa0416-5d00-49f1-b66c-b4ad39ad3060","typ":"Bearer"}} {"level":"debug","ts":"2026-06-10T23:38:59Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"fbe25881-fbfc-4d69-b304-44c3ca5c0915","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781135039,"groups":["Engineering","Project-Alpha"],"iat":1781134739,"iss":"https://keycloak.apps.bf7c6015-b8b2-4c18-917d-bc2be0386b80.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:43154272-3972-c963-c61f-a618b60ceb18","preferred_username":"alice_lead","scope":"email profile","sid":"I4z0FM8qMCAcsr87g3cUumna","sub":"77fa0416-5d00-49f1-b66c-b4ad39ad3060","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.134.0.27:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.bf7c6015-b8b2-4c18-917d-bc2be0386b80.prod.konfluxeaas.com",":method":"DELETE",":path":"/maas-api/v1/api-keys/54eeb301-f07d-4134-8d41-cc6ec5e2815e",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-10T23:38:59Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"fbe25881-fbfc-4d69-b304-44c3ca5c0915","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-10T23:38:59Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"fbe25881-fbfc-4d69-b304-44c3ca5c0915","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-10T23:38:59Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"fbe25881-fbfc-4d69-b304-44c3ca5c0915","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-10T23:38:59Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"fbe25881-fbfc-4d69-b304-44c3ca5c0915","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"userid","Value":{}},{"Name":"groups","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription_key","Value":{}}]},"Plain":null},"reason":"no such key: metadata"} {"level":"debug","ts":"2026-06-10T23:38:59Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"fbe25881-fbfc-4d69-b304-44c3ca5c0915","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"} {"level":"debug","ts":"2026-06-10T23:38:59Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"fbe25881-fbfc-4d69-b304-44c3ca5c0915","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"} {"level":"info","ts":"2026-06-10T23:38:59Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"fbe25881-fbfc-4d69-b304-44c3ca5c0915","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-10T23:38:59Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"fbe25881-fbfc-4d69-b304-44c3ca5c0915","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-10T23:38:59Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"cc8ac7b4-2e0a-4292-b016-c5b43bfba76a","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.14:48646","PortSpecifier":{"PortValue":48646}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.27:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"cc8ac7b4-2e0a-4292-b016-c5b43bfba76a","method":"DELETE","path":"/maas-api/v1/api-keys/54eeb301-f07d-4134-8d41-cc6ec5e2815e","host":"maas.apps.bf7c6015-b8b2-4c18-917d-bc2be0386b80.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-10T23:38:59Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"cc8ac7b4-2e0a-4292-b016-c5b43bfba76a","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.14:48646","PortSpecifier":{"PortValue":48646}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.27:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781134739,"nanos":268874646},"http":{"id":"cc8ac7b4-2e0a-4292-b016-c5b43bfba76a","method":"DELETE","headers":{":authority":"maas.apps.bf7c6015-b8b2-4c18-917d-bc2be0386b80.prod.konfluxeaas.com",":method":"DELETE",":path":"/maas-api/v1/api-keys/54eeb301-f07d-4134-8d41-cc6ec5e2815e",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-10T23:38:59Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"cc8ac7b4-2e0a-4292-b016-c5b43bfba76a","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781135039,"groups":["Engineering","Project-Alpha"],"iat":1781134739,"iss":"https://keycloak.apps.bf7c6015-b8b2-4c18-917d-bc2be0386b80.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:43154272-3972-c963-c61f-a618b60ceb18","preferred_username":"alice_lead","scope":"email profile","sid":"I4z0FM8qMCAcsr87g3cUumna","sub":"77fa0416-5d00-49f1-b66c-b4ad39ad3060","typ":"Bearer"}} {"level":"debug","ts":"2026-06-10T23:38:59Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"cc8ac7b4-2e0a-4292-b016-c5b43bfba76a","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781135039,"groups":["Engineering","Project-Alpha"],"iat":1781134739,"iss":"https://keycloak.apps.bf7c6015-b8b2-4c18-917d-bc2be0386b80.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:43154272-3972-c963-c61f-a618b60ceb18","preferred_username":"alice_lead","scope":"email profile","sid":"I4z0FM8qMCAcsr87g3cUumna","sub":"77fa0416-5d00-49f1-b66c-b4ad39ad3060","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.134.0.27:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.bf7c6015-b8b2-4c18-917d-bc2be0386b80.prod.konfluxeaas.com",":method":"DELETE",":path":"/maas-api/v1/api-keys/54eeb301-f07d-4134-8d41-cc6ec5e2815e",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-10T23:38:59Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"cc8ac7b4-2e0a-4292-b016-c5b43bfba76a","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-10T23:38:59Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"cc8ac7b4-2e0a-4292-b016-c5b43bfba76a","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-10T23:38:59Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"cc8ac7b4-2e0a-4292-b016-c5b43bfba76a","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-10T23:38:59Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"cc8ac7b4-2e0a-4292-b016-c5b43bfba76a","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"userid","Value":{}},{"Name":"groups","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription_key","Value":{}}]},"Plain":null},"reason":"no such key: metadata"} {"level":"debug","ts":"2026-06-10T23:38:59Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"cc8ac7b4-2e0a-4292-b016-c5b43bfba76a","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"} {"level":"debug","ts":"2026-06-10T23:38:59Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"cc8ac7b4-2e0a-4292-b016-c5b43bfba76a","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"} {"level":"info","ts":"2026-06-10T23:38:59Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"cc8ac7b4-2e0a-4292-b016-c5b43bfba76a","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-10T23:38:59Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"cc8ac7b4-2e0a-4292-b016-c5b43bfba76a","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-10T23:38:59Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"44f8e8ea-57ec-49f5-9599-9cc78fd4b360","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.14:48652","PortSpecifier":{"PortValue":48652}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.27:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"44f8e8ea-57ec-49f5-9599-9cc78fd4b360","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.bf7c6015-b8b2-4c18-917d-bc2be0386b80.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-10T23:38:59Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"44f8e8ea-57ec-49f5-9599-9cc78fd4b360","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.14:48652","PortSpecifier":{"PortValue":48652}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.27:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781134739,"nanos":423040282},"http":{"id":"44f8e8ea-57ec-49f5-9599-9cc78fd4b360","method":"POST","headers":{":authority":"maas.apps.bf7c6015-b8b2-4c18-917d-bc2be0386b80.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-10T23:38:59Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"44f8e8ea-57ec-49f5-9599-9cc78fd4b360","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781135039,"groups":["Engineering","Project-Alpha"],"iat":1781134739,"iss":"https://keycloak.apps.bf7c6015-b8b2-4c18-917d-bc2be0386b80.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:bf297019-9de1-98f2-6d74-133f83296a22","preferred_username":"alice_lead","scope":"email profile","sid":"cAoQjAbWFEyj_v0_egeMZD4w","sub":"77fa0416-5d00-49f1-b66c-b4ad39ad3060","typ":"Bearer"}} {"level":"debug","ts":"2026-06-10T23:38:59Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"44f8e8ea-57ec-49f5-9599-9cc78fd4b360","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781135039,"groups":["Engineering","Project-Alpha"],"iat":1781134739,"iss":"https://keycloak.apps.bf7c6015-b8b2-4c18-917d-bc2be0386b80.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:bf297019-9de1-98f2-6d74-133f83296a22","preferred_username":"alice_lead","scope":"email profile","sid":"cAoQjAbWFEyj_v0_egeMZD4w","sub":"77fa0416-5d00-49f1-b66c-b4ad39ad3060","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.134.0.27:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.bf7c6015-b8b2-4c18-917d-bc2be0386b80.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-10T23:38:59Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"44f8e8ea-57ec-49f5-9599-9cc78fd4b360","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-10T23:38:59Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"44f8e8ea-57ec-49f5-9599-9cc78fd4b360","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-10T23:38:59Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"44f8e8ea-57ec-49f5-9599-9cc78fd4b360","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-10T23:38:59Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"44f8e8ea-57ec-49f5-9599-9cc78fd4b360","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"userid","Value":{}},{"Name":"groups","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription_key","Value":{}}]},"Plain":null},"reason":"no such key: metadata"} {"level":"debug","ts":"2026-06-10T23:38:59Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"44f8e8ea-57ec-49f5-9599-9cc78fd4b360","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"} {"level":"debug","ts":"2026-06-10T23:38:59Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"44f8e8ea-57ec-49f5-9599-9cc78fd4b360","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"} {"level":"info","ts":"2026-06-10T23:38:59Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"44f8e8ea-57ec-49f5-9599-9cc78fd4b360","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-10T23:38:59Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"44f8e8ea-57ec-49f5-9599-9cc78fd4b360","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-10T23:38:59Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"7f4875e8-7064-4402-a918-a99a5812e3a3","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.14:48666","PortSpecifier":{"PortValue":48666}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.27:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"7f4875e8-7064-4402-a918-a99a5812e3a3","method":"GET","path":"/maas-api/v1/models","host":"maas.apps.bf7c6015-b8b2-4c18-917d-bc2be0386b80.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-10T23:38:59Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"7f4875e8-7064-4402-a918-a99a5812e3a3","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.14:48666","PortSpecifier":{"PortValue":48666}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.27:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781134739,"nanos":451015313},"http":{"id":"7f4875e8-7064-4402-a918-a99a5812e3a3","method":"GET","headers":{":authority":"maas.apps.bf7c6015-b8b2-4c18-917d-bc2be0386b80.prod.konfluxeaas.com",":method":"GET",":path":"/maas-api/v1/models",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-10T23:38:59Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"7f4875e8-7064-4402-a918-a99a5812e3a3","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-1S8GFnVxA6eYYl9vr_o0vIO41eMdOxW6tcuoAfU51ZiOUx0d0Db7ffQm30tlU"} {"level":"debug","ts":"2026-06-10T23:38:59Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"7f4875e8-7064-4402-a918-a99a5812e3a3","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-1S8GFnVxA6eYYl9vr_o0vIO41eMdOxW6tcuoAfU51ZiOUx0d0Db7ffQm30tlU\"}"} {"level":"debug","ts":"2026-06-10T23:38:59Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"7f4875e8-7064-4402-a918-a99a5812e3a3","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-10T23:38:59Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"7f4875e8-7064-4402-a918-a99a5812e3a3","input":{"auth":{"identity":"Bearer **** deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-10T23:38:59Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"7f4875e8-7064-4402-a918-a99a5812e3a3","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-10T23:38:59Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"7f4875e8-7064-4402-a918-a99a5812e3a3","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-10T23:38:59Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"7f4875e8-7064-4402-a918-a99a5812e3a3","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-10T23:38:59Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"7f4875e8-7064-4402-a918-a99a5812e3a3","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-10T23:38:59Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"7f4875e8-7064-4402-a918-a99a5812e3a3","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-10T23:38:59Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"7f4875e8-7064-4402-a918-a99a5812e3a3","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"userid","Value":{}},{"Name":"groups","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription_key","Value":{}}]},"Plain":null},"reason":"no such key: subscription-info"} {"level":"debug","ts":"2026-06-10T23:38:59Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"7f4875e8-7064-4402-a918-a99a5812e3a3","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"} {"level":"info","ts":"2026-06-10T23:38:59Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"7f4875e8-7064-4402-a918-a99a5812e3a3","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-10T23:38:59Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"7f4875e8-7064-4402-a918-a99a5812e3a3","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-10T23:38:59Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"dc0f0ce8-460a-43a6-b089-d89410954cc2","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.34:36364","PortSpecifier":{"PortValue":36364}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.27:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"dc0f0ce8-460a-43a6-b089-d89410954cc2","method":"GET","path":"/llm/facebook-opt-125m-simulated/v1/models","host":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local","scheme":"https"}}}} {"level":"debug","ts":"2026-06-10T23:38:59Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"dc0f0ce8-460a-43a6-b089-d89410954cc2","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.34:36364","PortSpecifier":{"PortValue":36364}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.27:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781134739,"nanos":458481985},"http":{"id":"dc0f0ce8-460a-43a6-b089-d89410954cc2","method":"GET","headers":{":authority":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local",":method":"GET",":path":"/llm/facebook-opt-125m-simulated/v1/models",":scheme":"https","accept-encoding":"gzip","authorization":"Bearer **** {"level":"debug","ts":"2026-06-10T23:38:59Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"dc0f0ce8-460a-43a6-b089-d89410954cc2","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-1S8GFnVxA6eYYl9vr_o0vIO41eMdOxW6tcuoAfU51ZiOUx0d0Db7ffQm30tlU"} {"level":"debug","ts":"2026-06-10T23:38:59Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"dc0f0ce8-460a-43a6-b089-d89410954cc2","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-1S8GFnVxA6eYYl9vr_o0vIO41eMdOxW6tcuoAfU51ZiOUx0d0Db7ffQm30tlU\"}"} {"level":"debug","ts":"2026-06-10T23:38:59Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"dc0f0ce8-460a-43a6-b089-d89410954cc2","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-10T23:38:59Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"dc0f0ce8-460a-43a6-b089-d89410954cc2","config":"subscription-info","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","headers":{"Content-Type":["application/json"]},"body":"{\"groups\":[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"],\"requestedModel\":\"llm/facebook-opt-125m-simulated\",\"requestedSubscription\":\"simulator-subscription\",\"username\":\"alice_lead\"}"} {"level":"debug","ts":"2026-06-10T23:38:59Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"dc0f0ce8-460a-43a6-b089-d89410954cc2","config":{"Name":"subscription-info","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"UserInfo":null,"UMA":null,"GenericHTTP":{"Endpoint":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","DynamicEndpoint":null,"Method":"POST","Body":{},"Parameters":[],"Headers":[],"ContentType":"application/json","SharedSecret":"","OAuth2":null,"OAuth2TokenForceFetch":false,"AuthCredentials":null}},"object":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}} {"level":"debug","ts":"2026-06-10T23:38:59Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"dc0f0ce8-460a-43a6-b089-d89410954cc2","input":{"auth":{"identity":"Bearer **** subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}}},"context":{"context_extensions":{"host":"3dd75e19cd66d310c30638e330078972afd6d2d96305f91055bc6a6f363fb8d3"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.134.0.27:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local",":method":"GET",":path":"/llm/facebook-opt-125m-simulated/v1/models",":scheme":"https","accept-encoding":"gzip","authorization":"Bearer **** sk-oai-1S8GFnVxA6eYYl9vr_o0vIO41eMdOxW6tcuoAfU51ZiOUx0d0Db7ffQm30tlU","user-agent":"Go-http-client/1.1","x-envoy-decorator-operation":"facebook-opt-125m-simulated-kserve-workload-svc.llm.svc.cluster.local:8000/*","x-envoy-external-address":"10.132.0.34","x-envoy-peer-metadata":"ChoKCkNMVVNURVJfSUQSDBoKS3ViZXJuZXRlcwqLAQoGTEFCRUxTEoABKn4KSwofc2VydmljZS5pc3Rpby5pby9jYW5vbmljYWwtbmFtZRIoGiZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAovCiNzZXJ2aWNlLmlzdGlvLmlvL2Nhbm9uaWNhbC1yZXZpc2lvbhIIGgZsYXRlc3QKQAoETkFNRRI4GjZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdC02ODdmZjY5OTYtOHNyZnMKIAoJTkFNRVNQQUNFEhMaEW9wZW5zaGlmdC1pbmdyZXNzCnQKBU9XTkVSEmsaaWt1YmVybmV0ZXM6Ly9hcGlzL2FwcHMvdjEvbmFtZXNwYWNlcy9vcGVuc2hpZnQtaW5ncmVzcy9kZXBsb3ltZW50cy9tYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAo5Cg1XT1JLTE9BRF9OQU1FEigaJm1hYXMtZGVmYXVsdC1nYXRld2F5LW9wZW5zaGlmdC1kZWZhdWx0","x-envoy-peer-metadata-id":"router~10.134.0.27~maas-default-gateway-openshift-default-687ff6996-8srfs.openshift-ingress~openshift-ingress.svc.cluster.local","x-forwarded-for":"10.132.0.34","x-forwarded-proto":"https","x-maas-subscription":"simulator-subscription","x-request-id":"dc0f0ce8-460a-43a6-b089-d89410954cc2"},"host":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local","id":"dc0f0ce8-460a-43a6-b089-d89410954cc2","method":"GET","path":"/llm/facebook-opt-125m-simulated/v1/models","protocol":"HTTP/1.1","scheme":"https","time":{"nanos":458481985,"seconds":1781134739},"url_path":"/llm/facebook-opt-125m-simulated/v1/models","user_agent":"Go-http-client/1.1"},"source":{"address":"10.132.0.34:36364","port":36364}}} {"level":"debug","ts":"2026-06-10T23:38:59Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"dc0f0ce8-460a-43a6-b089-d89410954cc2","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-10T23:38:59Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"dc0f0ce8-460a-43a6-b089-d89410954cc2","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-10T23:38:59Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"dc0f0ce8-460a-43a6-b089-d89410954cc2","config":{"Name":"subscription-valid","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-10T23:38:59Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"dc0f0ce8-460a-43a6-b089-d89410954cc2","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-10T23:38:59Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"dc0f0ce8-460a-43a6-b089-d89410954cc2","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-10T23:38:59Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"dc0f0ce8-460a-43a6-b089-d89410954cc2","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-10T23:38:59Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"dc0f0ce8-460a-43a6-b089-d89410954cc2","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"} {"level":"debug","ts":"2026-06-10T23:38:59Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"dc0f0ce8-460a-43a6-b089-d89410954cc2","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"selected_subscription","Value":{}},{"Name":"userid","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"groups","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"keyId","Value":{}}]},"Plain":null},"object":{"groups":["system:authenticated","Engineering","Project-Alpha"],"groups_str":"system:authenticated,Engineering,Project-Alpha","keyId":"7a0407bf-f4ea-41d6-b817-63b6b8aaaa7d","selected_subscription":"simulator-subscription","selected_subscription_key":"models-as-a-service/simulator-subscription@llm/facebook-opt-125m-simulated","subscription_error":"","subscription_error_message":"","subscription_info":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true},"userid":"alice_lead"}} {"level":"info","ts":"2026-06-10T23:38:59Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"dc0f0ce8-460a-43a6-b089-d89410954cc2","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-10T23:38:59Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"dc0f0ce8-460a-43a6-b089-d89410954cc2","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-10T23:38:59Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"465d4115-a12b-4ea5-82da-21747aa3fb69","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.14:48668","PortSpecifier":{"PortValue":48668}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.27:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"465d4115-a12b-4ea5-82da-21747aa3fb69","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.bf7c6015-b8b2-4c18-917d-bc2be0386b80.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-10T23:38:59Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"465d4115-a12b-4ea5-82da-21747aa3fb69","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.14:48668","PortSpecifier":{"PortValue":48668}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.27:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781134739,"nanos":614734837},"http":{"id":"465d4115-a12b-4ea5-82da-21747aa3fb69","method":"POST","headers":{":authority":"maas.apps.bf7c6015-b8b2-4c18-917d-bc2be0386b80.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-10T23:38:59Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"465d4115-a12b-4ea5-82da-21747aa3fb69","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781135039,"groups":["Engineering","Project-Alpha"],"iat":1781134739,"iss":"https://keycloak.apps.bf7c6015-b8b2-4c18-917d-bc2be0386b80.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:933101f4-7272-67b5-da41-c1c3bcf4910b","preferred_username":"alice_lead","scope":"email profile","sid":"RgKbN_9WHyhY-TIP4m6FS3j3","sub":"77fa0416-5d00-49f1-b66c-b4ad39ad3060","typ":"Bearer"}} {"level":"debug","ts":"2026-06-10T23:38:59Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"465d4115-a12b-4ea5-82da-21747aa3fb69","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781135039,"groups":["Engineering","Project-Alpha"],"iat":1781134739,"iss":"https://keycloak.apps.bf7c6015-b8b2-4c18-917d-bc2be0386b80.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:933101f4-7272-67b5-da41-c1c3bcf4910b","preferred_username":"alice_lead","scope":"email profile","sid":"RgKbN_9WHyhY-TIP4m6FS3j3","sub":"77fa0416-5d00-49f1-b66c-b4ad39ad3060","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.134.0.27:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.bf7c6015-b8b2-4c18-917d-bc2be0386b80.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-10T23:38:59Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"465d4115-a12b-4ea5-82da-21747aa3fb69","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-10T23:38:59Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"465d4115-a12b-4ea5-82da-21747aa3fb69","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-10T23:38:59Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"465d4115-a12b-4ea5-82da-21747aa3fb69","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-10T23:38:59Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"465d4115-a12b-4ea5-82da-21747aa3fb69","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"userid","Value":{}},{"Name":"groups","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription_key","Value":{}}]},"Plain":null},"reason":"no such key: metadata"} {"level":"debug","ts":"2026-06-10T23:38:59Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"465d4115-a12b-4ea5-82da-21747aa3fb69","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"} {"level":"debug","ts":"2026-06-10T23:38:59Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"465d4115-a12b-4ea5-82da-21747aa3fb69","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"} {"level":"info","ts":"2026-06-10T23:38:59Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"465d4115-a12b-4ea5-82da-21747aa3fb69","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-10T23:38:59Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"465d4115-a12b-4ea5-82da-21747aa3fb69","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-10T23:38:59Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"afbd53a1-5764-4c05-bc81-5e8ea6ac3c48","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.14:48676","PortSpecifier":{"PortValue":48676}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.27:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"afbd53a1-5764-4c05-bc81-5e8ea6ac3c48","method":"GET","path":"/maas-api/v1/models","host":"maas.apps.bf7c6015-b8b2-4c18-917d-bc2be0386b80.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-10T23:38:59Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"afbd53a1-5764-4c05-bc81-5e8ea6ac3c48","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.14:48676","PortSpecifier":{"PortValue":48676}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.27:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781134739,"nanos":645270901},"http":{"id":"afbd53a1-5764-4c05-bc81-5e8ea6ac3c48","method":"GET","headers":{":authority":"maas.apps.bf7c6015-b8b2-4c18-917d-bc2be0386b80.prod.konfluxeaas.com",":method":"GET",":path":"/maas-api/v1/models",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-10T23:38:59Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"afbd53a1-5764-4c05-bc81-5e8ea6ac3c48","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-13j03GiQOwwoolsyt_4pT5EdBA7BVYTfi736qhXIhATMD6PNwiFXNcyhAt0hP"} {"level":"debug","ts":"2026-06-10T23:38:59Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"afbd53a1-5764-4c05-bc81-5e8ea6ac3c48","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-13j03GiQOwwoolsyt_4pT5EdBA7BVYTfi736qhXIhATMD6PNwiFXNcyhAt0hP\"}"} {"level":"debug","ts":"2026-06-10T23:38:59Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"afbd53a1-5764-4c05-bc81-5e8ea6ac3c48","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-10T23:38:59Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"afbd53a1-5764-4c05-bc81-5e8ea6ac3c48","input":{"auth":{"identity":"Bearer **** deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-10T23:38:59Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"afbd53a1-5764-4c05-bc81-5e8ea6ac3c48","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-10T23:38:59Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"afbd53a1-5764-4c05-bc81-5e8ea6ac3c48","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-10T23:38:59Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"afbd53a1-5764-4c05-bc81-5e8ea6ac3c48","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-10T23:38:59Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"afbd53a1-5764-4c05-bc81-5e8ea6ac3c48","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-10T23:38:59Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"afbd53a1-5764-4c05-bc81-5e8ea6ac3c48","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-10T23:38:59Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"afbd53a1-5764-4c05-bc81-5e8ea6ac3c48","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"userid","Value":{}},{"Name":"groups","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription_key","Value":{}}]},"Plain":null},"reason":"no such key: subscription-info"} {"level":"debug","ts":"2026-06-10T23:38:59Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"afbd53a1-5764-4c05-bc81-5e8ea6ac3c48","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"} {"level":"info","ts":"2026-06-10T23:38:59Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"afbd53a1-5764-4c05-bc81-5e8ea6ac3c48","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-10T23:38:59Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"afbd53a1-5764-4c05-bc81-5e8ea6ac3c48","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-10T23:38:59Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"d43e63b6-f908-4e7e-85b6-b3ff90687d86","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.14:48684","PortSpecifier":{"PortValue":48684}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.27:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"d43e63b6-f908-4e7e-85b6-b3ff90687d86","method":"GET","path":"/maas-api/v1/models","host":"maas.apps.bf7c6015-b8b2-4c18-917d-bc2be0386b80.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-10T23:38:59Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"d43e63b6-f908-4e7e-85b6-b3ff90687d86","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.14:48684","PortSpecifier":{"PortValue":48684}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.27:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781134739,"nanos":672234583},"http":{"id":"d43e63b6-f908-4e7e-85b6-b3ff90687d86","method":"GET","headers":{":authority":"maas.apps.bf7c6015-b8b2-4c18-917d-bc2be0386b80.prod.konfluxeaas.com",":method":"GET",":path":"/maas-api/v1/models",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-10T23:38:59Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"d43e63b6-f908-4e7e-85b6-b3ff90687d86","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-13j03GiQOwwoolsyt_4pT5EdBA7BVYTfi736qhXIhATMD6PNwiFXNcyhAt0hP"} {"level":"debug","ts":"2026-06-10T23:38:59Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"d43e63b6-f908-4e7e-85b6-b3ff90687d86","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-13j03GiQOwwoolsyt_4pT5EdBA7BVYTfi736qhXIhATMD6PNwiFXNcyhAt0hP\"}"} {"level":"debug","ts":"2026-06-10T23:38:59Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"d43e63b6-f908-4e7e-85b6-b3ff90687d86","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-10T23:38:59Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"d43e63b6-f908-4e7e-85b6-b3ff90687d86","input":{"auth":{"identity":"Bearer **** deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-10T23:38:59Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"d43e63b6-f908-4e7e-85b6-b3ff90687d86","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-10T23:38:59Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"d43e63b6-f908-4e7e-85b6-b3ff90687d86","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-10T23:38:59Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"d43e63b6-f908-4e7e-85b6-b3ff90687d86","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-10T23:38:59Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"d43e63b6-f908-4e7e-85b6-b3ff90687d86","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-10T23:38:59Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"d43e63b6-f908-4e7e-85b6-b3ff90687d86","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-10T23:38:59Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"d43e63b6-f908-4e7e-85b6-b3ff90687d86","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"userid","Value":{}},{"Name":"groups","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription_key","Value":{}}]},"Plain":null},"reason":"no such key: subscription-info"} {"level":"debug","ts":"2026-06-10T23:38:59Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"d43e63b6-f908-4e7e-85b6-b3ff90687d86","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"} {"level":"info","ts":"2026-06-10T23:38:59Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"d43e63b6-f908-4e7e-85b6-b3ff90687d86","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-10T23:38:59Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"d43e63b6-f908-4e7e-85b6-b3ff90687d86","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-10T23:38:59Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"cbccdcf2-9698-42d0-8656-630650522783","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.34:36364","PortSpecifier":{"PortValue":36364}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.27:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"cbccdcf2-9698-42d0-8656-630650522783","method":"GET","path":"/llm/facebook-opt-125m-simulated/v1/models","host":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local","scheme":"https"}}}} {"level":"debug","ts":"2026-06-10T23:38:59Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"cbccdcf2-9698-42d0-8656-630650522783","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.34:36364","PortSpecifier":{"PortValue":36364}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.27:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781134739,"nanos":679288409},"http":{"id":"cbccdcf2-9698-42d0-8656-630650522783","method":"GET","headers":{":authority":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local",":method":"GET",":path":"/llm/facebook-opt-125m-simulated/v1/models",":scheme":"https","accept-encoding":"gzip","authorization":"Bearer **** {"level":"debug","ts":"2026-06-10T23:38:59Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"cbccdcf2-9698-42d0-8656-630650522783","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-13j03GiQOwwoolsyt_4pT5EdBA7BVYTfi736qhXIhATMD6PNwiFXNcyhAt0hP"} {"level":"debug","ts":"2026-06-10T23:38:59Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"cbccdcf2-9698-42d0-8656-630650522783","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-13j03GiQOwwoolsyt_4pT5EdBA7BVYTfi736qhXIhATMD6PNwiFXNcyhAt0hP\"}"} {"level":"debug","ts":"2026-06-10T23:38:59Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"cbccdcf2-9698-42d0-8656-630650522783","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-10T23:38:59Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"cbccdcf2-9698-42d0-8656-630650522783","config":"subscription-info","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","headers":{"Content-Type":["application/json"]},"body":"{\"groups\":[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"],\"requestedModel\":\"llm/facebook-opt-125m-simulated\",\"requestedSubscription\":\"simulator-subscription\",\"username\":\"alice_lead\"}"} {"level":"debug","ts":"2026-06-10T23:38:59Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"cbccdcf2-9698-42d0-8656-630650522783","config":{"Name":"subscription-info","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"UserInfo":null,"UMA":null,"GenericHTTP":{"Endpoint":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","DynamicEndpoint":null,"Method":"POST","Body":{},"Parameters":[],"Headers":[],"ContentType":"application/json","SharedSecret":"","OAuth2":null,"OAuth2TokenForceFetch":false,"AuthCredentials":null}},"object":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}} {"level":"debug","ts":"2026-06-10T23:38:59Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"cbccdcf2-9698-42d0-8656-630650522783","input":{"auth":{"identity":"Bearer **** subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}}},"context":{"context_extensions":{"host":"3dd75e19cd66d310c30638e330078972afd6d2d96305f91055bc6a6f363fb8d3"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.134.0.27:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local",":method":"GET",":path":"/llm/facebook-opt-125m-simulated/v1/models",":scheme":"https","accept-encoding":"gzip","authorization":"Bearer **** sk-oai-13j03GiQOwwoolsyt_4pT5EdBA7BVYTfi736qhXIhATMD6PNwiFXNcyhAt0hP","user-agent":"Go-http-client/1.1","x-envoy-decorator-operation":"facebook-opt-125m-simulated-kserve-workload-svc.llm.svc.cluster.local:8000/*","x-envoy-external-address":"10.132.0.34","x-envoy-peer-metadata":"ChoKCkNMVVNURVJfSUQSDBoKS3ViZXJuZXRlcwqLAQoGTEFCRUxTEoABKn4KSwofc2VydmljZS5pc3Rpby5pby9jYW5vbmljYWwtbmFtZRIoGiZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAovCiNzZXJ2aWNlLmlzdGlvLmlvL2Nhbm9uaWNhbC1yZXZpc2lvbhIIGgZsYXRlc3QKQAoETkFNRRI4GjZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdC02ODdmZjY5OTYtOHNyZnMKIAoJTkFNRVNQQUNFEhMaEW9wZW5zaGlmdC1pbmdyZXNzCnQKBU9XTkVSEmsaaWt1YmVybmV0ZXM6Ly9hcGlzL2FwcHMvdjEvbmFtZXNwYWNlcy9vcGVuc2hpZnQtaW5ncmVzcy9kZXBsb3ltZW50cy9tYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAo5Cg1XT1JLTE9BRF9OQU1FEigaJm1hYXMtZGVmYXVsdC1nYXRld2F5LW9wZW5zaGlmdC1kZWZhdWx0","x-envoy-peer-metadata-id":"router~10.134.0.27~maas-default-gateway-openshift-default-687ff6996-8srfs.openshift-ingress~openshift-ingress.svc.cluster.local","x-forwarded-for":"10.132.0.34","x-forwarded-proto":"https","x-maas-subscription":"simulator-subscription","x-request-id":"cbccdcf2-9698-42d0-8656-630650522783"},"host":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local","id":"cbccdcf2-9698-42d0-8656-630650522783","method":"GET","path":"/llm/facebook-opt-125m-simulated/v1/models","protocol":"HTTP/1.1","scheme":"https","time":{"nanos":679288409,"seconds":1781134739},"url_path":"/llm/facebook-opt-125m-simulated/v1/models","user_agent":"Go-http-client/1.1"},"source":{"address":"10.132.0.34:36364","port":36364}}} {"level":"debug","ts":"2026-06-10T23:38:59Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"cbccdcf2-9698-42d0-8656-630650522783","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-10T23:38:59Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"cbccdcf2-9698-42d0-8656-630650522783","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-10T23:38:59Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"cbccdcf2-9698-42d0-8656-630650522783","config":{"Name":"subscription-valid","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-10T23:38:59Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"cbccdcf2-9698-42d0-8656-630650522783","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-10T23:38:59Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"cbccdcf2-9698-42d0-8656-630650522783","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-10T23:38:59Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"cbccdcf2-9698-42d0-8656-630650522783","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-10T23:38:59Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"cbccdcf2-9698-42d0-8656-630650522783","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"} {"level":"debug","ts":"2026-06-10T23:38:59Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"cbccdcf2-9698-42d0-8656-630650522783","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"selected_subscription","Value":{}},{"Name":"userid","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"groups","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"keyId","Value":{}}]},"Plain":null},"object":{"groups":["system:authenticated","Engineering","Project-Alpha"],"groups_str":"system:authenticated,Engineering,Project-Alpha","keyId":"239dc00f-9710-4175-a133-6b9887a65547","selected_subscription":"simulator-subscription","selected_subscription_key":"models-as-a-service/simulator-subscription@llm/facebook-opt-125m-simulated","subscription_error":"","subscription_error_message":"","subscription_info":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true},"userid":"alice_lead"}} {"level":"info","ts":"2026-06-10T23:38:59Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"cbccdcf2-9698-42d0-8656-630650522783","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-10T23:38:59Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"cbccdcf2-9698-42d0-8656-630650522783","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-10T23:38:59Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"399bbc6e-12fd-4c76-8ce9-2a9176754faa","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.14:48688","PortSpecifier":{"PortValue":48688}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.27:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"399bbc6e-12fd-4c76-8ce9-2a9176754faa","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.bf7c6015-b8b2-4c18-917d-bc2be0386b80.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-10T23:38:59Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"399bbc6e-12fd-4c76-8ce9-2a9176754faa","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.14:48688","PortSpecifier":{"PortValue":48688}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.27:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781134739,"nanos":837570250},"http":{"id":"399bbc6e-12fd-4c76-8ce9-2a9176754faa","method":"POST","headers":{":authority":"maas.apps.bf7c6015-b8b2-4c18-917d-bc2be0386b80.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-10T23:38:59Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"399bbc6e-12fd-4c76-8ce9-2a9176754faa","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781135039,"groups":["Engineering","Project-Alpha"],"iat":1781134739,"iss":"https://keycloak.apps.bf7c6015-b8b2-4c18-917d-bc2be0386b80.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:14c603c6-e0c9-1b0b-6451-f102d6472169","preferred_username":"alice_lead","scope":"email profile","sid":"7W71DDrs9nRx671fna2x7r_2","sub":"77fa0416-5d00-49f1-b66c-b4ad39ad3060","typ":"Bearer"}} {"level":"debug","ts":"2026-06-10T23:38:59Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"399bbc6e-12fd-4c76-8ce9-2a9176754faa","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781135039,"groups":["Engineering","Project-Alpha"],"iat":1781134739,"iss":"https://keycloak.apps.bf7c6015-b8b2-4c18-917d-bc2be0386b80.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:14c603c6-e0c9-1b0b-6451-f102d6472169","preferred_username":"alice_lead","scope":"email profile","sid":"7W71DDrs9nRx671fna2x7r_2","sub":"77fa0416-5d00-49f1-b66c-b4ad39ad3060","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.134.0.27:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.bf7c6015-b8b2-4c18-917d-bc2be0386b80.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-10T23:38:59Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"399bbc6e-12fd-4c76-8ce9-2a9176754faa","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-10T23:38:59Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"399bbc6e-12fd-4c76-8ce9-2a9176754faa","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-10T23:38:59Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"399bbc6e-12fd-4c76-8ce9-2a9176754faa","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-10T23:38:59Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"399bbc6e-12fd-4c76-8ce9-2a9176754faa","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"userid","Value":{}},{"Name":"groups","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription_key","Value":{}}]},"Plain":null},"reason":"no such key: metadata"} {"level":"debug","ts":"2026-06-10T23:38:59Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"399bbc6e-12fd-4c76-8ce9-2a9176754faa","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"} {"level":"debug","ts":"2026-06-10T23:38:59Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"399bbc6e-12fd-4c76-8ce9-2a9176754faa","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"} {"level":"info","ts":"2026-06-10T23:38:59Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"399bbc6e-12fd-4c76-8ce9-2a9176754faa","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-10T23:38:59Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"399bbc6e-12fd-4c76-8ce9-2a9176754faa","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-10T23:38:59Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"992f64e3-db19-9feb-b6d7-51a5aa55dd54","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.14:48700","PortSpecifier":{"PortValue":48700}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.27:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"992f64e3-db19-9feb-b6d7-51a5aa55dd54","method":"GET","path":"/maas-api/v1/models","host":"maas.apps.bf7c6015-b8b2-4c18-917d-bc2be0386b80.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-10T23:38:59Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"992f64e3-db19-9feb-b6d7-51a5aa55dd54","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.14:48700","PortSpecifier":{"PortValue":48700}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.27:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781134739,"nanos":866707572},"http":{"id":"992f64e3-db19-9feb-b6d7-51a5aa55dd54","method":"GET","headers":{":authority":"maas.apps.bf7c6015-b8b2-4c18-917d-bc2be0386b80.prod.konfluxeaas.com",":method":"GET",":path":"/maas-api/v1/models",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-10T23:38:59Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"992f64e3-db19-9feb-b6d7-51a5aa55dd54","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-lAJox39jXJVjYb23_MNPKKHdBb7V74Dd0JhFmi71Hi8w4wXheyfpAkPOwy5x"} {"level":"debug","ts":"2026-06-10T23:38:59Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"992f64e3-db19-9feb-b6d7-51a5aa55dd54","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-lAJox39jXJVjYb23_MNPKKHdBb7V74Dd0JhFmi71Hi8w4wXheyfpAkPOwy5x\"}"} {"level":"debug","ts":"2026-06-10T23:38:59Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"992f64e3-db19-9feb-b6d7-51a5aa55dd54","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-10T23:38:59Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"992f64e3-db19-9feb-b6d7-51a5aa55dd54","input":{"auth":{"identity":"Bearer **** deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-10T23:38:59Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"992f64e3-db19-9feb-b6d7-51a5aa55dd54","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-10T23:38:59Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"992f64e3-db19-9feb-b6d7-51a5aa55dd54","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-10T23:38:59Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"992f64e3-db19-9feb-b6d7-51a5aa55dd54","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-10T23:38:59Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"992f64e3-db19-9feb-b6d7-51a5aa55dd54","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-10T23:38:59Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"992f64e3-db19-9feb-b6d7-51a5aa55dd54","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-10T23:38:59Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"992f64e3-db19-9feb-b6d7-51a5aa55dd54","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"userid","Value":{}},{"Name":"groups","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription_key","Value":{}}]},"Plain":null},"reason":"no such key: subscription-info"} {"level":"debug","ts":"2026-06-10T23:38:59Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"992f64e3-db19-9feb-b6d7-51a5aa55dd54","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"} {"level":"info","ts":"2026-06-10T23:38:59Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"992f64e3-db19-9feb-b6d7-51a5aa55dd54","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-10T23:38:59Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"992f64e3-db19-9feb-b6d7-51a5aa55dd54","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-10T23:38:59Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"9f569fe2-7ec7-4fe7-a9fc-5792254c77d0","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.34:36364","PortSpecifier":{"PortValue":36364}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.27:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"9f569fe2-7ec7-4fe7-a9fc-5792254c77d0","method":"GET","path":"/llm/facebook-opt-125m-simulated/v1/models","host":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local","scheme":"https"}}}} {"level":"debug","ts":"2026-06-10T23:38:59Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"9f569fe2-7ec7-4fe7-a9fc-5792254c77d0","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.34:36364","PortSpecifier":{"PortValue":36364}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.27:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781134739,"nanos":873823967},"http":{"id":"9f569fe2-7ec7-4fe7-a9fc-5792254c77d0","method":"GET","headers":{":authority":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local",":method":"GET",":path":"/llm/facebook-opt-125m-simulated/v1/models",":scheme":"https","accept-encoding":"gzip","authorization":"Bearer **** {"level":"debug","ts":"2026-06-10T23:38:59Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"9f569fe2-7ec7-4fe7-a9fc-5792254c77d0","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-lAJox39jXJVjYb23_MNPKKHdBb7V74Dd0JhFmi71Hi8w4wXheyfpAkPOwy5x"} {"level":"debug","ts":"2026-06-10T23:38:59Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"9f569fe2-7ec7-4fe7-a9fc-5792254c77d0","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-lAJox39jXJVjYb23_MNPKKHdBb7V74Dd0JhFmi71Hi8w4wXheyfpAkPOwy5x\"}"} {"level":"debug","ts":"2026-06-10T23:38:59Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"9f569fe2-7ec7-4fe7-a9fc-5792254c77d0","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-10T23:38:59Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"9f569fe2-7ec7-4fe7-a9fc-5792254c77d0","config":"subscription-info","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","headers":{"Content-Type":["application/json"]},"body":"{\"groups\":[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"],\"requestedModel\":\"llm/facebook-opt-125m-simulated\",\"requestedSubscription\":\"simulator-subscription\",\"username\":\"alice_lead\"}"} {"level":"debug","ts":"2026-06-10T23:38:59Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"9f569fe2-7ec7-4fe7-a9fc-5792254c77d0","config":{"Name":"subscription-info","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"UserInfo":null,"UMA":null,"GenericHTTP":{"Endpoint":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","DynamicEndpoint":null,"Method":"POST","Body":{},"Parameters":[],"Headers":[],"ContentType":"application/json","SharedSecret":"","OAuth2":null,"OAuth2TokenForceFetch":false,"AuthCredentials":null}},"object":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}} {"level":"debug","ts":"2026-06-10T23:38:59Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"9f569fe2-7ec7-4fe7-a9fc-5792254c77d0","input":{"auth":{"identity":"Bearer **** subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}}},"context":{"context_extensions":{"host":"3dd75e19cd66d310c30638e330078972afd6d2d96305f91055bc6a6f363fb8d3"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.134.0.27:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local",":method":"GET",":path":"/llm/facebook-opt-125m-simulated/v1/models",":scheme":"https","accept-encoding":"gzip","authorization":"Bearer **** sk-oai-lAJox39jXJVjYb23_MNPKKHdBb7V74Dd0JhFmi71Hi8w4wXheyfpAkPOwy5x","user-agent":"Go-http-client/1.1","x-envoy-decorator-operation":"facebook-opt-125m-simulated-kserve-workload-svc.llm.svc.cluster.local:8000/*","x-envoy-external-address":"10.132.0.34","x-envoy-peer-metadata":"ChoKCkNMVVNURVJfSUQSDBoKS3ViZXJuZXRlcwqLAQoGTEFCRUxTEoABKn4KSwofc2VydmljZS5pc3Rpby5pby9jYW5vbmljYWwtbmFtZRIoGiZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAovCiNzZXJ2aWNlLmlzdGlvLmlvL2Nhbm9uaWNhbC1yZXZpc2lvbhIIGgZsYXRlc3QKQAoETkFNRRI4GjZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdC02ODdmZjY5OTYtOHNyZnMKIAoJTkFNRVNQQUNFEhMaEW9wZW5zaGlmdC1pbmdyZXNzCnQKBU9XTkVSEmsaaWt1YmVybmV0ZXM6Ly9hcGlzL2FwcHMvdjEvbmFtZXNwYWNlcy9vcGVuc2hpZnQtaW5ncmVzcy9kZXBsb3ltZW50cy9tYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAo5Cg1XT1JLTE9BRF9OQU1FEigaJm1hYXMtZGVmYXVsdC1nYXRld2F5LW9wZW5zaGlmdC1kZWZhdWx0","x-envoy-peer-metadata-id":"router~10.134.0.27~maas-default-gateway-openshift-default-687ff6996-8srfs.openshift-ingress~openshift-ingress.svc.cluster.local","x-forwarded-for":"10.132.0.34","x-forwarded-proto":"https","x-maas-subscription":"simulator-subscription","x-request-id":"9f569fe2-7ec7-4fe7-a9fc-5792254c77d0"},"host":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local","id":"9f569fe2-7ec7-4fe7-a9fc-5792254c77d0","method":"GET","path":"/llm/facebook-opt-125m-simulated/v1/models","protocol":"HTTP/1.1","scheme":"https","time":{"nanos":873823967,"seconds":1781134739},"url_path":"/llm/facebook-opt-125m-simulated/v1/models","user_agent":"Go-http-client/1.1"},"source":{"address":"10.132.0.34:36364","port":36364}}} {"level":"debug","ts":"2026-06-10T23:38:59Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"9f569fe2-7ec7-4fe7-a9fc-5792254c77d0","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-10T23:38:59Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"9f569fe2-7ec7-4fe7-a9fc-5792254c77d0","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-10T23:38:59Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"9f569fe2-7ec7-4fe7-a9fc-5792254c77d0","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-10T23:38:59Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"9f569fe2-7ec7-4fe7-a9fc-5792254c77d0","config":{"Name":"subscription-valid","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-10T23:38:59Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"9f569fe2-7ec7-4fe7-a9fc-5792254c77d0","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-10T23:38:59Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"9f569fe2-7ec7-4fe7-a9fc-5792254c77d0","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-10T23:38:59Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"9f569fe2-7ec7-4fe7-a9fc-5792254c77d0","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"} {"level":"debug","ts":"2026-06-10T23:38:59Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"9f569fe2-7ec7-4fe7-a9fc-5792254c77d0","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"selected_subscription","Value":{}},{"Name":"userid","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"groups","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"keyId","Value":{}}]},"Plain":null},"object":{"groups":["system:authenticated","Engineering","Project-Alpha"],"groups_str":"system:authenticated,Engineering,Project-Alpha","keyId":"c6790859-0de7-48e5-9d72-d5ca2d85fe67","selected_subscription":"simulator-subscription","selected_subscription_key":"models-as-a-service/simulator-subscription@llm/facebook-opt-125m-simulated","subscription_error":"","subscription_error_message":"","subscription_info":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true},"userid":"alice_lead"}} {"level":"info","ts":"2026-06-10T23:38:59Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"9f569fe2-7ec7-4fe7-a9fc-5792254c77d0","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-10T23:38:59Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"9f569fe2-7ec7-4fe7-a9fc-5792254c77d0","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-10T23:38:59Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"9a36f96d-2b58-474e-a76b-3b793c57a4e0","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.14:48710","PortSpecifier":{"PortValue":48710}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.27:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"9a36f96d-2b58-474e-a76b-3b793c57a4e0","method":"GET","path":"/maas-api/v1/models","host":"maas.apps.bf7c6015-b8b2-4c18-917d-bc2be0386b80.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-10T23:38:59Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"9a36f96d-2b58-474e-a76b-3b793c57a4e0","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.14:48710","PortSpecifier":{"PortValue":48710}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.27:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781134739,"nanos":906583776},"http":{"id":"9a36f96d-2b58-474e-a76b-3b793c57a4e0","method":"GET","headers":{":authority":"maas.apps.bf7c6015-b8b2-4c18-917d-bc2be0386b80.prod.konfluxeaas.com",":method":"GET",":path":"/maas-api/v1/models",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-10T23:38:59Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"9a36f96d-2b58-474e-a76b-3b793c57a4e0","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-lAJox39jXJVjYb23_MNPKKHdBb7V74Dd0JhFmi71Hi8w4wXheyfpAkPOwy5x"} {"level":"debug","ts":"2026-06-10T23:38:59Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"9a36f96d-2b58-474e-a76b-3b793c57a4e0","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-lAJox39jXJVjYb23_MNPKKHdBb7V74Dd0JhFmi71Hi8w4wXheyfpAkPOwy5x\"}"} {"level":"debug","ts":"2026-06-10T23:38:59Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"9a36f96d-2b58-474e-a76b-3b793c57a4e0","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-10T23:38:59Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"9a36f96d-2b58-474e-a76b-3b793c57a4e0","input":{"auth":{"identity":"Bearer **** deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-10T23:38:59Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"9a36f96d-2b58-474e-a76b-3b793c57a4e0","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-10T23:38:59Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"9a36f96d-2b58-474e-a76b-3b793c57a4e0","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-10T23:38:59Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"9a36f96d-2b58-474e-a76b-3b793c57a4e0","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-10T23:38:59Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"9a36f96d-2b58-474e-a76b-3b793c57a4e0","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-10T23:38:59Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"9a36f96d-2b58-474e-a76b-3b793c57a4e0","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-10T23:38:59Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"9a36f96d-2b58-474e-a76b-3b793c57a4e0","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"userid","Value":{}},{"Name":"groups","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription_key","Value":{}}]},"Plain":null},"reason":"no such key: subscription-info"} {"level":"debug","ts":"2026-06-10T23:38:59Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"9a36f96d-2b58-474e-a76b-3b793c57a4e0","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"} {"level":"info","ts":"2026-06-10T23:38:59Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"9a36f96d-2b58-474e-a76b-3b793c57a4e0","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-10T23:38:59Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"9a36f96d-2b58-474e-a76b-3b793c57a4e0","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-10T23:38:59Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"590e4c48-967b-49f0-82b8-f5fc10de84c9","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.34:36364","PortSpecifier":{"PortValue":36364}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.27:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"590e4c48-967b-49f0-82b8-f5fc10de84c9","method":"GET","path":"/llm/facebook-opt-125m-simulated/v1/models","host":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local","scheme":"https"}}}} {"level":"debug","ts":"2026-06-10T23:38:59Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"590e4c48-967b-49f0-82b8-f5fc10de84c9","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.34:36364","PortSpecifier":{"PortValue":36364}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.27:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781134739,"nanos":913372974},"http":{"id":"590e4c48-967b-49f0-82b8-f5fc10de84c9","method":"GET","headers":{":authority":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local",":method":"GET",":path":"/llm/facebook-opt-125m-simulated/v1/models",":scheme":"https","accept-encoding":"gzip","authorization":"Bearer **** {"level":"debug","ts":"2026-06-10T23:38:59Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"590e4c48-967b-49f0-82b8-f5fc10de84c9","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-lAJox39jXJVjYb23_MNPKKHdBb7V74Dd0JhFmi71Hi8w4wXheyfpAkPOwy5x"} {"level":"debug","ts":"2026-06-10T23:38:59Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"590e4c48-967b-49f0-82b8-f5fc10de84c9","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-lAJox39jXJVjYb23_MNPKKHdBb7V74Dd0JhFmi71Hi8w4wXheyfpAkPOwy5x\"}"} {"level":"debug","ts":"2026-06-10T23:38:59Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"590e4c48-967b-49f0-82b8-f5fc10de84c9","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-10T23:38:59Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"590e4c48-967b-49f0-82b8-f5fc10de84c9","config":"subscription-info","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","headers":{"Content-Type":["application/json"]},"body":"{\"groups\":[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"],\"requestedModel\":\"llm/facebook-opt-125m-simulated\",\"requestedSubscription\":\"simulator-subscription\",\"username\":\"alice_lead\"}"} {"level":"debug","ts":"2026-06-10T23:38:59Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"590e4c48-967b-49f0-82b8-f5fc10de84c9","config":{"Name":"subscription-info","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"UserInfo":null,"UMA":null,"GenericHTTP":{"Endpoint":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","DynamicEndpoint":null,"Method":"POST","Body":{},"Parameters":[],"Headers":[],"ContentType":"application/json","SharedSecret":"","OAuth2":null,"OAuth2TokenForceFetch":false,"AuthCredentials":null}},"object":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}} {"level":"debug","ts":"2026-06-10T23:38:59Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"590e4c48-967b-49f0-82b8-f5fc10de84c9","input":{"auth":{"identity":"Bearer **** subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}}},"context":{"context_extensions":{"host":"3dd75e19cd66d310c30638e330078972afd6d2d96305f91055bc6a6f363fb8d3"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.134.0.27:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local",":method":"GET",":path":"/llm/facebook-opt-125m-simulated/v1/models",":scheme":"https","accept-encoding":"gzip","authorization":"Bearer **** sk-oai-lAJox39jXJVjYb23_MNPKKHdBb7V74Dd0JhFmi71Hi8w4wXheyfpAkPOwy5x","user-agent":"Go-http-client/1.1","x-envoy-decorator-operation":"facebook-opt-125m-simulated-kserve-workload-svc.llm.svc.cluster.local:8000/*","x-envoy-external-address":"10.132.0.34","x-envoy-peer-metadata":"ChoKCkNMVVNURVJfSUQSDBoKS3ViZXJuZXRlcwqLAQoGTEFCRUxTEoABKn4KSwofc2VydmljZS5pc3Rpby5pby9jYW5vbmljYWwtbmFtZRIoGiZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAovCiNzZXJ2aWNlLmlzdGlvLmlvL2Nhbm9uaWNhbC1yZXZpc2lvbhIIGgZsYXRlc3QKQAoETkFNRRI4GjZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdC02ODdmZjY5OTYtOHNyZnMKIAoJTkFNRVNQQUNFEhMaEW9wZW5zaGlmdC1pbmdyZXNzCnQKBU9XTkVSEmsaaWt1YmVybmV0ZXM6Ly9hcGlzL2FwcHMvdjEvbmFtZXNwYWNlcy9vcGVuc2hpZnQtaW5ncmVzcy9kZXBsb3ltZW50cy9tYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAo5Cg1XT1JLTE9BRF9OQU1FEigaJm1hYXMtZGVmYXVsdC1nYXRld2F5LW9wZW5zaGlmdC1kZWZhdWx0","x-envoy-peer-metadata-id":"router~10.134.0.27~maas-default-gateway-openshift-default-687ff6996-8srfs.openshift-ingress~openshift-ingress.svc.cluster.local","x-forwarded-for":"10.132.0.34","x-forwarded-proto":"https","x-maas-subscription":"simulator-subscription","x-request-id":"590e4c48-967b-49f0-82b8-f5fc10de84c9"},"host":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local","id":"590e4c48-967b-49f0-82b8-f5fc10de84c9","method":"GET","path":"/llm/facebook-opt-125m-simulated/v1/models","protocol":"HTTP/1.1","scheme":"https","time":{"nanos":913372974,"seconds":1781134739},"url_path":"/llm/facebook-opt-125m-simulated/v1/models","user_agent":"Go-http-client/1.1"},"source":{"address":"10.132.0.34:36364","port":36364}}} {"level":"debug","ts":"2026-06-10T23:38:59Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"590e4c48-967b-49f0-82b8-f5fc10de84c9","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-10T23:38:59Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"590e4c48-967b-49f0-82b8-f5fc10de84c9","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-10T23:38:59Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"590e4c48-967b-49f0-82b8-f5fc10de84c9","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-10T23:38:59Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"590e4c48-967b-49f0-82b8-f5fc10de84c9","config":{"Name":"subscription-valid","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-10T23:38:59Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"590e4c48-967b-49f0-82b8-f5fc10de84c9","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-10T23:38:59Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"590e4c48-967b-49f0-82b8-f5fc10de84c9","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-10T23:38:59Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"590e4c48-967b-49f0-82b8-f5fc10de84c9","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"} {"level":"debug","ts":"2026-06-10T23:38:59Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"590e4c48-967b-49f0-82b8-f5fc10de84c9","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"selected_subscription","Value":{}},{"Name":"userid","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"groups","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"keyId","Value":{}}]},"Plain":null},"object":{"groups":["system:authenticated","Engineering","Project-Alpha"],"groups_str":"system:authenticated,Engineering,Project-Alpha","keyId":"c6790859-0de7-48e5-9d72-d5ca2d85fe67","selected_subscription":"simulator-subscription","selected_subscription_key":"models-as-a-service/simulator-subscription@llm/facebook-opt-125m-simulated","subscription_error":"","subscription_error_message":"","subscription_info":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true},"userid":"alice_lead"}} {"level":"info","ts":"2026-06-10T23:38:59Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"590e4c48-967b-49f0-82b8-f5fc10de84c9","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-10T23:38:59Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"590e4c48-967b-49f0-82b8-f5fc10de84c9","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-10T23:39:00Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"b9f790fe-b3ae-4edd-a66b-34d1a851468a","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.14:48720","PortSpecifier":{"PortValue":48720}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.27:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"b9f790fe-b3ae-4edd-a66b-34d1a851468a","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.bf7c6015-b8b2-4c18-917d-bc2be0386b80.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-10T23:39:00Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"b9f790fe-b3ae-4edd-a66b-34d1a851468a","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.14:48720","PortSpecifier":{"PortValue":48720}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.27:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781134740,"nanos":77777585},"http":{"id":"b9f790fe-b3ae-4edd-a66b-34d1a851468a","method":"POST","headers":{":authority":"maas.apps.bf7c6015-b8b2-4c18-917d-bc2be0386b80.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-10T23:39:00Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"b9f790fe-b3ae-4edd-a66b-34d1a851468a","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781135040,"groups":["Engineering","Project-Alpha"],"iat":1781134740,"iss":"https://keycloak.apps.bf7c6015-b8b2-4c18-917d-bc2be0386b80.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:7b6d24b8-cee0-73c0-98fa-c71837fd8656","preferred_username":"alice_lead","scope":"email profile","sid":"-sH1dQLJVYZ81gNHZjfbIB5Z","sub":"77fa0416-5d00-49f1-b66c-b4ad39ad3060","typ":"Bearer"}} {"level":"debug","ts":"2026-06-10T23:39:00Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"b9f790fe-b3ae-4edd-a66b-34d1a851468a","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781135040,"groups":["Engineering","Project-Alpha"],"iat":1781134740,"iss":"https://keycloak.apps.bf7c6015-b8b2-4c18-917d-bc2be0386b80.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:7b6d24b8-cee0-73c0-98fa-c71837fd8656","preferred_username":"alice_lead","scope":"email profile","sid":"-sH1dQLJVYZ81gNHZjfbIB5Z","sub":"77fa0416-5d00-49f1-b66c-b4ad39ad3060","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.134.0.27:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.bf7c6015-b8b2-4c18-917d-bc2be0386b80.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-10T23:39:00Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"b9f790fe-b3ae-4edd-a66b-34d1a851468a","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-10T23:39:00Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"b9f790fe-b3ae-4edd-a66b-34d1a851468a","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-10T23:39:00Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"b9f790fe-b3ae-4edd-a66b-34d1a851468a","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-10T23:39:00Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"b9f790fe-b3ae-4edd-a66b-34d1a851468a","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"userid","Value":{}},{"Name":"groups","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription_key","Value":{}}]},"Plain":null},"reason":"no such key: metadata"} {"level":"debug","ts":"2026-06-10T23:39:00Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"b9f790fe-b3ae-4edd-a66b-34d1a851468a","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"} {"level":"debug","ts":"2026-06-10T23:39:00Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"b9f790fe-b3ae-4edd-a66b-34d1a851468a","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"} {"level":"info","ts":"2026-06-10T23:39:00Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"b9f790fe-b3ae-4edd-a66b-34d1a851468a","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-10T23:39:00Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"b9f790fe-b3ae-4edd-a66b-34d1a851468a","authorized":true,"response":"OK"}