{"level":"info","ts":"2026-06-11T17:26:15Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/a89b0896df0d8cd430f1c81b6eb292ddc044daed393537d009a6330718f58d4b"}
{"level":"info","ts":"2026-06-11T17:26:15Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource de-indexed","authconfig":"kuadrant-system/2200947db0f3acc41dd3fca21efa06f90c57afddd36d719bdda2dc74a0bd0a11"}
{"level":"info","ts":"2026-06-11T17:26:15Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource de-indexed","authconfig":"kuadrant-system/3efb8e937aa19b5e0bdd0c3eb5b4ece33299385dcfc89205b8934853facbdcf0"}
{"level":"debug","ts":"2026-06-11T17:26:15Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/cc09b530b46a73b0d4ddb40e465580cff15db19d77e93e4903c9737647deeb1a","issuerUrl":"https://keycloak.apps.fb1fb2b1-e37d-43bb-a447-4e1b046d7a89.prod.konfluxeaas.com/realms/tenant-a"}
{"level":"info","ts":"2026-06-11T17:26:15Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"cc09b530b46a73b0d4ddb40e465580cff15db19d77e93e4903c9737647deeb1a","namespace":"kuadrant-system"}}
{"level":"debug","ts":"2026-06-11T17:26:15Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"18e32965997cdd9967355c6fa5264ed12c0a215989d459ed88d7d6de02865f76","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"True","lastTransitionTime":"2026-06-11T17:26:15Z","reason":"HostsLinked"},{"type":"Ready","status":"True","lastTransitionTime":"2026-06-11T17:26:15Z","reason":"Reconciled"}],"summary":{"ready":true,"hostsReady":["18e32965997cdd9967355c6fa5264ed12c0a215989d459ed88d7d6de02865f76"],"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":6,"festivalWristbandEnabled":false}}}
{"level":"info","ts":"2026-06-11T17:26:15Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/cc09b530b46a73b0d4ddb40e465580cff15db19d77e93e4903c9737647deeb1a"}
{"level":"debug","ts":"2026-06-11T17:26:15Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/18e32965997cdd9967355c6fa5264ed12c0a215989d459ed88d7d6de02865f76","issuerUrl":"https://keycloak.apps.fb1fb2b1-e37d-43bb-a447-4e1b046d7a89.prod.konfluxeaas.com/realms/tenant-a"}
{"level":"info","ts":"2026-06-11T17:26:15Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"18e32965997cdd9967355c6fa5264ed12c0a215989d459ed88d7d6de02865f76","namespace":"kuadrant-system"}}
{"level":"debug","ts":"2026-06-11T17:26:15Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"a89b0896df0d8cd430f1c81b6eb292ddc044daed393537d009a6330718f58d4b","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"True","lastTransitionTime":"2026-06-11T17:26:15Z","reason":"HostsLinked"},{"type":"Ready","status":"True","lastTransitionTime":"2026-06-11T17:26:15Z","reason":"Reconciled"}],"summary":{"ready":true,"hostsReady":["a89b0896df0d8cd430f1c81b6eb292ddc044daed393537d009a6330718f58d4b"],"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":6,"festivalWristbandEnabled":false}}}
{"level":"info","ts":"2026-06-11T17:26:15Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/18e32965997cdd9967355c6fa5264ed12c0a215989d459ed88d7d6de02865f76"}
{"level":"debug","ts":"2026-06-11T17:26:15Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/cc09b530b46a73b0d4ddb40e465580cff15db19d77e93e4903c9737647deeb1a","issuerUrl":"https://keycloak.apps.fb1fb2b1-e37d-43bb-a447-4e1b046d7a89.prod.konfluxeaas.com/realms/tenant-a"}
{"level":"info","ts":"2026-06-11T17:26:15Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"a89b0896df0d8cd430f1c81b6eb292ddc044daed393537d009a6330718f58d4b","namespace":"kuadrant-system"}}
{"level":"debug","ts":"2026-06-11T17:26:15Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"cc09b530b46a73b0d4ddb40e465580cff15db19d77e93e4903c9737647deeb1a","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"False","lastTransitionTime":"2026-06-11T17:26:15Z","reason":"HostsNotLinked","message":"No hosts linked to the resource"},{"type":"Ready","status":"False","lastTransitionTime":"2026-06-11T17:26:15Z","reason":"Reconciling"}],"summary":{"ready":false,"hostsReady":[],"numHostsReady":"0/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":6,"festivalWristbandEnabled":false}}}
{"level":"info","ts":"2026-06-11T17:26:15Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/cc09b530b46a73b0d4ddb40e465580cff15db19d77e93e4903c9737647deeb1a"}
{"level":"debug","ts":"2026-06-11T17:26:15Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/18e32965997cdd9967355c6fa5264ed12c0a215989d459ed88d7d6de02865f76","issuerUrl":"https://keycloak.apps.fb1fb2b1-e37d-43bb-a447-4e1b046d7a89.prod.konfluxeaas.com/realms/tenant-a"}
{"level":"info","ts":"2026-06-11T17:26:15Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"cc09b530b46a73b0d4ddb40e465580cff15db19d77e93e4903c9737647deeb1a","namespace":"kuadrant-system"}}
{"level":"debug","ts":"2026-06-11T17:26:15Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"18e32965997cdd9967355c6fa5264ed12c0a215989d459ed88d7d6de02865f76","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"False","lastTransitionTime":"2026-06-11T17:26:15Z","reason":"HostsNotLinked","message":"No hosts linked to the resource"},{"type":"Ready","status":"False","lastTransitionTime":"2026-06-11T17:26:15Z","reason":"Reconciling"}],"summary":{"ready":false,"hostsReady":[],"numHostsReady":"0/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":6,"festivalWristbandEnabled":false}}}
{"level":"info","ts":"2026-06-11T17:26:15Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"18e32965997cdd9967355c6fa5264ed12c0a215989d459ed88d7d6de02865f76","namespace":"kuadrant-system"}}
{"level":"debug","ts":"2026-06-11T17:26:15Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"a89b0896df0d8cd430f1c81b6eb292ddc044daed393537d009a6330718f58d4b","namespace":"kuadrant-system"}}
{"level":"debug","ts":"2026-06-11T17:26:15Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"cc09b530b46a73b0d4ddb40e465580cff15db19d77e93e4903c9737647deeb1a","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"True","lastTransitionTime":"2026-06-11T17:26:15Z","reason":"HostsLinked"},{"type":"Ready","status":"True","lastTransitionTime":"2026-06-11T17:26:15Z","reason":"Reconciled"}],"summary":{"ready":true,"hostsReady":["cc09b530b46a73b0d4ddb40e465580cff15db19d77e93e4903c9737647deeb1a"],"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":6,"festivalWristbandEnabled":false}}}
{"level":"info","ts":"2026-06-11T17:26:15Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/18e32965997cdd9967355c6fa5264ed12c0a215989d459ed88d7d6de02865f76"}
{"level":"debug","ts":"2026-06-11T17:26:15Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/a89b0896df0d8cd430f1c81b6eb292ddc044daed393537d009a6330718f58d4b","issuerUrl":"https://keycloak.apps.fb1fb2b1-e37d-43bb-a447-4e1b046d7a89.prod.konfluxeaas.com/realms/tenant-a"}
{"level":"info","ts":"2026-06-11T17:26:15Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"cc09b530b46a73b0d4ddb40e465580cff15db19d77e93e4903c9737647deeb1a","namespace":"kuadrant-system"}}
{"level":"debug","ts":"2026-06-11T17:26:15Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"18e32965997cdd9967355c6fa5264ed12c0a215989d459ed88d7d6de02865f76","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"True","lastTransitionTime":"2026-06-11T17:26:15Z","reason":"HostsLinked"},{"type":"Ready","status":"True","lastTransitionTime":"2026-06-11T17:26:15Z","reason":"Reconciled"}],"summary":{"ready":true,"hostsReady":["18e32965997cdd9967355c6fa5264ed12c0a215989d459ed88d7d6de02865f76"],"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":6,"festivalWristbandEnabled":false}}}
{"level":"info","ts":"2026-06-11T17:26:15Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/a89b0896df0d8cd430f1c81b6eb292ddc044daed393537d009a6330718f58d4b"}
{"level":"debug","ts":"2026-06-11T17:26:15Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/cc09b530b46a73b0d4ddb40e465580cff15db19d77e93e4903c9737647deeb1a","issuerUrl":"https://keycloak.apps.fb1fb2b1-e37d-43bb-a447-4e1b046d7a89.prod.konfluxeaas.com/realms/tenant-a"}
{"level":"info","ts":"2026-06-11T17:26:15Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"18e32965997cdd9967355c6fa5264ed12c0a215989d459ed88d7d6de02865f76","namespace":"kuadrant-system"}}
{"level":"debug","ts":"2026-06-11T17:26:15Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"cc09b530b46a73b0d4ddb40e465580cff15db19d77e93e4903c9737647deeb1a","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"False","lastTransitionTime":"2026-06-11T17:26:15Z","reason":"HostsNotLinked","message":"No hosts linked to the resource"},{"type":"Ready","status":"False","lastTransitionTime":"2026-06-11T17:26:15Z","reason":"Reconciling"}],"summary":{"ready":false,"hostsReady":[],"numHostsReady":"0/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":6,"festivalWristbandEnabled":false}}}
{"level":"info","ts":"2026-06-11T17:26:15Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/cc09b530b46a73b0d4ddb40e465580cff15db19d77e93e4903c9737647deeb1a"}
{"level":"debug","ts":"2026-06-11T17:26:15Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/18e32965997cdd9967355c6fa5264ed12c0a215989d459ed88d7d6de02865f76","issuerUrl":"https://keycloak.apps.fb1fb2b1-e37d-43bb-a447-4e1b046d7a89.prod.konfluxeaas.com/realms/tenant-a"}
{"level":"info","ts":"2026-06-11T17:26:15Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"cc09b530b46a73b0d4ddb40e465580cff15db19d77e93e4903c9737647deeb1a","namespace":"kuadrant-system"}}
{"level":"debug","ts":"2026-06-11T17:26:15Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"18e32965997cdd9967355c6fa5264ed12c0a215989d459ed88d7d6de02865f76","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"False","lastTransitionTime":"2026-06-11T17:26:15Z","reason":"HostsNotLinked","message":"No hosts linked to the resource"},{"type":"Ready","status":"False","lastTransitionTime":"2026-06-11T17:26:15Z","reason":"Reconciling"}],"summary":{"ready":false,"hostsReady":[],"numHostsReady":"0/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":6,"festivalWristbandEnabled":false}}}
{"level":"info","ts":"2026-06-11T17:26:15Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/18e32965997cdd9967355c6fa5264ed12c0a215989d459ed88d7d6de02865f76"}
{"level":"debug","ts":"2026-06-11T17:26:15Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/cc09b530b46a73b0d4ddb40e465580cff15db19d77e93e4903c9737647deeb1a","issuerUrl":"https://keycloak.apps.fb1fb2b1-e37d-43bb-a447-4e1b046d7a89.prod.konfluxeaas.com/realms/tenant-a"}
{"level":"info","ts":"2026-06-11T17:26:15Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"18e32965997cdd9967355c6fa5264ed12c0a215989d459ed88d7d6de02865f76","namespace":"kuadrant-system"}}
{"level":"debug","ts":"2026-06-11T17:26:15Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"cc09b530b46a73b0d4ddb40e465580cff15db19d77e93e4903c9737647deeb1a","namespace":"kuadrant-system"}}
{"level":"debug","ts":"2026-06-11T17:26:15Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"18e32965997cdd9967355c6fa5264ed12c0a215989d459ed88d7d6de02865f76","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"True","lastTransitionTime":"2026-06-11T17:26:15Z","reason":"HostsLinked"},{"type":"Ready","status":"True","lastTransitionTime":"2026-06-11T17:26:15Z","reason":"Reconciled"}],"summary":{"ready":true,"hostsReady":["18e32965997cdd9967355c6fa5264ed12c0a215989d459ed88d7d6de02865f76"],"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":6,"festivalWristbandEnabled":false}}}
{"level":"info","ts":"2026-06-11T17:26:15Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/cc09b530b46a73b0d4ddb40e465580cff15db19d77e93e4903c9737647deeb1a"}
{"level":"debug","ts":"2026-06-11T17:26:15Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/18e32965997cdd9967355c6fa5264ed12c0a215989d459ed88d7d6de02865f76","issuerUrl":"https://keycloak.apps.fb1fb2b1-e37d-43bb-a447-4e1b046d7a89.prod.konfluxeaas.com/realms/tenant-a"}
{"level":"info","ts":"2026-06-11T17:26:15Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"18e32965997cdd9967355c6fa5264ed12c0a215989d459ed88d7d6de02865f76","namespace":"kuadrant-system"}}
{"level":"debug","ts":"2026-06-11T17:26:15Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"cc09b530b46a73b0d4ddb40e465580cff15db19d77e93e4903c9737647deeb1a","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"True","lastTransitionTime":"2026-06-11T17:26:15Z","reason":"HostsLinked"},{"type":"Ready","status":"True","lastTransitionTime":"2026-06-11T17:26:15Z","reason":"Reconciled"}],"summary":{"ready":true,"hostsReady":["cc09b530b46a73b0d4ddb40e465580cff15db19d77e93e4903c9737647deeb1a"],"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":6,"festivalWristbandEnabled":false}}}
{"level":"info","ts":"2026-06-11T17:26:15Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/18e32965997cdd9967355c6fa5264ed12c0a215989d459ed88d7d6de02865f76"}
{"level":"debug","ts":"2026-06-11T17:26:15Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/18e32965997cdd9967355c6fa5264ed12c0a215989d459ed88d7d6de02865f76","issuerUrl":"https://keycloak.apps.fb1fb2b1-e37d-43bb-a447-4e1b046d7a89.prod.konfluxeaas.com/realms/tenant-a"}
{"level":"info","ts":"2026-06-11T17:26:15Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"cc09b530b46a73b0d4ddb40e465580cff15db19d77e93e4903c9737647deeb1a","namespace":"kuadrant-system"}}
{"level":"debug","ts":"2026-06-11T17:26:15Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"18e32965997cdd9967355c6fa5264ed12c0a215989d459ed88d7d6de02865f76","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"False","lastTransitionTime":"2026-06-11T17:26:15Z","reason":"HostsNotLinked","message":"No hosts linked to the resource"},{"type":"Ready","status":"False","lastTransitionTime":"2026-06-11T17:26:15Z","reason":"Reconciling"}],"summary":{"ready":false,"hostsReady":[],"numHostsReady":"0/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":6,"festivalWristbandEnabled":false}}}
{"level":"info","ts":"2026-06-11T17:26:15Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/18e32965997cdd9967355c6fa5264ed12c0a215989d459ed88d7d6de02865f76"}
{"level":"debug","ts":"2026-06-11T17:26:15Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/cc09b530b46a73b0d4ddb40e465580cff15db19d77e93e4903c9737647deeb1a","issuerUrl":"https://keycloak.apps.fb1fb2b1-e37d-43bb-a447-4e1b046d7a89.prod.konfluxeaas.com/realms/tenant-a"}
{"level":"info","ts":"2026-06-11T17:26:15Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/cc09b530b46a73b0d4ddb40e465580cff15db19d77e93e4903c9737647deeb1a"}
{"level":"info","ts":"2026-06-11T17:26:15Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"18e32965997cdd9967355c6fa5264ed12c0a215989d459ed88d7d6de02865f76","namespace":"kuadrant-system"}}
{"level":"debug","ts":"2026-06-11T17:26:15Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"cc09b530b46a73b0d4ddb40e465580cff15db19d77e93e4903c9737647deeb1a","namespace":"kuadrant-system"}}
{"level":"debug","ts":"2026-06-11T17:26:15Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"18e32965997cdd9967355c6fa5264ed12c0a215989d459ed88d7d6de02865f76","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"True","lastTransitionTime":"2026-06-11T17:26:15Z","reason":"HostsLinked"},{"type":"Ready","status":"True","lastTransitionTime":"2026-06-11T17:26:15Z","reason":"Reconciled"}],"summary":{"ready":true,"hostsReady":["18e32965997cdd9967355c6fa5264ed12c0a215989d459ed88d7d6de02865f76"],"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":6,"festivalWristbandEnabled":false}}}
{"level":"debug","ts":"2026-06-11T17:26:15Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/18e32965997cdd9967355c6fa5264ed12c0a215989d459ed88d7d6de02865f76","issuerUrl":"https://keycloak.apps.fb1fb2b1-e37d-43bb-a447-4e1b046d7a89.prod.konfluxeaas.com/realms/tenant-a"}
{"level":"info","ts":"2026-06-11T17:26:15Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/18e32965997cdd9967355c6fa5264ed12c0a215989d459ed88d7d6de02865f76"}
{"level":"info","ts":"2026-06-11T17:26:15Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"18e32965997cdd9967355c6fa5264ed12c0a215989d459ed88d7d6de02865f76","namespace":"kuadrant-system"}}
{"level":"debug","ts":"2026-06-11T17:26:15Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"18e32965997cdd9967355c6fa5264ed12c0a215989d459ed88d7d6de02865f76","namespace":"kuadrant-system"}}
{"level":"debug","ts":"2026-06-11T17:26:15Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"18e32965997cdd9967355c6fa5264ed12c0a215989d459ed88d7d6de02865f76","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"False","lastTransitionTime":"2026-06-11T17:26:15Z","reason":"HostsNotLinked","message":"No hosts linked to the resource"},{"type":"Ready","status":"False","lastTransitionTime":"2026-06-11T17:26:15Z","reason":"Reconciling"}],"summary":{"ready":false,"hostsReady":[],"numHostsReady":"0/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":6,"festivalWristbandEnabled":false}}}
{"level":"debug","ts":"2026-06-11T17:26:15Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/18e32965997cdd9967355c6fa5264ed12c0a215989d459ed88d7d6de02865f76","issuerUrl":"https://keycloak.apps.fb1fb2b1-e37d-43bb-a447-4e1b046d7a89.prod.konfluxeaas.com/realms/tenant-a"}
{"level":"info","ts":"2026-06-11T17:26:15Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/18e32965997cdd9967355c6fa5264ed12c0a215989d459ed88d7d6de02865f76"}
{"level":"info","ts":"2026-06-11T17:26:15Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"18e32965997cdd9967355c6fa5264ed12c0a215989d459ed88d7d6de02865f76","namespace":"kuadrant-system"}}
{"level":"debug","ts":"2026-06-11T17:26:15Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"18e32965997cdd9967355c6fa5264ed12c0a215989d459ed88d7d6de02865f76","namespace":"kuadrant-system"}}
{"level":"debug","ts":"2026-06-11T17:26:15Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"18e32965997cdd9967355c6fa5264ed12c0a215989d459ed88d7d6de02865f76","namespace":"kuadrant-system"}}
{"level":"debug","ts":"2026-06-11T17:26:15Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/18e32965997cdd9967355c6fa5264ed12c0a215989d459ed88d7d6de02865f76","issuerUrl":"https://keycloak.apps.fb1fb2b1-e37d-43bb-a447-4e1b046d7a89.prod.konfluxeaas.com/realms/tenant-a"}
{"level":"debug","ts":"2026-06-11T17:26:15Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"18e32965997cdd9967355c6fa5264ed12c0a215989d459ed88d7d6de02865f76","namespace":"kuadrant-system"}}
{"level":"debug","ts":"2026-06-11T17:26:15Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"18e32965997cdd9967355c6fa5264ed12c0a215989d459ed88d7d6de02865f76","namespace":"kuadrant-system"}}
{"level":"info","ts":"2026-06-11T17:26:15Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/18e32965997cdd9967355c6fa5264ed12c0a215989d459ed88d7d6de02865f76"}
{"level":"debug","ts":"2026-06-11T17:26:15Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"18e32965997cdd9967355c6fa5264ed12c0a215989d459ed88d7d6de02865f76","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"True","lastTransitionTime":"2026-06-11T17:26:15Z","reason":"HostsLinked"},{"type":"Ready","status":"True","lastTransitionTime":"2026-06-11T17:26:15Z","reason":"Reconciled"}],"summary":{"ready":true,"hostsReady":["18e32965997cdd9967355c6fa5264ed12c0a215989d459ed88d7d6de02865f76"],"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":6,"festivalWristbandEnabled":false}}}
{"level":"info","ts":"2026-06-11T17:26:15Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"18e32965997cdd9967355c6fa5264ed12c0a215989d459ed88d7d6de02865f76","namespace":"kuadrant-system"}}
{"level":"debug","ts":"2026-06-11T17:26:15Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"18e32965997cdd9967355c6fa5264ed12c0a215989d459ed88d7d6de02865f76","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"False","lastTransitionTime":"2026-06-11T17:26:15Z","reason":"HostsNotLinked","message":"No hosts linked to the resource"},{"type":"Ready","status":"False","lastTransitionTime":"2026-06-11T17:26:15Z","reason":"Reconciling"}],"summary":{"ready":false,"hostsReady":[],"numHostsReady":"0/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":6,"festivalWristbandEnabled":false}}}
{"level":"debug","ts":"2026-06-11T17:26:15Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/18e32965997cdd9967355c6fa5264ed12c0a215989d459ed88d7d6de02865f76","issuerUrl":"https://keycloak.apps.fb1fb2b1-e37d-43bb-a447-4e1b046d7a89.prod.konfluxeaas.com/realms/tenant-a"}
{"level":"info","ts":"2026-06-11T17:26:15Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/18e32965997cdd9967355c6fa5264ed12c0a215989d459ed88d7d6de02865f76"}
{"level":"info","ts":"2026-06-11T17:26:15Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"18e32965997cdd9967355c6fa5264ed12c0a215989d459ed88d7d6de02865f76","namespace":"kuadrant-system"}}
{"level":"debug","ts":"2026-06-11T17:26:15Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"18e32965997cdd9967355c6fa5264ed12c0a215989d459ed88d7d6de02865f76","namespace":"kuadrant-system"}}
{"level":"debug","ts":"2026-06-11T17:26:15Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/18e32965997cdd9967355c6fa5264ed12c0a215989d459ed88d7d6de02865f76","issuerUrl":"https://keycloak.apps.fb1fb2b1-e37d-43bb-a447-4e1b046d7a89.prod.konfluxeaas.com/realms/tenant-a"}
{"level":"debug","ts":"2026-06-11T17:26:15Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"18e32965997cdd9967355c6fa5264ed12c0a215989d459ed88d7d6de02865f76","namespace":"kuadrant-system"}}
{"level":"info","ts":"2026-06-11T17:26:15Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/18e32965997cdd9967355c6fa5264ed12c0a215989d459ed88d7d6de02865f76"}
{"level":"debug","ts":"2026-06-11T17:26:15Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"18e32965997cdd9967355c6fa5264ed12c0a215989d459ed88d7d6de02865f76","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"True","lastTransitionTime":"2026-06-11T17:26:15Z","reason":"HostsLinked"},{"type":"Ready","status":"True","lastTransitionTime":"2026-06-11T17:26:15Z","reason":"Reconciled"}],"summary":{"ready":true,"hostsReady":["18e32965997cdd9967355c6fa5264ed12c0a215989d459ed88d7d6de02865f76"],"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":6,"festivalWristbandEnabled":false}}}
{"level":"info","ts":"2026-06-11T17:26:15Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"18e32965997cdd9967355c6fa5264ed12c0a215989d459ed88d7d6de02865f76","namespace":"kuadrant-system"}}
{"level":"debug","ts":"2026-06-11T17:26:15Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"18e32965997cdd9967355c6fa5264ed12c0a215989d459ed88d7d6de02865f76","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"False","lastTransitionTime":"2026-06-11T17:26:15Z","reason":"HostsNotLinked","message":"No hosts linked to the resource"},{"type":"Ready","status":"False","lastTransitionTime":"2026-06-11T17:26:15Z","reason":"Reconciling"}],"summary":{"ready":false,"hostsReady":[],"numHostsReady":"0/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":6,"festivalWristbandEnabled":false}}}
{"level":"debug","ts":"2026-06-11T17:26:15Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/18e32965997cdd9967355c6fa5264ed12c0a215989d459ed88d7d6de02865f76","issuerUrl":"https://keycloak.apps.fb1fb2b1-e37d-43bb-a447-4e1b046d7a89.prod.konfluxeaas.com/realms/tenant-a"}
{"level":"info","ts":"2026-06-11T17:26:15Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/18e32965997cdd9967355c6fa5264ed12c0a215989d459ed88d7d6de02865f76"}
{"level":"info","ts":"2026-06-11T17:26:15Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"18e32965997cdd9967355c6fa5264ed12c0a215989d459ed88d7d6de02865f76","namespace":"kuadrant-system"}}
{"level":"debug","ts":"2026-06-11T17:26:15Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"18e32965997cdd9967355c6fa5264ed12c0a215989d459ed88d7d6de02865f76","namespace":"kuadrant-system"}}
{"level":"debug","ts":"2026-06-11T17:26:15Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/18e32965997cdd9967355c6fa5264ed12c0a215989d459ed88d7d6de02865f76","issuerUrl":"https://keycloak.apps.fb1fb2b1-e37d-43bb-a447-4e1b046d7a89.prod.konfluxeaas.com/realms/tenant-a"}
{"level":"debug","ts":"2026-06-11T17:26:15Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"18e32965997cdd9967355c6fa5264ed12c0a215989d459ed88d7d6de02865f76","namespace":"kuadrant-system"}}
{"level":"info","ts":"2026-06-11T17:26:15Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/18e32965997cdd9967355c6fa5264ed12c0a215989d459ed88d7d6de02865f76"}
{"level":"debug","ts":"2026-06-11T17:26:15Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"18e32965997cdd9967355c6fa5264ed12c0a215989d459ed88d7d6de02865f76","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"True","lastTransitionTime":"2026-06-11T17:26:15Z","reason":"HostsLinked"},{"type":"Ready","status":"True","lastTransitionTime":"2026-06-11T17:26:15Z","reason":"Reconciled"}],"summary":{"ready":true,"hostsReady":["18e32965997cdd9967355c6fa5264ed12c0a215989d459ed88d7d6de02865f76"],"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":6,"festivalWristbandEnabled":false}}}
{"level":"info","ts":"2026-06-11T17:26:15Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"18e32965997cdd9967355c6fa5264ed12c0a215989d459ed88d7d6de02865f76","namespace":"kuadrant-system"}}
{"level":"debug","ts":"2026-06-11T17:26:15Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"18e32965997cdd9967355c6fa5264ed12c0a215989d459ed88d7d6de02865f76","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"False","lastTransitionTime":"2026-06-11T17:26:15Z","reason":"HostsNotLinked","message":"No hosts linked to the resource"},{"type":"Ready","status":"False","lastTransitionTime":"2026-06-11T17:26:15Z","reason":"Reconciling"}],"summary":{"ready":false,"hostsReady":[],"numHostsReady":"0/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":6,"festivalWristbandEnabled":false}}}
{"level":"debug","ts":"2026-06-11T17:26:15Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/18e32965997cdd9967355c6fa5264ed12c0a215989d459ed88d7d6de02865f76","issuerUrl":"https://keycloak.apps.fb1fb2b1-e37d-43bb-a447-4e1b046d7a89.prod.konfluxeaas.com/realms/tenant-a"}
{"level":"info","ts":"2026-06-11T17:26:15Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/18e32965997cdd9967355c6fa5264ed12c0a215989d459ed88d7d6de02865f76"}
{"level":"info","ts":"2026-06-11T17:26:15Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"18e32965997cdd9967355c6fa5264ed12c0a215989d459ed88d7d6de02865f76","namespace":"kuadrant-system"}}
{"level":"debug","ts":"2026-06-11T17:26:15Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"18e32965997cdd9967355c6fa5264ed12c0a215989d459ed88d7d6de02865f76","namespace":"kuadrant-system"}}
{"level":"debug","ts":"2026-06-11T17:26:15Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/18e32965997cdd9967355c6fa5264ed12c0a215989d459ed88d7d6de02865f76","issuerUrl":"https://keycloak.apps.fb1fb2b1-e37d-43bb-a447-4e1b046d7a89.prod.konfluxeaas.com/realms/tenant-a"}
{"level":"debug","ts":"2026-06-11T17:26:15Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"18e32965997cdd9967355c6fa5264ed12c0a215989d459ed88d7d6de02865f76","namespace":"kuadrant-system"}}
{"level":"info","ts":"2026-06-11T17:26:15Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/18e32965997cdd9967355c6fa5264ed12c0a215989d459ed88d7d6de02865f76"}
{"level":"debug","ts":"2026-06-11T17:26:15Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"18e32965997cdd9967355c6fa5264ed12c0a215989d459ed88d7d6de02865f76","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"True","lastTransitionTime":"2026-06-11T17:26:15Z","reason":"HostsLinked"},{"type":"Ready","status":"True","lastTransitionTime":"2026-06-11T17:26:15Z","reason":"Reconciled"}],"summary":{"ready":true,"hostsReady":["18e32965997cdd9967355c6fa5264ed12c0a215989d459ed88d7d6de02865f76"],"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":6,"festivalWristbandEnabled":false}}}
{"level":"info","ts":"2026-06-11T17:26:15Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"18e32965997cdd9967355c6fa5264ed12c0a215989d459ed88d7d6de02865f76","namespace":"kuadrant-system"}}
{"level":"debug","ts":"2026-06-11T17:26:15Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"18e32965997cdd9967355c6fa5264ed12c0a215989d459ed88d7d6de02865f76","namespace":"kuadrant-system"}}
{"level":"debug","ts":"2026-06-11T17:26:15Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/18e32965997cdd9967355c6fa5264ed12c0a215989d459ed88d7d6de02865f76","issuerUrl":"https://keycloak.apps.fb1fb2b1-e37d-43bb-a447-4e1b046d7a89.prod.konfluxeaas.com/realms/tenant-a"}
{"level":"info","ts":"2026-06-11T17:26:15Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/18e32965997cdd9967355c6fa5264ed12c0a215989d459ed88d7d6de02865f76"}
{"level":"info","ts":"2026-06-11T17:26:41Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"ab232f66-d75a-4389-be56-f15f1423dc19","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.14:47402","PortSpecifier":{"PortValue":47402}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.37:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"ab232f66-d75a-4389-be56-f15f1423dc19","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.fb1fb2b1-e37d-43bb-a447-4e1b046d7a89.prod.konfluxeaas.com","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-11T17:26:41Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"ab232f66-d75a-4389-be56-f15f1423dc19","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.14:47402","PortSpecifier":{"PortValue":47402}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.37:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781198801,"nanos":924118962},"http":{"id":"ab232f66-d75a-4389-be56-f15f1423dc19","method":"POST","headers":{":authority":"maas.apps.fb1fb2b1-e37d-43bb-a447-4e1b046d7a89.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-11T17:26:41Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"ab232f66-d75a-4389-be56-f15f1423dc19","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781199101,"groups":["Engineering","Project-Alpha"],"iat":1781198801,"iss":"https://keycloak.apps.fb1fb2b1-e37d-43bb-a447-4e1b046d7a89.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:db1a0c26-f942-b479-3436-d1c6f172e8ea","preferred_username":"alice_lead","scope":"email profile","sid":"7kpa-GpsMQBC6LNxsVycWo4w","sub":"a0f0ce41-0a67-42b1-81b5-707fd4cef057","typ":"Bearer"}}
{"level":"debug","ts":"2026-06-11T17:26:41Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"ab232f66-d75a-4389-be56-f15f1423dc19","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781199101,"groups":["Engineering","Project-Alpha"],"iat":1781198801,"iss":"https://keycloak.apps.fb1fb2b1-e37d-43bb-a447-4e1b046d7a89.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:db1a0c26-f942-b479-3436-d1c6f172e8ea","preferred_username":"alice_lead","scope":"email profile","sid":"7kpa-GpsMQBC6LNxsVycWo4w","sub":"a0f0ce41-0a67-42b1-81b5-707fd4cef057","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.133.0.37:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.fb1fb2b1-e37d-43bb-a447-4e1b046d7a89.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-11T17:26:41Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"ab232f66-d75a-4389-be56-f15f1423dc19","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-11T17:26:41Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"ab232f66-d75a-4389-be56-f15f1423dc19","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-11T17:26:41Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"ab232f66-d75a-4389-be56-f15f1423dc19","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-11T17:26:41Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"ab232f66-d75a-4389-be56-f15f1423dc19","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"userid","Value":{}},{"Name":"groups","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"keyId","Value":{}}]},"Plain":null},"reason":"no such key: metadata"}
{"level":"debug","ts":"2026-06-11T17:26:41Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"ab232f66-d75a-4389-be56-f15f1423dc19","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"}
{"level":"debug","ts":"2026-06-11T17:26:41Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"ab232f66-d75a-4389-be56-f15f1423dc19","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"}
{"level":"info","ts":"2026-06-11T17:26:41Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"ab232f66-d75a-4389-be56-f15f1423dc19","authorized":true,"response":"OK"}
{"level":"debug","ts":"2026-06-11T17:26:41Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"ab232f66-d75a-4389-be56-f15f1423dc19","authorized":true,"response":"OK"}
{"level":"info","ts":"2026-06-11T17:26:42Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"91e92bd1-7db7-4183-a25a-3664499c423b","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.14:47410","PortSpecifier":{"PortValue":47410}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.37:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"91e92bd1-7db7-4183-a25a-3664499c423b","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.fb1fb2b1-e37d-43bb-a447-4e1b046d7a89.prod.konfluxeaas.com","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-11T17:26:42Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"91e92bd1-7db7-4183-a25a-3664499c423b","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.14:47410","PortSpecifier":{"PortValue":47410}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.37:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781198802,"nanos":45500306},"http":{"id":"91e92bd1-7db7-4183-a25a-3664499c423b","method":"POST","headers":{":authority":"maas.apps.fb1fb2b1-e37d-43bb-a447-4e1b046d7a89.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-11T17:26:42Z","logger":"authorino.service.auth.authpipeline.identity","msg":"cannot validate identity","request id":"91e92bd1-7db7-4183-a25a-3664499c423b","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"reason":"failed to verify signature: failed to verify id token signature"}
{"level":"debug","ts":"2026-06-11T17:26:42Z","logger":"authorino.service.auth.authpipeline.identity.kubernetesauth","msg":"calling kubernetes token review api","request id":"91e92bd1-7db7-4183-a25a-3664499c423b","tokenreview":{"name":""}}
{"level":"debug","ts":"2026-06-11T17:26:42Z","logger":"authorino.service.auth.authpipeline.identity","msg":"cannot validate identity","request id":"91e92bd1-7db7-4183-a25a-3664499c423b","config":{"Name":"openshift-identities","Priority":2,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":null,"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"Plain":null,"Noop":null,"ExtendedProperties":[]},"reason":"not authenticated"}
{"level":"info","ts":"2026-06-11T17:26:42Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"91e92bd1-7db7-4183-a25a-3664499c423b","authorized":false,"response":"UNAUTHENTICATED","object":{"code":16,"status":401,"message":"Authentication required"}}
{"level":"debug","ts":"2026-06-11T17:26:42Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"91e92bd1-7db7-4183-a25a-3664499c423b","authorized":false,"response":"UNAUTHENTICATED","object":{"code":16,"status":401,"message":"Authentication required","headers":[{"WWW-Authenticate":"request.headers.authorization realm=\"api-keys\""},{"WWW-Authenticate":"Bearer **** realm=\"openshift-identities\""}]}}
{"level":"info","ts":"2026-06-11T17:26:42Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"f6d57046-b918-40f6-b9be-8cfe0d8b50ef","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.14:47422","PortSpecifier":{"PortValue":47422}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.37:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"f6d57046-b918-40f6-b9be-8cfe0d8b50ef","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.fb1fb2b1-e37d-43bb-a447-4e1b046d7a89.prod.konfluxeaas.com","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-11T17:26:42Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"f6d57046-b918-40f6-b9be-8cfe0d8b50ef","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.14:47422","PortSpecifier":{"PortValue":47422}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.37:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781198802,"nanos":102109378},"http":{"id":"f6d57046-b918-40f6-b9be-8cfe0d8b50ef","method":"POST","headers":{":authority":"maas.apps.fb1fb2b1-e37d-43bb-a447-4e1b046d7a89.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer","content-length":"35","content-type":"application/json","forwarded":"for=44.212.242.249;host=maas.apps.fb1fb2b1-e37d-43bb-a447-4e1b046d7a89.prod.konfluxeaas.com;proto=https","user-agent":"python-requests/2.32.5","x-envoy-decorator-operation":"maas-api.opendatahub.svc.cluster.local:8443/*","x-envoy-external-address":"10.132.0.14","x-envoy-peer-metadata":"ChoKCkNMVVNURVJfSUQSDBoKS3ViZXJuZXRlcwqLAQoGTEFCRUxTEoABKn4KSwofc2VydmljZS5pc3Rpby5pby9jYW5vbmljYWwtbmFtZRIoGiZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAovCiNzZXJ2aWNlLmlzdGlvLmlvL2Nhbm9uaWNhbC1yZXZpc2lvbhIIGgZsYXRlc3QKQAoETkFNRRI4GjZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdC02ODdmZjY5OTYtY2o4ODYKIAoJTkFNRVNQQUNFEhMaEW9wZW5zaGlmdC1pbmdyZXNzCnQKBU9XTkVSEmsaaWt1YmVybmV0ZXM6Ly9hcGlzL2FwcHMvdjEvbmFtZXNwYWNlcy9vcGVuc2hpZnQtaW5ncmVzcy9kZXBsb3ltZW50cy9tYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAo5Cg1XT1JLTE9BRF9OQU1FEigaJm1hYXMtZGVmYXVsdC1nYXRld2F5LW9wZW5zaGlmdC1kZWZhdWx0","x-envoy-peer-metadata-id":"router~10.133.0.37~maas-default-gateway-openshift-default-687ff6996-cj886.openshift-ingress~openshift-ingress.svc.cluster.local","x-forwarded-for":"44.212.242.249,10.132.0.14","x-forwarded-host":"maas.apps.fb1fb2b1-e37d-43bb-a447-4e1b046d7a89.prod.konfluxeaas.com","x-forwarded-port":"443","x-forwarded-proto":"https","x-request-id":"f6d57046-b918-40f6-b9be-8cfe0d8b50ef"},"path":"/maas-api/v1/api-keys","host":"maas.apps.fb1fb2b1-e37d-43bb-a447-4e1b046d7a89.prod.konfluxeaas.com","scheme":"https","protocol":"HTTP/1.1"}},"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"metadata_context":{}}}
{"level":"debug","ts":"2026-06-11T17:26:42Z","logger":"authorino.service.auth.authpipeline.identity","msg":"cannot validate identity","request id":"f6d57046-b918-40f6-b9be-8cfe0d8b50ef","config":{"Name":"openshift-identities","Priority":2,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":null,"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"Plain":null,"Noop":null,"ExtendedProperties":[]},"reason":"credential not found"}
{"level":"info","ts":"2026-06-11T17:26:42Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"f6d57046-b918-40f6-b9be-8cfe0d8b50ef","authorized":false,"response":"UNAUTHENTICATED","object":{"code":16,"status":401,"message":"Authentication required"}}
{"level":"debug","ts":"2026-06-11T17:26:42Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"f6d57046-b918-40f6-b9be-8cfe0d8b50ef","authorized":false,"response":"UNAUTHENTICATED","object":{"code":16,"status":401,"message":"Authentication required","headers":[{"WWW-Authenticate":"request.headers.authorization realm=\"api-keys\""},{"WWW-Authenticate":"Bearer **** realm=\"openshift-identities\""}]}}
{"level":"info","ts":"2026-06-11T17:26:42Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"8a317390-c37a-405d-bd58-6e71cbfaee62","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.14:47426","PortSpecifier":{"PortValue":47426}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.37:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"8a317390-c37a-405d-bd58-6e71cbfaee62","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.fb1fb2b1-e37d-43bb-a447-4e1b046d7a89.prod.konfluxeaas.com","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-11T17:26:42Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"8a317390-c37a-405d-bd58-6e71cbfaee62","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.14:47426","PortSpecifier":{"PortValue":47426}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.37:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781198802,"nanos":128074521},"http":{"id":"8a317390-c37a-405d-bd58-6e71cbfaee62","method":"POST","headers":{":authority":"maas.apps.fb1fb2b1-e37d-43bb-a447-4e1b046d7a89.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","content-length":"36","content-type":"application/json","forwarded":"for=44.212.242.249;host=maas.apps.fb1fb2b1-e37d-43bb-a447-4e1b046d7a89.prod.konfluxeaas.com;proto=https","user-agent":"python-requests/2.32.5","x-envoy-decorator-operation":"maas-api.opendatahub.svc.cluster.local:8443/*","x-envoy-external-address":"10.132.0.14","x-envoy-peer-metadata":"ChoKCkNMVVNURVJfSUQSDBoKS3ViZXJuZXRlcwqLAQoGTEFCRUxTEoABKn4KSwofc2VydmljZS5pc3Rpby5pby9jYW5vbmljYWwtbmFtZRIoGiZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAovCiNzZXJ2aWNlLmlzdGlvLmlvL2Nhbm9uaWNhbC1yZXZpc2lvbhIIGgZsYXRlc3QKQAoETkFNRRI4GjZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdC02ODdmZjY5OTYtY2o4ODYKIAoJTkFNRVNQQUNFEhMaEW9wZW5zaGlmdC1pbmdyZXNzCnQKBU9XTkVSEmsaaWt1YmVybmV0ZXM6Ly9hcGlzL2FwcHMvdjEvbmFtZXNwYWNlcy9vcGVuc2hpZnQtaW5ncmVzcy9kZXBsb3ltZW50cy9tYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAo5Cg1XT1JLTE9BRF9OQU1FEigaJm1hYXMtZGVmYXVsdC1nYXRld2F5LW9wZW5zaGlmdC1kZWZhdWx0","x-envoy-peer-metadata-id":"router~10.133.0.37~maas-default-gateway-openshift-default-687ff6996-cj886.openshift-ingress~openshift-ingress.svc.cluster.local","x-forwarded-for":"44.212.242.249,10.132.0.14","x-forwarded-host":"maas.apps.fb1fb2b1-e37d-43bb-a447-4e1b046d7a89.prod.konfluxeaas.com","x-forwarded-port":"443","x-forwarded-proto":"https","x-request-id":"8a317390-c37a-405d-bd58-6e71cbfaee62"},"path":"/maas-api/v1/api-keys","host":"maas.apps.fb1fb2b1-e37d-43bb-a447-4e1b046d7a89.prod.konfluxeaas.com","scheme":"https","protocol":"HTTP/1.1"}},"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"metadata_context":{}}}
{"level":"info","ts":"2026-06-11T17:26:42Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"8a317390-c37a-405d-bd58-6e71cbfaee62","authorized":false,"response":"UNAUTHENTICATED","object":{"code":16,"status":401,"message":"Authentication required"}}
{"level":"debug","ts":"2026-06-11T17:26:42Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"8a317390-c37a-405d-bd58-6e71cbfaee62","authorized":false,"response":"UNAUTHENTICATED","object":{"code":16,"status":401,"message":"Authentication required","headers":[{"WWW-Authenticate":"request.headers.authorization realm=\"api-keys\""},{"WWW-Authenticate":"Bearer **** realm=\"openshift-identities\""}]}}
{"level":"info","ts":"2026-06-11T17:26:42Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"7d31c693-d09f-497a-a82d-fad32fa3df4a","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.14:47442","PortSpecifier":{"PortValue":47442}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.37:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"7d31c693-d09f-497a-a82d-fad32fa3df4a","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.fb1fb2b1-e37d-43bb-a447-4e1b046d7a89.prod.konfluxeaas.com","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-11T17:26:42Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"7d31c693-d09f-497a-a82d-fad32fa3df4a","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.14:47442","PortSpecifier":{"PortValue":47442}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.37:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781198802,"nanos":482251125},"http":{"id":"7d31c693-d09f-497a-a82d-fad32fa3df4a","method":"POST","headers":{":authority":"maas.apps.fb1fb2b1-e37d-43bb-a447-4e1b046d7a89.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-11T17:26:42Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"7d31c693-d09f-497a-a82d-fad32fa3df4a","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781199102,"groups":["Site-Reliability"],"iat":1781198802,"iss":"https://keycloak.apps.fb1fb2b1-e37d-43bb-a447-4e1b046d7a89.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:5501ac2a-d367-500f-373c-aa3aecfde72e","preferred_username":"bob_sre","scope":"email profile","sid":"Ph_H-Go2sUrriO0OY4QZaLzj","sub":"5813aeb3-970a-4b17-8fd0-fd4837e34a24","typ":"Bearer"}}
{"level":"debug","ts":"2026-06-11T17:26:42Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"7d31c693-d09f-497a-a82d-fad32fa3df4a","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781199102,"groups":["Site-Reliability"],"iat":1781198802,"iss":"https://keycloak.apps.fb1fb2b1-e37d-43bb-a447-4e1b046d7a89.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:5501ac2a-d367-500f-373c-aa3aecfde72e","preferred_username":"bob_sre","scope":"email profile","sid":"Ph_H-Go2sUrriO0OY4QZaLzj","sub":"5813aeb3-970a-4b17-8fd0-fd4837e34a24","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.133.0.37:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.fb1fb2b1-e37d-43bb-a447-4e1b046d7a89.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-11T17:26:42Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"7d31c693-d09f-497a-a82d-fad32fa3df4a","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-11T17:26:42Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"7d31c693-d09f-497a-a82d-fad32fa3df4a","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-11T17:26:42Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"7d31c693-d09f-497a-a82d-fad32fa3df4a","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-11T17:26:42Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"7d31c693-d09f-497a-a82d-fad32fa3df4a","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"userid","Value":{}},{"Name":"groups","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"keyId","Value":{}}]},"Plain":null},"reason":"no such key: metadata"}
{"level":"debug","ts":"2026-06-11T17:26:42Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"7d31c693-d09f-497a-a82d-fad32fa3df4a","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Site-Reliability\"]"}
{"level":"debug","ts":"2026-06-11T17:26:42Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"7d31c693-d09f-497a-a82d-fad32fa3df4a","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"bob_sre"}
{"level":"info","ts":"2026-06-11T17:26:42Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"7d31c693-d09f-497a-a82d-fad32fa3df4a","authorized":true,"response":"OK"}
{"level":"debug","ts":"2026-06-11T17:26:42Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"7d31c693-d09f-497a-a82d-fad32fa3df4a","authorized":true,"response":"OK"}
{"level":"info","ts":"2026-06-11T17:26:42Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"f635dd45-7dea-443d-a9fa-a6f23a53ae87","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.14:47450","PortSpecifier":{"PortValue":47450}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.37:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"f635dd45-7dea-443d-a9fa-a6f23a53ae87","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.fb1fb2b1-e37d-43bb-a447-4e1b046d7a89.prod.konfluxeaas.com","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-11T17:26:42Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"f635dd45-7dea-443d-a9fa-a6f23a53ae87","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.14:47450","PortSpecifier":{"PortValue":47450}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.37:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781198802,"nanos":698796836},"http":{"id":"f635dd45-7dea-443d-a9fa-a6f23a53ae87","method":"POST","headers":{":authority":"maas.apps.fb1fb2b1-e37d-43bb-a447-4e1b046d7a89.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-11T17:26:42Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"f635dd45-7dea-443d-a9fa-a6f23a53ae87","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781199102,"groups":["Engineering","Project-Alpha"],"iat":1781198802,"iss":"https://keycloak.apps.fb1fb2b1-e37d-43bb-a447-4e1b046d7a89.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:98a69038-fe39-c7f1-c5a2-835d1d0ca830","preferred_username":"alice_lead","scope":"email profile","sid":"7_0wq1z9AACjIFUl_6dE3m0-","sub":"a0f0ce41-0a67-42b1-81b5-707fd4cef057","typ":"Bearer"}}
{"level":"debug","ts":"2026-06-11T17:26:42Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"f635dd45-7dea-443d-a9fa-a6f23a53ae87","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781199102,"groups":["Engineering","Project-Alpha"],"iat":1781198802,"iss":"https://keycloak.apps.fb1fb2b1-e37d-43bb-a447-4e1b046d7a89.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:98a69038-fe39-c7f1-c5a2-835d1d0ca830","preferred_username":"alice_lead","scope":"email profile","sid":"7_0wq1z9AACjIFUl_6dE3m0-","sub":"a0f0ce41-0a67-42b1-81b5-707fd4cef057","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.133.0.37:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.fb1fb2b1-e37d-43bb-a447-4e1b046d7a89.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-11T17:26:42Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"f635dd45-7dea-443d-a9fa-a6f23a53ae87","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-11T17:26:42Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"f635dd45-7dea-443d-a9fa-a6f23a53ae87","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-11T17:26:42Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"f635dd45-7dea-443d-a9fa-a6f23a53ae87","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-11T17:26:42Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"f635dd45-7dea-443d-a9fa-a6f23a53ae87","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"userid","Value":{}},{"Name":"groups","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"keyId","Value":{}}]},"Plain":null},"reason":"no such key: metadata"}
{"level":"debug","ts":"2026-06-11T17:26:42Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"f635dd45-7dea-443d-a9fa-a6f23a53ae87","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"}
{"level":"debug","ts":"2026-06-11T17:26:42Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"f635dd45-7dea-443d-a9fa-a6f23a53ae87","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"}
{"level":"info","ts":"2026-06-11T17:26:42Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"f635dd45-7dea-443d-a9fa-a6f23a53ae87","authorized":true,"response":"OK"}
{"level":"debug","ts":"2026-06-11T17:26:42Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"f635dd45-7dea-443d-a9fa-a6f23a53ae87","authorized":true,"response":"OK"}
{"level":"info","ts":"2026-06-11T17:26:42Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"36adc3d0-e83b-4777-a400-d706dd7d9d88","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.14:47458","PortSpecifier":{"PortValue":47458}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.37:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"36adc3d0-e83b-4777-a400-d706dd7d9d88","method":"GET","path":"/maas-api/v1/models","host":"maas.apps.fb1fb2b1-e37d-43bb-a447-4e1b046d7a89.prod.konfluxeaas.com","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-11T17:26:42Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"36adc3d0-e83b-4777-a400-d706dd7d9d88","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.14:47458","PortSpecifier":{"PortValue":47458}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.37:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781198802,"nanos":729679400},"http":{"id":"36adc3d0-e83b-4777-a400-d706dd7d9d88","method":"GET","headers":{":authority":"maas.apps.fb1fb2b1-e37d-43bb-a447-4e1b046d7a89.prod.konfluxeaas.com",":method":"GET",":path":"/maas-api/v1/models",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-11T17:26:42Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"36adc3d0-e83b-4777-a400-d706dd7d9d88","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-dN8ka1blt2W7zs1Z_oVvH8dYI9B7pBFZFX5fFFbwQtkSBpYPNWvCFMwRxyyx"}
{"level":"debug","ts":"2026-06-11T17:26:42Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"36adc3d0-e83b-4777-a400-d706dd7d9d88","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-dN8ka1blt2W7zs1Z_oVvH8dYI9B7pBFZFX5fFFbwQtkSBpYPNWvCFMwRxyyx\"}"}
{"level":"debug","ts":"2026-06-11T17:26:42Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"36adc3d0-e83b-4777-a400-d706dd7d9d88","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-11T17:26:42Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"36adc3d0-e83b-4777-a400-d706dd7d9d88","input":{"auth":{"identity":"Bearer **** deflate","authorization":"Bearer **** deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-11T17:26:42Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"36adc3d0-e83b-4777-a400-d706dd7d9d88","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-11T17:26:42Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"36adc3d0-e83b-4777-a400-d706dd7d9d88","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-11T17:26:42Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"36adc3d0-e83b-4777-a400-d706dd7d9d88","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-11T17:26:42Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"36adc3d0-e83b-4777-a400-d706dd7d9d88","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-11T17:26:42Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"36adc3d0-e83b-4777-a400-d706dd7d9d88","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-11T17:26:42Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"36adc3d0-e83b-4777-a400-d706dd7d9d88","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"userid","Value":{}},{"Name":"groups","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"keyId","Value":{}}]},"Plain":null},"reason":"no such key: subscription-info"}
{"level":"debug","ts":"2026-06-11T17:26:42Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"36adc3d0-e83b-4777-a400-d706dd7d9d88","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"}
{"level":"info","ts":"2026-06-11T17:26:42Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"36adc3d0-e83b-4777-a400-d706dd7d9d88","authorized":true,"response":"OK"}
{"level":"debug","ts":"2026-06-11T17:26:42Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"36adc3d0-e83b-4777-a400-d706dd7d9d88","authorized":true,"response":"OK"}
{"level":"info","ts":"2026-06-11T17:26:42Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"7f0b5699-7cdc-4e55-83f0-121317b073f5","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.41:44922","PortSpecifier":{"PortValue":44922}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.37:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"7f0b5699-7cdc-4e55-83f0-121317b073f5","method":"GET","path":"/llm/facebook-opt-125m-simulated/v1/models","host":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-11T17:26:42Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"7f0b5699-7cdc-4e55-83f0-121317b073f5","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.41:44922","PortSpecifier":{"PortValue":44922}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.37:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781198802,"nanos":747159737},"http":{"id":"7f0b5699-7cdc-4e55-83f0-121317b073f5","method":"GET","headers":{":authority":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local",":method":"GET",":path":"/llm/facebook-opt-125m-simulated/v1/models",":scheme":"https","accept-encoding":"gzip","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-11T17:26:42Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"7f0b5699-7cdc-4e55-83f0-121317b073f5","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-dN8ka1blt2W7zs1Z_oVvH8dYI9B7pBFZFX5fFFbwQtkSBpYPNWvCFMwRxyyx"}
{"level":"debug","ts":"2026-06-11T17:26:42Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"7f0b5699-7cdc-4e55-83f0-121317b073f5","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-dN8ka1blt2W7zs1Z_oVvH8dYI9B7pBFZFX5fFFbwQtkSBpYPNWvCFMwRxyyx\"}"}
{"level":"debug","ts":"2026-06-11T17:26:42Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"7f0b5699-7cdc-4e55-83f0-121317b073f5","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-11T17:26:42Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"7f0b5699-7cdc-4e55-83f0-121317b073f5","config":"subscription-info","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","headers":{"Content-Type":["application/json"]},"body":"{\"groups\":[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"],\"requestedModel\":\"llm/facebook-opt-125m-simulated\",\"requestedSubscription\":\"simulator-subscription\",\"username\":\"alice_lead\"}"}
{"level":"debug","ts":"2026-06-11T17:26:42Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"7f0b5699-7cdc-4e55-83f0-121317b073f5","config":{"Name":"subscription-info","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"UserInfo":null,"UMA":null,"GenericHTTP":{"Endpoint":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","DynamicEndpoint":null,"Method":"POST","Body":{},"Parameters":[],"Headers":[],"ContentType":"application/json","SharedSecret":"","OAuth2":null,"OAuth2TokenForceFetch":false,"AuthCredentials":null}},"object":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}}
{"level":"debug","ts":"2026-06-11T17:26:42Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"7f0b5699-7cdc-4e55-83f0-121317b073f5","input":{"auth":{"identity":"Bearer **** subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}}},"context":{"context_extensions":{"host":"3dd75e19cd66d310c30638e330078972afd6d2d96305f91055bc6a6f363fb8d3"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.133.0.37:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local",":method":"GET",":path":"/llm/facebook-opt-125m-simulated/v1/models",":scheme":"https","accept-encoding":"gzip","authorization":"Bearer **** sk-oai-dN8ka1blt2W7zs1Z_oVvH8dYI9B7pBFZFX5fFFbwQtkSBpYPNWvCFMwRxyyx","user-agent":"Go-http-client/1.1","x-envoy-decorator-operation":"facebook-opt-125m-simulated-kserve-workload-svc.llm.svc.cluster.local:8000/*","x-envoy-external-address":"10.132.0.41","x-envoy-peer-metadata":"ChoKCkNMVVNURVJfSUQSDBoKS3ViZXJuZXRlcwqLAQoGTEFCRUxTEoABKn4KSwofc2VydmljZS5pc3Rpby5pby9jYW5vbmljYWwtbmFtZRIoGiZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAovCiNzZXJ2aWNlLmlzdGlvLmlvL2Nhbm9uaWNhbC1yZXZpc2lvbhIIGgZsYXRlc3QKQAoETkFNRRI4GjZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdC02ODdmZjY5OTYtY2o4ODYKIAoJTkFNRVNQQUNFEhMaEW9wZW5zaGlmdC1pbmdyZXNzCnQKBU9XTkVSEmsaaWt1YmVybmV0ZXM6Ly9hcGlzL2FwcHMvdjEvbmFtZXNwYWNlcy9vcGVuc2hpZnQtaW5ncmVzcy9kZXBsb3ltZW50cy9tYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAo5Cg1XT1JLTE9BRF9OQU1FEigaJm1hYXMtZGVmYXVsdC1nYXRld2F5LW9wZW5zaGlmdC1kZWZhdWx0","x-envoy-peer-metadata-id":"router~10.133.0.37~maas-default-gateway-openshift-default-687ff6996-cj886.openshift-ingress~openshift-ingress.svc.cluster.local","x-forwarded-for":"10.132.0.41","x-forwarded-proto":"https","x-maas-subscription":"simulator-subscription","x-request-id":"7f0b5699-7cdc-4e55-83f0-121317b073f5"},"host":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local","id":"7f0b5699-7cdc-4e55-83f0-121317b073f5","method":"GET","path":"/llm/facebook-opt-125m-simulated/v1/models","protocol":"HTTP/1.1","scheme":"https","time":{"nanos":747159737,"seconds":1781198802},"url_path":"/llm/facebook-opt-125m-simulated/v1/models","user_agent":"Go-http-client/1.1"},"source":{"address":"10.132.0.41:44922","port":44922}}}
{"level":"debug","ts":"2026-06-11T17:26:42Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"7f0b5699-7cdc-4e55-83f0-121317b073f5","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-11T17:26:42Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"7f0b5699-7cdc-4e55-83f0-121317b073f5","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-11T17:26:42Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"7f0b5699-7cdc-4e55-83f0-121317b073f5","config":{"Name":"subscription-valid","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-11T17:26:42Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"7f0b5699-7cdc-4e55-83f0-121317b073f5","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-11T17:26:42Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"7f0b5699-7cdc-4e55-83f0-121317b073f5","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-11T17:26:42Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"7f0b5699-7cdc-4e55-83f0-121317b073f5","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-11T17:26:42Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"7f0b5699-7cdc-4e55-83f0-121317b073f5","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"}
{"level":"debug","ts":"2026-06-11T17:26:42Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"7f0b5699-7cdc-4e55-83f0-121317b073f5","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"selected_subscription","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"keyId","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"userid","Value":{}},{"Name":"groups","Value":{}}]},"Plain":null},"object":{"groups":["system:authenticated","Engineering","Project-Alpha"],"groups_str":"system:authenticated,Engineering,Project-Alpha","keyId":"ef276a30-6df3-4483-9fd9-0359c79d674a","selected_subscription":"simulator-subscription","selected_subscription_key":"models-as-a-service/simulator-subscription@llm/facebook-opt-125m-simulated","subscription_error":"","subscription_error_message":"","subscription_info":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true},"userid":"alice_lead"}}
{"level":"info","ts":"2026-06-11T17:26:42Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"7f0b5699-7cdc-4e55-83f0-121317b073f5","authorized":true,"response":"OK"}
{"level":"debug","ts":"2026-06-11T17:26:42Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"7f0b5699-7cdc-4e55-83f0-121317b073f5","authorized":true,"response":"OK"}
{"level":"info","ts":"2026-06-11T17:26:42Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"3d55828e-51c1-4e88-9aa5-4b8883730d2e","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.14:47460","PortSpecifier":{"PortValue":47460}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.37:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"3d55828e-51c1-4e88-9aa5-4b8883730d2e","method":"POST","path":"/llm/facebook-opt-125m-simulated/v1/chat/completions","host":"maas.apps.fb1fb2b1-e37d-43bb-a447-4e1b046d7a89.prod.konfluxeaas.com","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-11T17:26:42Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"3d55828e-51c1-4e88-9aa5-4b8883730d2e","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.14:47460","PortSpecifier":{"PortValue":47460}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.37:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781198802,"nanos":777893001},"http":{"id":"3d55828e-51c1-4e88-9aa5-4b8883730d2e","method":"POST","headers":{":authority":"maas.apps.fb1fb2b1-e37d-43bb-a447-4e1b046d7a89.prod.konfluxeaas.com",":method":"POST",":path":"/llm/facebook-opt-125m-simulated/v1/chat/completions",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-11T17:26:42Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"3d55828e-51c1-4e88-9aa5-4b8883730d2e","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-dN8ka1blt2W7zs1Z_oVvH8dYI9B7pBFZFX5fFFbwQtkSBpYPNWvCFMwRxyyx"}
{"level":"debug","ts":"2026-06-11T17:26:42Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"3d55828e-51c1-4e88-9aa5-4b8883730d2e","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-dN8ka1blt2W7zs1Z_oVvH8dYI9B7pBFZFX5fFFbwQtkSBpYPNWvCFMwRxyyx\"}"}
{"level":"debug","ts":"2026-06-11T17:26:42Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"3d55828e-51c1-4e88-9aa5-4b8883730d2e","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-11T17:26:42Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"3d55828e-51c1-4e88-9aa5-4b8883730d2e","config":"subscription-info","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","headers":{"Content-Type":["application/json"]},"body":"{\"groups\":[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"],\"requestedModel\":\"llm/facebook-opt-125m-simulated\",\"requestedSubscription\":\"simulator-subscription\",\"username\":\"alice_lead\"}"}
{"level":"debug","ts":"2026-06-11T17:26:42Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"3d55828e-51c1-4e88-9aa5-4b8883730d2e","config":{"Name":"subscription-info","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"UserInfo":null,"UMA":null,"GenericHTTP":{"Endpoint":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","DynamicEndpoint":null,"Method":"POST","Body":{},"Parameters":[],"Headers":[],"ContentType":"application/json","SharedSecret":"","OAuth2":null,"OAuth2TokenForceFetch":false,"AuthCredentials":null}},"object":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}}
{"level":"debug","ts":"2026-06-11T17:26:42Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"3d55828e-51c1-4e88-9aa5-4b8883730d2e","input":{"auth":{"identity":"Bearer **** subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}}},"context":{"context_extensions":{"host":"18e32965997cdd9967355c6fa5264ed12c0a215989d459ed88d7d6de02865f76"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.133.0.37:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.fb1fb2b1-e37d-43bb-a447-4e1b046d7a89.prod.konfluxeaas.com",":method":"POST",":path":"/llm/facebook-opt-125m-simulated/v1/chat/completions",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-11T17:26:42Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"3d55828e-51c1-4e88-9aa5-4b8883730d2e","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-11T17:26:42Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"3d55828e-51c1-4e88-9aa5-4b8883730d2e","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-11T17:26:42Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"3d55828e-51c1-4e88-9aa5-4b8883730d2e","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-11T17:26:42Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"3d55828e-51c1-4e88-9aa5-4b8883730d2e","config":{"Name":"subscription-valid","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-11T17:26:42Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"3d55828e-51c1-4e88-9aa5-4b8883730d2e","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-11T17:26:42Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"3d55828e-51c1-4e88-9aa5-4b8883730d2e","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-11T17:26:42Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"3d55828e-51c1-4e88-9aa5-4b8883730d2e","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"}
{"level":"debug","ts":"2026-06-11T17:26:42Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"3d55828e-51c1-4e88-9aa5-4b8883730d2e","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"userid","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"groups","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_error_message","Value":{}}]},"Plain":null},"object":{"groups":["system:authenticated","Engineering","Project-Alpha"],"groups_str":"system:authenticated,Engineering,Project-Alpha","keyId":"ef276a30-6df3-4483-9fd9-0359c79d674a","selected_subscription":"simulator-subscription","selected_subscription_key":"models-as-a-service/simulator-subscription@llm/facebook-opt-125m-simulated","subscription_error":"","subscription_error_message":"","subscription_info":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true},"userid":"alice_lead"}}
{"level":"info","ts":"2026-06-11T17:26:42Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"3d55828e-51c1-4e88-9aa5-4b8883730d2e","authorized":true,"response":"OK"}
{"level":"debug","ts":"2026-06-11T17:26:42Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"3d55828e-51c1-4e88-9aa5-4b8883730d2e","authorized":true,"response":"OK"}
{"level":"info","ts":"2026-06-11T17:26:42Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"b8eaedc2-033b-474b-83cc-a086e0ccfc9d","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.14:47472","PortSpecifier":{"PortValue":47472}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.37:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"b8eaedc2-033b-474b-83cc-a086e0ccfc9d","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.fb1fb2b1-e37d-43bb-a447-4e1b046d7a89.prod.konfluxeaas.com","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-11T17:26:42Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"b8eaedc2-033b-474b-83cc-a086e0ccfc9d","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.14:47472","PortSpecifier":{"PortValue":47472}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.37:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781198802,"nanos":879287265},"http":{"id":"b8eaedc2-033b-474b-83cc-a086e0ccfc9d","method":"POST","headers":{":authority":"maas.apps.fb1fb2b1-e37d-43bb-a447-4e1b046d7a89.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-11T17:26:42Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"b8eaedc2-033b-474b-83cc-a086e0ccfc9d","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781199102,"groups":["Engineering","Project-Alpha"],"iat":1781198802,"iss":"https://keycloak.apps.fb1fb2b1-e37d-43bb-a447-4e1b046d7a89.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:90fd1c2d-5f50-7175-c9d3-5dc12b2e2a4d","preferred_username":"alice_lead","scope":"email profile","sid":"MgF8jWvyfMjVJ5r1Zn-oGQ_A","sub":"a0f0ce41-0a67-42b1-81b5-707fd4cef057","typ":"Bearer"}}
{"level":"debug","ts":"2026-06-11T17:26:42Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"b8eaedc2-033b-474b-83cc-a086e0ccfc9d","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781199102,"groups":["Engineering","Project-Alpha"],"iat":1781198802,"iss":"https://keycloak.apps.fb1fb2b1-e37d-43bb-a447-4e1b046d7a89.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:90fd1c2d-5f50-7175-c9d3-5dc12b2e2a4d","preferred_username":"alice_lead","scope":"email profile","sid":"MgF8jWvyfMjVJ5r1Zn-oGQ_A","sub":"a0f0ce41-0a67-42b1-81b5-707fd4cef057","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.133.0.37:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.fb1fb2b1-e37d-43bb-a447-4e1b046d7a89.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-11T17:26:42Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"b8eaedc2-033b-474b-83cc-a086e0ccfc9d","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-11T17:26:42Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"b8eaedc2-033b-474b-83cc-a086e0ccfc9d","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-11T17:26:42Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"b8eaedc2-033b-474b-83cc-a086e0ccfc9d","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-11T17:26:42Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"b8eaedc2-033b-474b-83cc-a086e0ccfc9d","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"userid","Value":{}},{"Name":"groups","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"keyId","Value":{}}]},"Plain":null},"reason":"no such key: metadata"}
{"level":"debug","ts":"2026-06-11T17:26:42Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"b8eaedc2-033b-474b-83cc-a086e0ccfc9d","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"}
{"level":"debug","ts":"2026-06-11T17:26:42Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"b8eaedc2-033b-474b-83cc-a086e0ccfc9d","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"}
{"level":"info","ts":"2026-06-11T17:26:42Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"b8eaedc2-033b-474b-83cc-a086e0ccfc9d","authorized":true,"response":"OK"}
{"level":"debug","ts":"2026-06-11T17:26:42Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"b8eaedc2-033b-474b-83cc-a086e0ccfc9d","authorized":true,"response":"OK"}
{"level":"info","ts":"2026-06-11T17:26:42Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"ca7ec0fc-e865-422b-a974-df4c0c9bbd94","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.14:47476","PortSpecifier":{"PortValue":47476}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.37:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"ca7ec0fc-e865-422b-a974-df4c0c9bbd94","method":"DELETE","path":"/maas-api/v1/api-keys/cf6b119a-37d4-4312-adcf-6d28c1445836","host":"maas.apps.fb1fb2b1-e37d-43bb-a447-4e1b046d7a89.prod.konfluxeaas.com","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-11T17:26:42Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"ca7ec0fc-e865-422b-a974-df4c0c9bbd94","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.14:47476","PortSpecifier":{"PortValue":47476}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.37:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781198802,"nanos":911017546},"http":{"id":"ca7ec0fc-e865-422b-a974-df4c0c9bbd94","method":"DELETE","headers":{":authority":"maas.apps.fb1fb2b1-e37d-43bb-a447-4e1b046d7a89.prod.konfluxeaas.com",":method":"DELETE",":path":"/maas-api/v1/api-keys/cf6b119a-37d4-4312-adcf-6d28c1445836",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-11T17:26:42Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"ca7ec0fc-e865-422b-a974-df4c0c9bbd94","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781199102,"groups":["Engineering","Project-Alpha"],"iat":1781198802,"iss":"https://keycloak.apps.fb1fb2b1-e37d-43bb-a447-4e1b046d7a89.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:90fd1c2d-5f50-7175-c9d3-5dc12b2e2a4d","preferred_username":"alice_lead","scope":"email profile","sid":"MgF8jWvyfMjVJ5r1Zn-oGQ_A","sub":"a0f0ce41-0a67-42b1-81b5-707fd4cef057","typ":"Bearer"}}
{"level":"debug","ts":"2026-06-11T17:26:42Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"ca7ec0fc-e865-422b-a974-df4c0c9bbd94","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781199102,"groups":["Engineering","Project-Alpha"],"iat":1781198802,"iss":"https://keycloak.apps.fb1fb2b1-e37d-43bb-a447-4e1b046d7a89.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:90fd1c2d-5f50-7175-c9d3-5dc12b2e2a4d","preferred_username":"alice_lead","scope":"email profile","sid":"MgF8jWvyfMjVJ5r1Zn-oGQ_A","sub":"a0f0ce41-0a67-42b1-81b5-707fd4cef057","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.133.0.37:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.fb1fb2b1-e37d-43bb-a447-4e1b046d7a89.prod.konfluxeaas.com",":method":"DELETE",":path":"/maas-api/v1/api-keys/cf6b119a-37d4-4312-adcf-6d28c1445836",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-11T17:26:42Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"ca7ec0fc-e865-422b-a974-df4c0c9bbd94","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-11T17:26:42Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"ca7ec0fc-e865-422b-a974-df4c0c9bbd94","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-11T17:26:42Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"ca7ec0fc-e865-422b-a974-df4c0c9bbd94","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-11T17:26:42Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"ca7ec0fc-e865-422b-a974-df4c0c9bbd94","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"userid","Value":{}},{"Name":"groups","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"keyId","Value":{}}]},"Plain":null},"reason":"no such key: metadata"}
{"level":"debug","ts":"2026-06-11T17:26:42Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"ca7ec0fc-e865-422b-a974-df4c0c9bbd94","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"}
{"level":"debug","ts":"2026-06-11T17:26:42Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"ca7ec0fc-e865-422b-a974-df4c0c9bbd94","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"}
{"level":"info","ts":"2026-06-11T17:26:42Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"ca7ec0fc-e865-422b-a974-df4c0c9bbd94","authorized":true,"response":"OK"}
{"level":"debug","ts":"2026-06-11T17:26:42Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"ca7ec0fc-e865-422b-a974-df4c0c9bbd94","authorized":true,"response":"OK"}
{"level":"info","ts":"2026-06-11T17:26:45Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"de604dae-4dc3-4750-9ef4-adfe1edb01c8","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.14:44200","PortSpecifier":{"PortValue":44200}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.37:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"de604dae-4dc3-4750-9ef4-adfe1edb01c8","method":"GET","path":"/maas-api/v1/models","host":"maas.apps.fb1fb2b1-e37d-43bb-a447-4e1b046d7a89.prod.konfluxeaas.com","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-11T17:26:45Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"de604dae-4dc3-4750-9ef4-adfe1edb01c8","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.14:44200","PortSpecifier":{"PortValue":44200}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.37:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781198805,"nanos":944862621},"http":{"id":"de604dae-4dc3-4750-9ef4-adfe1edb01c8","method":"GET","headers":{":authority":"maas.apps.fb1fb2b1-e37d-43bb-a447-4e1b046d7a89.prod.konfluxeaas.com",":method":"GET",":path":"/maas-api/v1/models",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-11T17:26:45Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"de604dae-4dc3-4750-9ef4-adfe1edb01c8","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-waf1koWL3EtOA9jW_jeBjVuTti0Hp6fi41FPmMz9mL0zYPzO74csDmDZfOau"}
{"level":"debug","ts":"2026-06-11T17:26:45Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"de604dae-4dc3-4750-9ef4-adfe1edb01c8","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-waf1koWL3EtOA9jW_jeBjVuTti0Hp6fi41FPmMz9mL0zYPzO74csDmDZfOau\"}"}
{"level":"debug","ts":"2026-06-11T17:26:45Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"de604dae-4dc3-4750-9ef4-adfe1edb01c8","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** revoked or expired","valid":false}}
{"level":"debug","ts":"2026-06-11T17:26:45Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"de604dae-4dc3-4750-9ef4-adfe1edb01c8","input":{"auth":{"identity":"Bearer **** revoked or expired","valid":false}}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.133.0.37:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.fb1fb2b1-e37d-43bb-a447-4e1b046d7a89.prod.konfluxeaas.com",":method":"GET",":path":"/maas-api/v1/models",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-11T17:26:45Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"de604dae-4dc3-4750-9ef4-adfe1edb01c8","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-11T17:26:45Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access denied","request id":"de604dae-4dc3-4750-9ef4-adfe1edb01c8","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"reason":"Unauthorized"}
{"level":"info","ts":"2026-06-11T17:26:45Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"de604dae-4dc3-4750-9ef4-adfe1edb01c8","authorized":false,"response":"PERMISSION_DENIED","object":{"code":7,"status":403,"message":"Unauthorized"}}
{"level":"debug","ts":"2026-06-11T17:26:45Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"de604dae-4dc3-4750-9ef4-adfe1edb01c8","authorized":false,"response":"PERMISSION_DENIED","object":{"code":7,"status":403,"message":"Unauthorized","headers":[{"x-ext-auth-reason":""},{"content-type":"text/plain"}]}}
{"level":"info","ts":"2026-06-11T17:26:46Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"3bff5731-8c9a-43fa-9829-4d49f65407fc","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.14:44214","PortSpecifier":{"PortValue":44214}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.37:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"3bff5731-8c9a-43fa-9829-4d49f65407fc","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.fb1fb2b1-e37d-43bb-a447-4e1b046d7a89.prod.konfluxeaas.com","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-11T17:26:46Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"3bff5731-8c9a-43fa-9829-4d49f65407fc","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.14:44214","PortSpecifier":{"PortValue":44214}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.37:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781198806,"nanos":71789361},"http":{"id":"3bff5731-8c9a-43fa-9829-4d49f65407fc","method":"POST","headers":{":authority":"maas.apps.fb1fb2b1-e37d-43bb-a447-4e1b046d7a89.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-11T17:26:46Z","logger":"authorino.service.auth.authpipeline.identity","msg":"cannot validate identity","request id":"3bff5731-8c9a-43fa-9829-4d49f65407fc","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"reason":"failed to verify signature: failed to verify id token signature"}
{"level":"debug","ts":"2026-06-11T17:26:46Z","logger":"authorino.service.auth.authpipeline.identity.kubernetesauth","msg":"calling kubernetes token review api","request id":"3bff5731-8c9a-43fa-9829-4d49f65407fc","tokenreview":{"name":""}}
{"level":"debug","ts":"2026-06-11T17:26:46Z","logger":"authorino.service.auth.authpipeline.identity","msg":"cannot validate identity","request id":"3bff5731-8c9a-43fa-9829-4d49f65407fc","config":{"Name":"openshift-identities","Priority":2,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":null,"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"Plain":null,"Noop":null,"ExtendedProperties":[]},"reason":"Post \"https://172.31.0.1:443/apis/authentication.k8s.io/v1/tokenreviews\": context deadline exceeded"}
{"level":"info","ts":"2026-06-11T17:26:46Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"3bff5731-8c9a-43fa-9829-4d49f65407fc","authorized":false,"response":"UNAUTHENTICATED","object":{"code":16,"status":401,"message":"Authentication required"}}
{"level":"debug","ts":"2026-06-11T17:26:46Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"3bff5731-8c9a-43fa-9829-4d49f65407fc","authorized":false,"response":"UNAUTHENTICATED","object":{"code":16,"status":401,"message":"Authentication required","headers":[{"WWW-Authenticate":"request.headers.authorization realm=\"api-keys\""},{"WWW-Authenticate":"Bearer **** realm=\"openshift-identities\""}]}}
{"level":"info","ts":"2026-06-11T17:26:46Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"b0e07f42-d6d7-4f27-8e5c-907c74be4234","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.14:44224","PortSpecifier":{"PortValue":44224}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.37:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"b0e07f42-d6d7-4f27-8e5c-907c74be4234","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.fb1fb2b1-e37d-43bb-a447-4e1b046d7a89.prod.konfluxeaas.com","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-11T17:26:46Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"b0e07f42-d6d7-4f27-8e5c-907c74be4234","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.14:44224","PortSpecifier":{"PortValue":44224}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.37:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781198806,"nanos":478099525},"http":{"id":"b0e07f42-d6d7-4f27-8e5c-907c74be4234","method":"POST","headers":{":authority":"maas.apps.fb1fb2b1-e37d-43bb-a447-4e1b046d7a89.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-11T17:26:46Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"b0e07f42-d6d7-4f27-8e5c-907c74be4234","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781199106,"groups":["Engineering","Project-Alpha"],"iat":1781198806,"iss":"https://keycloak.apps.fb1fb2b1-e37d-43bb-a447-4e1b046d7a89.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:b2e18d93-714e-affa-7903-6832fdf62093","preferred_username":"alice_lead","scope":"email profile","sid":"eyH2lRAeVZeVe1v8u0b3ocRr","sub":"a0f0ce41-0a67-42b1-81b5-707fd4cef057","typ":"Bearer"}}
{"level":"debug","ts":"2026-06-11T17:26:46Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"b0e07f42-d6d7-4f27-8e5c-907c74be4234","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781199106,"groups":["Engineering","Project-Alpha"],"iat":1781198806,"iss":"https://keycloak.apps.fb1fb2b1-e37d-43bb-a447-4e1b046d7a89.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:b2e18d93-714e-affa-7903-6832fdf62093","preferred_username":"alice_lead","scope":"email profile","sid":"eyH2lRAeVZeVe1v8u0b3ocRr","sub":"a0f0ce41-0a67-42b1-81b5-707fd4cef057","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.133.0.37:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.fb1fb2b1-e37d-43bb-a447-4e1b046d7a89.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-11T17:26:46Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"b0e07f42-d6d7-4f27-8e5c-907c74be4234","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-11T17:26:46Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"b0e07f42-d6d7-4f27-8e5c-907c74be4234","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-11T17:26:46Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"b0e07f42-d6d7-4f27-8e5c-907c74be4234","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-11T17:26:46Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"b0e07f42-d6d7-4f27-8e5c-907c74be4234","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"userid","Value":{}},{"Name":"groups","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"keyId","Value":{}}]},"Plain":null},"reason":"no such key: metadata"}
{"level":"debug","ts":"2026-06-11T17:26:46Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"b0e07f42-d6d7-4f27-8e5c-907c74be4234","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"}
{"level":"debug","ts":"2026-06-11T17:26:46Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"b0e07f42-d6d7-4f27-8e5c-907c74be4234","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"}
{"level":"info","ts":"2026-06-11T17:26:46Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"b0e07f42-d6d7-4f27-8e5c-907c74be4234","authorized":true,"response":"OK"}
{"level":"debug","ts":"2026-06-11T17:26:46Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"b0e07f42-d6d7-4f27-8e5c-907c74be4234","authorized":true,"response":"OK"}
{"level":"info","ts":"2026-06-11T17:26:46Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"7726167e-d0e1-4d00-a5ef-e5b3a37462e4","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.14:44232","PortSpecifier":{"PortValue":44232}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.37:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"7726167e-d0e1-4d00-a5ef-e5b3a37462e4","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.fb1fb2b1-e37d-43bb-a447-4e1b046d7a89.prod.konfluxeaas.com","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-11T17:26:46Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"7726167e-d0e1-4d00-a5ef-e5b3a37462e4","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.14:44232","PortSpecifier":{"PortValue":44232}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.37:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781198806,"nanos":508067471},"http":{"id":"7726167e-d0e1-4d00-a5ef-e5b3a37462e4","method":"POST","headers":{":authority":"maas.apps.fb1fb2b1-e37d-43bb-a447-4e1b046d7a89.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-11T17:26:46Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"7726167e-d0e1-4d00-a5ef-e5b3a37462e4","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781199106,"groups":["Site-Reliability"],"iat":1781198806,"iss":"https://keycloak.apps.fb1fb2b1-e37d-43bb-a447-4e1b046d7a89.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:ba0fb6ad-102d-d7dc-74c5-3082fd3fe400","preferred_username":"bob_sre","scope":"email profile","sid":"cRrjsPPWZ72KuXNXSRoiB0ft","sub":"5813aeb3-970a-4b17-8fd0-fd4837e34a24","typ":"Bearer"}}
{"level":"debug","ts":"2026-06-11T17:26:46Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"7726167e-d0e1-4d00-a5ef-e5b3a37462e4","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781199106,"groups":["Site-Reliability"],"iat":1781198806,"iss":"https://keycloak.apps.fb1fb2b1-e37d-43bb-a447-4e1b046d7a89.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:ba0fb6ad-102d-d7dc-74c5-3082fd3fe400","preferred_username":"bob_sre","scope":"email profile","sid":"cRrjsPPWZ72KuXNXSRoiB0ft","sub":"5813aeb3-970a-4b17-8fd0-fd4837e34a24","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.133.0.37:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.fb1fb2b1-e37d-43bb-a447-4e1b046d7a89.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-11T17:26:46Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"7726167e-d0e1-4d00-a5ef-e5b3a37462e4","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-11T17:26:46Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"7726167e-d0e1-4d00-a5ef-e5b3a37462e4","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-11T17:26:46Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"7726167e-d0e1-4d00-a5ef-e5b3a37462e4","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-11T17:26:46Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"7726167e-d0e1-4d00-a5ef-e5b3a37462e4","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"userid","Value":{}},{"Name":"groups","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"keyId","Value":{}}]},"Plain":null},"reason":"no such key: metadata"}
{"level":"debug","ts":"2026-06-11T17:26:46Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"7726167e-d0e1-4d00-a5ef-e5b3a37462e4","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"bob_sre"}
{"level":"debug","ts":"2026-06-11T17:26:46Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"7726167e-d0e1-4d00-a5ef-e5b3a37462e4","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Site-Reliability\"]"}
{"level":"info","ts":"2026-06-11T17:26:46Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"7726167e-d0e1-4d00-a5ef-e5b3a37462e4","authorized":true,"response":"OK"}
{"level":"debug","ts":"2026-06-11T17:26:46Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"7726167e-d0e1-4d00-a5ef-e5b3a37462e4","authorized":true,"response":"OK"}
{"level":"info","ts":"2026-06-11T17:26:46Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"73018153-0d96-4b5a-9481-f684df44b5ab","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.14:44240","PortSpecifier":{"PortValue":44240}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.37:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"73018153-0d96-4b5a-9481-f684df44b5ab","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.fb1fb2b1-e37d-43bb-a447-4e1b046d7a89.prod.konfluxeaas.com","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-11T17:26:46Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"73018153-0d96-4b5a-9481-f684df44b5ab","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.14:44240","PortSpecifier":{"PortValue":44240}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.37:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781198806,"nanos":601784137},"http":{"id":"73018153-0d96-4b5a-9481-f684df44b5ab","method":"POST","headers":{":authority":"maas.apps.fb1fb2b1-e37d-43bb-a447-4e1b046d7a89.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-11T17:26:46Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"73018153-0d96-4b5a-9481-f684df44b5ab","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781199106,"groups":["Engineering","Project-Alpha"],"iat":1781198806,"iss":"https://keycloak.apps.fb1fb2b1-e37d-43bb-a447-4e1b046d7a89.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:ad3df94c-0d58-2e0b-d53e-ecd4229da5ff","preferred_username":"alice_lead","scope":"email profile","sid":"vLo23C-Agl4fjUf1w3tlsbk8","sub":"a0f0ce41-0a67-42b1-81b5-707fd4cef057","typ":"Bearer"}}
{"level":"debug","ts":"2026-06-11T17:26:46Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"73018153-0d96-4b5a-9481-f684df44b5ab","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781199106,"groups":["Engineering","Project-Alpha"],"iat":1781198806,"iss":"https://keycloak.apps.fb1fb2b1-e37d-43bb-a447-4e1b046d7a89.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:ad3df94c-0d58-2e0b-d53e-ecd4229da5ff","preferred_username":"alice_lead","scope":"email profile","sid":"vLo23C-Agl4fjUf1w3tlsbk8","sub":"a0f0ce41-0a67-42b1-81b5-707fd4cef057","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.133.0.37:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.fb1fb2b1-e37d-43bb-a447-4e1b046d7a89.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-11T17:26:46Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"73018153-0d96-4b5a-9481-f684df44b5ab","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-11T17:26:46Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"73018153-0d96-4b5a-9481-f684df44b5ab","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-11T17:26:46Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"73018153-0d96-4b5a-9481-f684df44b5ab","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-11T17:26:46Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"73018153-0d96-4b5a-9481-f684df44b5ab","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"userid","Value":{}},{"Name":"groups","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"keyId","Value":{}}]},"Plain":null},"reason":"no such key: metadata"}
{"level":"debug","ts":"2026-06-11T17:26:46Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"73018153-0d96-4b5a-9481-f684df44b5ab","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"}
{"level":"debug","ts":"2026-06-11T17:26:46Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"73018153-0d96-4b5a-9481-f684df44b5ab","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"}
{"level":"info","ts":"2026-06-11T17:26:46Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"73018153-0d96-4b5a-9481-f684df44b5ab","authorized":true,"response":"OK"}
{"level":"debug","ts":"2026-06-11T17:26:46Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"73018153-0d96-4b5a-9481-f684df44b5ab","authorized":true,"response":"OK"}
{"level":"info","ts":"2026-06-11T17:26:46Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"b946c457-fc72-4337-9121-3406d2488bf7","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.14:44256","PortSpecifier":{"PortValue":44256}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.37:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"b946c457-fc72-4337-9121-3406d2488bf7","method":"DELETE","path":"/maas-api/v1/api-keys/c0034505-1624-4472-afd6-15de4b49e7cb","host":"maas.apps.fb1fb2b1-e37d-43bb-a447-4e1b046d7a89.prod.konfluxeaas.com","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-11T17:26:46Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"b946c457-fc72-4337-9121-3406d2488bf7","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.14:44256","PortSpecifier":{"PortValue":44256}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.37:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781198806,"nanos":646002340},"http":{"id":"b946c457-fc72-4337-9121-3406d2488bf7","method":"DELETE","headers":{":authority":"maas.apps.fb1fb2b1-e37d-43bb-a447-4e1b046d7a89.prod.konfluxeaas.com",":method":"DELETE",":path":"/maas-api/v1/api-keys/c0034505-1624-4472-afd6-15de4b49e7cb",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-11T17:26:46Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"b946c457-fc72-4337-9121-3406d2488bf7","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781199106,"groups":["Engineering","Project-Alpha"],"iat":1781198806,"iss":"https://keycloak.apps.fb1fb2b1-e37d-43bb-a447-4e1b046d7a89.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:ad3df94c-0d58-2e0b-d53e-ecd4229da5ff","preferred_username":"alice_lead","scope":"email profile","sid":"vLo23C-Agl4fjUf1w3tlsbk8","sub":"a0f0ce41-0a67-42b1-81b5-707fd4cef057","typ":"Bearer"}}
{"level":"debug","ts":"2026-06-11T17:26:46Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"b946c457-fc72-4337-9121-3406d2488bf7","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781199106,"groups":["Engineering","Project-Alpha"],"iat":1781198806,"iss":"https://keycloak.apps.fb1fb2b1-e37d-43bb-a447-4e1b046d7a89.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:ad3df94c-0d58-2e0b-d53e-ecd4229da5ff","preferred_username":"alice_lead","scope":"email profile","sid":"vLo23C-Agl4fjUf1w3tlsbk8","sub":"a0f0ce41-0a67-42b1-81b5-707fd4cef057","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.133.0.37:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.fb1fb2b1-e37d-43bb-a447-4e1b046d7a89.prod.konfluxeaas.com",":method":"DELETE",":path":"/maas-api/v1/api-keys/c0034505-1624-4472-afd6-15de4b49e7cb",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-11T17:26:46Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"b946c457-fc72-4337-9121-3406d2488bf7","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-11T17:26:46Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"b946c457-fc72-4337-9121-3406d2488bf7","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-11T17:26:46Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"b946c457-fc72-4337-9121-3406d2488bf7","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-11T17:26:46Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"b946c457-fc72-4337-9121-3406d2488bf7","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"userid","Value":{}},{"Name":"groups","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"keyId","Value":{}}]},"Plain":null},"reason":"no such key: metadata"}
{"level":"debug","ts":"2026-06-11T17:26:46Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"b946c457-fc72-4337-9121-3406d2488bf7","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"}
{"level":"debug","ts":"2026-06-11T17:26:46Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"b946c457-fc72-4337-9121-3406d2488bf7","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"}
{"level":"info","ts":"2026-06-11T17:26:46Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"b946c457-fc72-4337-9121-3406d2488bf7","authorized":true,"response":"OK"}
{"level":"debug","ts":"2026-06-11T17:26:46Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"b946c457-fc72-4337-9121-3406d2488bf7","authorized":true,"response":"OK"}
{"level":"info","ts":"2026-06-11T17:26:46Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"e82d124f-83ec-4096-8604-8e75017a70f1","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.14:44262","PortSpecifier":{"PortValue":44262}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.37:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"e82d124f-83ec-4096-8604-8e75017a70f1","method":"DELETE","path":"/maas-api/v1/api-keys/c0034505-1624-4472-afd6-15de4b49e7cb","host":"maas.apps.fb1fb2b1-e37d-43bb-a447-4e1b046d7a89.prod.konfluxeaas.com","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-11T17:26:46Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"e82d124f-83ec-4096-8604-8e75017a70f1","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.14:44262","PortSpecifier":{"PortValue":44262}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.37:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781198806,"nanos":673731432},"http":{"id":"e82d124f-83ec-4096-8604-8e75017a70f1","method":"DELETE","headers":{":authority":"maas.apps.fb1fb2b1-e37d-43bb-a447-4e1b046d7a89.prod.konfluxeaas.com",":method":"DELETE",":path":"/maas-api/v1/api-keys/c0034505-1624-4472-afd6-15de4b49e7cb",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-11T17:26:46Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"e82d124f-83ec-4096-8604-8e75017a70f1","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781199106,"groups":["Engineering","Project-Alpha"],"iat":1781198806,"iss":"https://keycloak.apps.fb1fb2b1-e37d-43bb-a447-4e1b046d7a89.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:ad3df94c-0d58-2e0b-d53e-ecd4229da5ff","preferred_username":"alice_lead","scope":"email profile","sid":"vLo23C-Agl4fjUf1w3tlsbk8","sub":"a0f0ce41-0a67-42b1-81b5-707fd4cef057","typ":"Bearer"}}
{"level":"debug","ts":"2026-06-11T17:26:46Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"e82d124f-83ec-4096-8604-8e75017a70f1","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781199106,"groups":["Engineering","Project-Alpha"],"iat":1781198806,"iss":"https://keycloak.apps.fb1fb2b1-e37d-43bb-a447-4e1b046d7a89.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:ad3df94c-0d58-2e0b-d53e-ecd4229da5ff","preferred_username":"alice_lead","scope":"email profile","sid":"vLo23C-Agl4fjUf1w3tlsbk8","sub":"a0f0ce41-0a67-42b1-81b5-707fd4cef057","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.133.0.37:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.fb1fb2b1-e37d-43bb-a447-4e1b046d7a89.prod.konfluxeaas.com",":method":"DELETE",":path":"/maas-api/v1/api-keys/c0034505-1624-4472-afd6-15de4b49e7cb",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-11T17:26:46Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"e82d124f-83ec-4096-8604-8e75017a70f1","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-11T17:26:46Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"e82d124f-83ec-4096-8604-8e75017a70f1","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-11T17:26:46Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"e82d124f-83ec-4096-8604-8e75017a70f1","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-11T17:26:46Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"e82d124f-83ec-4096-8604-8e75017a70f1","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"userid","Value":{}},{"Name":"groups","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"keyId","Value":{}}]},"Plain":null},"reason":"no such key: metadata"}
{"level":"debug","ts":"2026-06-11T17:26:46Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"e82d124f-83ec-4096-8604-8e75017a70f1","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"}
{"level":"debug","ts":"2026-06-11T17:26:46Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"e82d124f-83ec-4096-8604-8e75017a70f1","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"}
{"level":"info","ts":"2026-06-11T17:26:46Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"e82d124f-83ec-4096-8604-8e75017a70f1","authorized":true,"response":"OK"}
{"level":"debug","ts":"2026-06-11T17:26:46Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"e82d124f-83ec-4096-8604-8e75017a70f1","authorized":true,"response":"OK"}
{"level":"info","ts":"2026-06-11T17:26:46Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"0f667525-7d3f-4ea5-9ddd-90f58088c3c5","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.14:44274","PortSpecifier":{"PortValue":44274}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.37:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"0f667525-7d3f-4ea5-9ddd-90f58088c3c5","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.fb1fb2b1-e37d-43bb-a447-4e1b046d7a89.prod.konfluxeaas.com","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-11T17:26:46Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"0f667525-7d3f-4ea5-9ddd-90f58088c3c5","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.14:44274","PortSpecifier":{"PortValue":44274}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.37:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781198806,"nanos":768441314},"http":{"id":"0f667525-7d3f-4ea5-9ddd-90f58088c3c5","method":"POST","headers":{":authority":"maas.apps.fb1fb2b1-e37d-43bb-a447-4e1b046d7a89.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-11T17:26:46Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"0f667525-7d3f-4ea5-9ddd-90f58088c3c5","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781199106,"groups":["Engineering","Project-Alpha"],"iat":1781198806,"iss":"https://keycloak.apps.fb1fb2b1-e37d-43bb-a447-4e1b046d7a89.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:1077a226-3910-06d3-9460-301d18133b86","preferred_username":"alice_lead","scope":"email profile","sid":"aeOM4FWppXczFp3Zg6ZV3_Yg","sub":"a0f0ce41-0a67-42b1-81b5-707fd4cef057","typ":"Bearer"}}
{"level":"debug","ts":"2026-06-11T17:26:46Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"0f667525-7d3f-4ea5-9ddd-90f58088c3c5","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781199106,"groups":["Engineering","Project-Alpha"],"iat":1781198806,"iss":"https://keycloak.apps.fb1fb2b1-e37d-43bb-a447-4e1b046d7a89.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:1077a226-3910-06d3-9460-301d18133b86","preferred_username":"alice_lead","scope":"email profile","sid":"aeOM4FWppXczFp3Zg6ZV3_Yg","sub":"a0f0ce41-0a67-42b1-81b5-707fd4cef057","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.133.0.37:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.fb1fb2b1-e37d-43bb-a447-4e1b046d7a89.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-11T17:26:46Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"0f667525-7d3f-4ea5-9ddd-90f58088c3c5","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-11T17:26:46Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"0f667525-7d3f-4ea5-9ddd-90f58088c3c5","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-11T17:26:46Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"0f667525-7d3f-4ea5-9ddd-90f58088c3c5","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-11T17:26:46Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"0f667525-7d3f-4ea5-9ddd-90f58088c3c5","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"userid","Value":{}},{"Name":"groups","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"keyId","Value":{}}]},"Plain":null},"reason":"no such key: metadata"}
{"level":"debug","ts":"2026-06-11T17:26:46Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"0f667525-7d3f-4ea5-9ddd-90f58088c3c5","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"}
{"level":"debug","ts":"2026-06-11T17:26:46Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"0f667525-7d3f-4ea5-9ddd-90f58088c3c5","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"}
{"level":"info","ts":"2026-06-11T17:26:46Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"0f667525-7d3f-4ea5-9ddd-90f58088c3c5","authorized":true,"response":"OK"}
{"level":"debug","ts":"2026-06-11T17:26:46Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"0f667525-7d3f-4ea5-9ddd-90f58088c3c5","authorized":true,"response":"OK"}
{"level":"info","ts":"2026-06-11T17:26:46Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"a6eedcca-c315-40a4-9a0f-a0f30be0be6a","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.14:44280","PortSpecifier":{"PortValue":44280}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.37:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"a6eedcca-c315-40a4-9a0f-a0f30be0be6a","method":"GET","path":"/maas-api/v1/models","host":"maas.apps.fb1fb2b1-e37d-43bb-a447-4e1b046d7a89.prod.konfluxeaas.com","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-11T17:26:46Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"a6eedcca-c315-40a4-9a0f-a0f30be0be6a","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.14:44280","PortSpecifier":{"PortValue":44280}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.37:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781198806,"nanos":802186388},"http":{"id":"a6eedcca-c315-40a4-9a0f-a0f30be0be6a","method":"GET","headers":{":authority":"maas.apps.fb1fb2b1-e37d-43bb-a447-4e1b046d7a89.prod.konfluxeaas.com",":method":"GET",":path":"/maas-api/v1/models",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-11T17:26:46Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"a6eedcca-c315-40a4-9a0f-a0f30be0be6a","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-2THtZOhIRiff6jxS_ocpHvrAKDnALgKuBd37L4dQvg4Mqr8zoMxutXdaEbhN"}
{"level":"debug","ts":"2026-06-11T17:26:46Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"a6eedcca-c315-40a4-9a0f-a0f30be0be6a","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-2THtZOhIRiff6jxS_ocpHvrAKDnALgKuBd37L4dQvg4Mqr8zoMxutXdaEbhN\"}"}
{"level":"debug","ts":"2026-06-11T17:26:46Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"a6eedcca-c315-40a4-9a0f-a0f30be0be6a","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-11T17:26:46Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"a6eedcca-c315-40a4-9a0f-a0f30be0be6a","input":{"auth":{"identity":"Bearer **** deflate","authorization":"Bearer **** deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-11T17:26:46Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"a6eedcca-c315-40a4-9a0f-a0f30be0be6a","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-11T17:26:46Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"a6eedcca-c315-40a4-9a0f-a0f30be0be6a","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-11T17:26:46Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"a6eedcca-c315-40a4-9a0f-a0f30be0be6a","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-11T17:26:46Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"a6eedcca-c315-40a4-9a0f-a0f30be0be6a","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-11T17:26:46Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"a6eedcca-c315-40a4-9a0f-a0f30be0be6a","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-11T17:26:46Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"a6eedcca-c315-40a4-9a0f-a0f30be0be6a","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"userid","Value":{}},{"Name":"groups","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"keyId","Value":{}}]},"Plain":null},"reason":"no such key: subscription-info"}
{"level":"debug","ts":"2026-06-11T17:26:46Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"a6eedcca-c315-40a4-9a0f-a0f30be0be6a","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"}
{"level":"info","ts":"2026-06-11T17:26:46Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"a6eedcca-c315-40a4-9a0f-a0f30be0be6a","authorized":true,"response":"OK"}
{"level":"debug","ts":"2026-06-11T17:26:46Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"a6eedcca-c315-40a4-9a0f-a0f30be0be6a","authorized":true,"response":"OK"}
{"level":"info","ts":"2026-06-11T17:26:46Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"d9a6cc91-d8be-41ca-9d97-02275c4303ba","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.41:44922","PortSpecifier":{"PortValue":44922}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.37:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"d9a6cc91-d8be-41ca-9d97-02275c4303ba","method":"GET","path":"/llm/facebook-opt-125m-simulated/v1/models","host":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-11T17:26:46Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"d9a6cc91-d8be-41ca-9d97-02275c4303ba","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.41:44922","PortSpecifier":{"PortValue":44922}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.37:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781198806,"nanos":808877413},"http":{"id":"d9a6cc91-d8be-41ca-9d97-02275c4303ba","method":"GET","headers":{":authority":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local",":method":"GET",":path":"/llm/facebook-opt-125m-simulated/v1/models",":scheme":"https","accept-encoding":"gzip","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-11T17:26:46Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"d9a6cc91-d8be-41ca-9d97-02275c4303ba","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-2THtZOhIRiff6jxS_ocpHvrAKDnALgKuBd37L4dQvg4Mqr8zoMxutXdaEbhN"}
{"level":"debug","ts":"2026-06-11T17:26:46Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"d9a6cc91-d8be-41ca-9d97-02275c4303ba","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-2THtZOhIRiff6jxS_ocpHvrAKDnALgKuBd37L4dQvg4Mqr8zoMxutXdaEbhN\"}"}
{"level":"debug","ts":"2026-06-11T17:26:46Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"d9a6cc91-d8be-41ca-9d97-02275c4303ba","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-11T17:26:46Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"d9a6cc91-d8be-41ca-9d97-02275c4303ba","config":"subscription-info","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","headers":{"Content-Type":["application/json"]},"body":"{\"groups\":[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"],\"requestedModel\":\"llm/facebook-opt-125m-simulated\",\"requestedSubscription\":\"simulator-subscription\",\"username\":\"alice_lead\"}"}
{"level":"debug","ts":"2026-06-11T17:26:46Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"d9a6cc91-d8be-41ca-9d97-02275c4303ba","config":{"Name":"subscription-info","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"UserInfo":null,"UMA":null,"GenericHTTP":{"Endpoint":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","DynamicEndpoint":null,"Method":"POST","Body":{},"Parameters":[],"Headers":[],"ContentType":"application/json","SharedSecret":"","OAuth2":null,"OAuth2TokenForceFetch":false,"AuthCredentials":null}},"object":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}}
{"level":"debug","ts":"2026-06-11T17:26:46Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"d9a6cc91-d8be-41ca-9d97-02275c4303ba","input":{"auth":{"identity":"Bearer **** subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}}},"context":{"context_extensions":{"host":"3dd75e19cd66d310c30638e330078972afd6d2d96305f91055bc6a6f363fb8d3"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.133.0.37:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local",":method":"GET",":path":"/llm/facebook-opt-125m-simulated/v1/models",":scheme":"https","accept-encoding":"gzip","authorization":"Bearer **** sk-oai-2THtZOhIRiff6jxS_ocpHvrAKDnALgKuBd37L4dQvg4Mqr8zoMxutXdaEbhN","user-agent":"Go-http-client/1.1","x-envoy-decorator-operation":"facebook-opt-125m-simulated-kserve-workload-svc.llm.svc.cluster.local:8000/*","x-envoy-external-address":"10.132.0.41","x-envoy-peer-metadata":"ChoKCkNMVVNURVJfSUQSDBoKS3ViZXJuZXRlcwqLAQoGTEFCRUxTEoABKn4KSwofc2VydmljZS5pc3Rpby5pby9jYW5vbmljYWwtbmFtZRIoGiZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAovCiNzZXJ2aWNlLmlzdGlvLmlvL2Nhbm9uaWNhbC1yZXZpc2lvbhIIGgZsYXRlc3QKQAoETkFNRRI4GjZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdC02ODdmZjY5OTYtY2o4ODYKIAoJTkFNRVNQQUNFEhMaEW9wZW5zaGlmdC1pbmdyZXNzCnQKBU9XTkVSEmsaaWt1YmVybmV0ZXM6Ly9hcGlzL2FwcHMvdjEvbmFtZXNwYWNlcy9vcGVuc2hpZnQtaW5ncmVzcy9kZXBsb3ltZW50cy9tYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAo5Cg1XT1JLTE9BRF9OQU1FEigaJm1hYXMtZGVmYXVsdC1nYXRld2F5LW9wZW5zaGlmdC1kZWZhdWx0","x-envoy-peer-metadata-id":"router~10.133.0.37~maas-default-gateway-openshift-default-687ff6996-cj886.openshift-ingress~openshift-ingress.svc.cluster.local","x-forwarded-for":"10.132.0.41","x-forwarded-proto":"https","x-maas-subscription":"simulator-subscription","x-request-id":"d9a6cc91-d8be-41ca-9d97-02275c4303ba"},"host":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local","id":"d9a6cc91-d8be-41ca-9d97-02275c4303ba","method":"GET","path":"/llm/facebook-opt-125m-simulated/v1/models","protocol":"HTTP/1.1","scheme":"https","time":{"nanos":808877413,"seconds":1781198806},"url_path":"/llm/facebook-opt-125m-simulated/v1/models","user_agent":"Go-http-client/1.1"},"source":{"address":"10.132.0.41:44922","port":44922}}}
{"level":"debug","ts":"2026-06-11T17:26:46Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"d9a6cc91-d8be-41ca-9d97-02275c4303ba","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-11T17:26:46Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"d9a6cc91-d8be-41ca-9d97-02275c4303ba","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-11T17:26:46Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"d9a6cc91-d8be-41ca-9d97-02275c4303ba","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-11T17:26:46Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"d9a6cc91-d8be-41ca-9d97-02275c4303ba","config":{"Name":"subscription-valid","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-11T17:26:46Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"d9a6cc91-d8be-41ca-9d97-02275c4303ba","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-11T17:26:46Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"d9a6cc91-d8be-41ca-9d97-02275c4303ba","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-11T17:26:46Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"d9a6cc91-d8be-41ca-9d97-02275c4303ba","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"}
{"level":"debug","ts":"2026-06-11T17:26:46Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"d9a6cc91-d8be-41ca-9d97-02275c4303ba","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"selected_subscription","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"keyId","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"userid","Value":{}},{"Name":"groups","Value":{}}]},"Plain":null},"object":{"groups":["system:authenticated","Engineering","Project-Alpha"],"groups_str":"system:authenticated,Engineering,Project-Alpha","keyId":"1a3dd5ff-6a32-483e-b5cf-0fe05dd84992","selected_subscription":"simulator-subscription","selected_subscription_key":"models-as-a-service/simulator-subscription@llm/facebook-opt-125m-simulated","subscription_error":"","subscription_error_message":"","subscription_info":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true},"userid":"alice_lead"}}
{"level":"info","ts":"2026-06-11T17:26:46Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"d9a6cc91-d8be-41ca-9d97-02275c4303ba","authorized":true,"response":"OK"}
{"level":"debug","ts":"2026-06-11T17:26:46Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"d9a6cc91-d8be-41ca-9d97-02275c4303ba","authorized":true,"response":"OK"}
{"level":"info","ts":"2026-06-11T17:26:46Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"4147c78a-3f72-43bc-bedf-2c4eaf2a967e","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.14:44288","PortSpecifier":{"PortValue":44288}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.37:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"4147c78a-3f72-43bc-bedf-2c4eaf2a967e","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.fb1fb2b1-e37d-43bb-a447-4e1b046d7a89.prod.konfluxeaas.com","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-11T17:26:46Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"4147c78a-3f72-43bc-bedf-2c4eaf2a967e","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.14:44288","PortSpecifier":{"PortValue":44288}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.37:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781198806,"nanos":898382724},"http":{"id":"4147c78a-3f72-43bc-bedf-2c4eaf2a967e","method":"POST","headers":{":authority":"maas.apps.fb1fb2b1-e37d-43bb-a447-4e1b046d7a89.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-11T17:26:46Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"4147c78a-3f72-43bc-bedf-2c4eaf2a967e","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781199106,"groups":["Engineering","Project-Alpha"],"iat":1781198806,"iss":"https://keycloak.apps.fb1fb2b1-e37d-43bb-a447-4e1b046d7a89.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:e1c0e4c7-1c0b-c689-c51d-31129f01e744","preferred_username":"alice_lead","scope":"email profile","sid":"IXE6tedfhXXozMw2-aZSAUxR","sub":"a0f0ce41-0a67-42b1-81b5-707fd4cef057","typ":"Bearer"}}
{"level":"debug","ts":"2026-06-11T17:26:46Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"4147c78a-3f72-43bc-bedf-2c4eaf2a967e","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781199106,"groups":["Engineering","Project-Alpha"],"iat":1781198806,"iss":"https://keycloak.apps.fb1fb2b1-e37d-43bb-a447-4e1b046d7a89.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:e1c0e4c7-1c0b-c689-c51d-31129f01e744","preferred_username":"alice_lead","scope":"email profile","sid":"IXE6tedfhXXozMw2-aZSAUxR","sub":"a0f0ce41-0a67-42b1-81b5-707fd4cef057","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.133.0.37:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.fb1fb2b1-e37d-43bb-a447-4e1b046d7a89.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-11T17:26:46Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"4147c78a-3f72-43bc-bedf-2c4eaf2a967e","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-11T17:26:46Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"4147c78a-3f72-43bc-bedf-2c4eaf2a967e","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-11T17:26:46Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"4147c78a-3f72-43bc-bedf-2c4eaf2a967e","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-11T17:26:46Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"4147c78a-3f72-43bc-bedf-2c4eaf2a967e","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"userid","Value":{}},{"Name":"groups","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"keyId","Value":{}}]},"Plain":null},"reason":"no such key: metadata"}
{"level":"debug","ts":"2026-06-11T17:26:46Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"4147c78a-3f72-43bc-bedf-2c4eaf2a967e","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"}
{"level":"debug","ts":"2026-06-11T17:26:46Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"4147c78a-3f72-43bc-bedf-2c4eaf2a967e","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"}
{"level":"info","ts":"2026-06-11T17:26:46Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"4147c78a-3f72-43bc-bedf-2c4eaf2a967e","authorized":true,"response":"OK"}
{"level":"debug","ts":"2026-06-11T17:26:46Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"4147c78a-3f72-43bc-bedf-2c4eaf2a967e","authorized":true,"response":"OK"}
{"level":"info","ts":"2026-06-11T17:26:46Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"83e80e81-5ec5-407f-a9ea-f1967e7854c9","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.14:44296","PortSpecifier":{"PortValue":44296}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.37:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"83e80e81-5ec5-407f-a9ea-f1967e7854c9","method":"GET","path":"/maas-api/v1/models","host":"maas.apps.fb1fb2b1-e37d-43bb-a447-4e1b046d7a89.prod.konfluxeaas.com","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-11T17:26:46Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"83e80e81-5ec5-407f-a9ea-f1967e7854c9","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.14:44296","PortSpecifier":{"PortValue":44296}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.37:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781198806,"nanos":925588291},"http":{"id":"83e80e81-5ec5-407f-a9ea-f1967e7854c9","method":"GET","headers":{":authority":"maas.apps.fb1fb2b1-e37d-43bb-a447-4e1b046d7a89.prod.konfluxeaas.com",":method":"GET",":path":"/maas-api/v1/models",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-11T17:26:46Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"83e80e81-5ec5-407f-a9ea-f1967e7854c9","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-1VYqdgjvAnptnUEDa_ESxD58Vb9w9WpenLt2mOsnXlmT2jrhtMYB5iSspBWtX"}
{"level":"debug","ts":"2026-06-11T17:26:46Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"83e80e81-5ec5-407f-a9ea-f1967e7854c9","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-1VYqdgjvAnptnUEDa_ESxD58Vb9w9WpenLt2mOsnXlmT2jrhtMYB5iSspBWtX\"}"}
{"level":"debug","ts":"2026-06-11T17:26:46Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"83e80e81-5ec5-407f-a9ea-f1967e7854c9","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-11T17:26:46Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"83e80e81-5ec5-407f-a9ea-f1967e7854c9","input":{"auth":{"identity":"Bearer **** deflate","authorization":"Bearer **** deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-11T17:26:46Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"83e80e81-5ec5-407f-a9ea-f1967e7854c9","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-11T17:26:46Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"83e80e81-5ec5-407f-a9ea-f1967e7854c9","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-11T17:26:46Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"83e80e81-5ec5-407f-a9ea-f1967e7854c9","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-11T17:26:46Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"83e80e81-5ec5-407f-a9ea-f1967e7854c9","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-11T17:26:46Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"83e80e81-5ec5-407f-a9ea-f1967e7854c9","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-11T17:26:46Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"83e80e81-5ec5-407f-a9ea-f1967e7854c9","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"userid","Value":{}},{"Name":"groups","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"keyId","Value":{}}]},"Plain":null},"reason":"no such key: subscription-info"}
{"level":"debug","ts":"2026-06-11T17:26:46Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"83e80e81-5ec5-407f-a9ea-f1967e7854c9","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"}
{"level":"info","ts":"2026-06-11T17:26:46Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"83e80e81-5ec5-407f-a9ea-f1967e7854c9","authorized":true,"response":"OK"}
{"level":"debug","ts":"2026-06-11T17:26:46Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"83e80e81-5ec5-407f-a9ea-f1967e7854c9","authorized":true,"response":"OK"}
{"level":"info","ts":"2026-06-11T17:26:46Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"7747c1a0-a6bf-4d65-bbc8-7ebba7f96589","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.14:44312","PortSpecifier":{"PortValue":44312}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.37:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"7747c1a0-a6bf-4d65-bbc8-7ebba7f96589","method":"GET","path":"/maas-api/v1/models","host":"maas.apps.fb1fb2b1-e37d-43bb-a447-4e1b046d7a89.prod.konfluxeaas.com","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-11T17:26:46Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"7747c1a0-a6bf-4d65-bbc8-7ebba7f96589","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.14:44312","PortSpecifier":{"PortValue":44312}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.37:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781198806,"nanos":951262690},"http":{"id":"7747c1a0-a6bf-4d65-bbc8-7ebba7f96589","method":"GET","headers":{":authority":"maas.apps.fb1fb2b1-e37d-43bb-a447-4e1b046d7a89.prod.konfluxeaas.com",":method":"GET",":path":"/maas-api/v1/models",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-11T17:26:46Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"7747c1a0-a6bf-4d65-bbc8-7ebba7f96589","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-1VYqdgjvAnptnUEDa_ESxD58Vb9w9WpenLt2mOsnXlmT2jrhtMYB5iSspBWtX"}
{"level":"debug","ts":"2026-06-11T17:26:46Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"7747c1a0-a6bf-4d65-bbc8-7ebba7f96589","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-1VYqdgjvAnptnUEDa_ESxD58Vb9w9WpenLt2mOsnXlmT2jrhtMYB5iSspBWtX\"}"}
{"level":"debug","ts":"2026-06-11T17:26:46Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"7747c1a0-a6bf-4d65-bbc8-7ebba7f96589","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-11T17:26:46Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"7747c1a0-a6bf-4d65-bbc8-7ebba7f96589","input":{"auth":{"identity":"Bearer **** deflate","authorization":"Bearer **** deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-11T17:26:46Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"7747c1a0-a6bf-4d65-bbc8-7ebba7f96589","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-11T17:26:46Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"7747c1a0-a6bf-4d65-bbc8-7ebba7f96589","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-11T17:26:46Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"7747c1a0-a6bf-4d65-bbc8-7ebba7f96589","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-11T17:26:46Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"7747c1a0-a6bf-4d65-bbc8-7ebba7f96589","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-11T17:26:46Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"7747c1a0-a6bf-4d65-bbc8-7ebba7f96589","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-11T17:26:46Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"7747c1a0-a6bf-4d65-bbc8-7ebba7f96589","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"userid","Value":{}},{"Name":"groups","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"keyId","Value":{}}]},"Plain":null},"reason":"no such key: subscription-info"}
{"level":"debug","ts":"2026-06-11T17:26:46Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"7747c1a0-a6bf-4d65-bbc8-7ebba7f96589","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"}
{"level":"info","ts":"2026-06-11T17:26:46Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"7747c1a0-a6bf-4d65-bbc8-7ebba7f96589","authorized":true,"response":"OK"}
{"level":"debug","ts":"2026-06-11T17:26:46Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"7747c1a0-a6bf-4d65-bbc8-7ebba7f96589","authorized":true,"response":"OK"}
{"level":"info","ts":"2026-06-11T17:26:46Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"6a0e8644-7c75-468e-a7f5-6ec5a2d55d1d","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.41:44922","PortSpecifier":{"PortValue":44922}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.37:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"6a0e8644-7c75-468e-a7f5-6ec5a2d55d1d","method":"GET","path":"/llm/facebook-opt-125m-simulated/v1/models","host":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-11T17:26:46Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"6a0e8644-7c75-468e-a7f5-6ec5a2d55d1d","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.41:44922","PortSpecifier":{"PortValue":44922}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.37:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781198806,"nanos":957836587},"http":{"id":"6a0e8644-7c75-468e-a7f5-6ec5a2d55d1d","method":"GET","headers":{":authority":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local",":method":"GET",":path":"/llm/facebook-opt-125m-simulated/v1/models",":scheme":"https","accept-encoding":"gzip","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-11T17:26:46Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"6a0e8644-7c75-468e-a7f5-6ec5a2d55d1d","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-1VYqdgjvAnptnUEDa_ESxD58Vb9w9WpenLt2mOsnXlmT2jrhtMYB5iSspBWtX"}
{"level":"debug","ts":"2026-06-11T17:26:46Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"6a0e8644-7c75-468e-a7f5-6ec5a2d55d1d","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-1VYqdgjvAnptnUEDa_ESxD58Vb9w9WpenLt2mOsnXlmT2jrhtMYB5iSspBWtX\"}"}
{"level":"debug","ts":"2026-06-11T17:26:46Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"6a0e8644-7c75-468e-a7f5-6ec5a2d55d1d","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-11T17:26:46Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"6a0e8644-7c75-468e-a7f5-6ec5a2d55d1d","config":"subscription-info","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","headers":{"Content-Type":["application/json"]},"body":"{\"groups\":[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"],\"requestedModel\":\"llm/facebook-opt-125m-simulated\",\"requestedSubscription\":\"simulator-subscription\",\"username\":\"alice_lead\"}"}
{"level":"debug","ts":"2026-06-11T17:26:46Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"6a0e8644-7c75-468e-a7f5-6ec5a2d55d1d","config":{"Name":"subscription-info","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"UserInfo":null,"UMA":null,"GenericHTTP":{"Endpoint":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","DynamicEndpoint":null,"Method":"POST","Body":{},"Parameters":[],"Headers":[],"ContentType":"application/json","SharedSecret":"","OAuth2":null,"OAuth2TokenForceFetch":false,"AuthCredentials":null}},"object":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}}
{"level":"debug","ts":"2026-06-11T17:26:46Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"6a0e8644-7c75-468e-a7f5-6ec5a2d55d1d","input":{"auth":{"identity":"Bearer **** subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}}},"context":{"context_extensions":{"host":"3dd75e19cd66d310c30638e330078972afd6d2d96305f91055bc6a6f363fb8d3"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.133.0.37:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local",":method":"GET",":path":"/llm/facebook-opt-125m-simulated/v1/models",":scheme":"https","accept-encoding":"gzip","authorization":"Bearer **** sk-oai-1VYqdgjvAnptnUEDa_ESxD58Vb9w9WpenLt2mOsnXlmT2jrhtMYB5iSspBWtX","user-agent":"Go-http-client/1.1","x-envoy-decorator-operation":"facebook-opt-125m-simulated-kserve-workload-svc.llm.svc.cluster.local:8000/*","x-envoy-external-address":"10.132.0.41","x-envoy-peer-metadata":"ChoKCkNMVVNURVJfSUQSDBoKS3ViZXJuZXRlcwqLAQoGTEFCRUxTEoABKn4KSwofc2VydmljZS5pc3Rpby5pby9jYW5vbmljYWwtbmFtZRIoGiZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAovCiNzZXJ2aWNlLmlzdGlvLmlvL2Nhbm9uaWNhbC1yZXZpc2lvbhIIGgZsYXRlc3QKQAoETkFNRRI4GjZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdC02ODdmZjY5OTYtY2o4ODYKIAoJTkFNRVNQQUNFEhMaEW9wZW5zaGlmdC1pbmdyZXNzCnQKBU9XTkVSEmsaaWt1YmVybmV0ZXM6Ly9hcGlzL2FwcHMvdjEvbmFtZXNwYWNlcy9vcGVuc2hpZnQtaW5ncmVzcy9kZXBsb3ltZW50cy9tYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAo5Cg1XT1JLTE9BRF9OQU1FEigaJm1hYXMtZGVmYXVsdC1nYXRld2F5LW9wZW5zaGlmdC1kZWZhdWx0","x-envoy-peer-metadata-id":"router~10.133.0.37~maas-default-gateway-openshift-default-687ff6996-cj886.openshift-ingress~openshift-ingress.svc.cluster.local","x-forwarded-for":"10.132.0.41","x-forwarded-proto":"https","x-maas-subscription":"simulator-subscription","x-request-id":"6a0e8644-7c75-468e-a7f5-6ec5a2d55d1d"},"host":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local","id":"6a0e8644-7c75-468e-a7f5-6ec5a2d55d1d","method":"GET","path":"/llm/facebook-opt-125m-simulated/v1/models","protocol":"HTTP/1.1","scheme":"https","time":{"nanos":957836587,"seconds":1781198806},"url_path":"/llm/facebook-opt-125m-simulated/v1/models","user_agent":"Go-http-client/1.1"},"source":{"address":"10.132.0.41:44922","port":44922}}}
{"level":"debug","ts":"2026-06-11T17:26:46Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"6a0e8644-7c75-468e-a7f5-6ec5a2d55d1d","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-11T17:26:46Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"6a0e8644-7c75-468e-a7f5-6ec5a2d55d1d","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-11T17:26:46Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"6a0e8644-7c75-468e-a7f5-6ec5a2d55d1d","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-11T17:26:46Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"6a0e8644-7c75-468e-a7f5-6ec5a2d55d1d","config":{"Name":"subscription-valid","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-11T17:26:46Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"6a0e8644-7c75-468e-a7f5-6ec5a2d55d1d","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-11T17:26:46Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"6a0e8644-7c75-468e-a7f5-6ec5a2d55d1d","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-11T17:26:46Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"6a0e8644-7c75-468e-a7f5-6ec5a2d55d1d","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"}
{"level":"debug","ts":"2026-06-11T17:26:46Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"6a0e8644-7c75-468e-a7f5-6ec5a2d55d1d","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"selected_subscription","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"keyId","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"userid","Value":{}},{"Name":"groups","Value":{}}]},"Plain":null},"object":{"groups":["system:authenticated","Engineering","Project-Alpha"],"groups_str":"system:authenticated,Engineering,Project-Alpha","keyId":"c40da5bd-8656-484e-a713-fd90ee596d3b","selected_subscription":"simulator-subscription","selected_subscription_key":"models-as-a-service/simulator-subscription@llm/facebook-opt-125m-simulated","subscription_error":"","subscription_error_message":"","subscription_info":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true},"userid":"alice_lead"}}
{"level":"info","ts":"2026-06-11T17:26:46Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"6a0e8644-7c75-468e-a7f5-6ec5a2d55d1d","authorized":true,"response":"OK"}
{"level":"debug","ts":"2026-06-11T17:26:46Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"6a0e8644-7c75-468e-a7f5-6ec5a2d55d1d","authorized":true,"response":"OK"}
{"level":"info","ts":"2026-06-11T17:26:47Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"3ece3c04-34be-45ec-b66d-80396e0e02dc","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.14:44322","PortSpecifier":{"PortValue":44322}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.37:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"3ece3c04-34be-45ec-b66d-80396e0e02dc","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.fb1fb2b1-e37d-43bb-a447-4e1b046d7a89.prod.konfluxeaas.com","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-11T17:26:47Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"3ece3c04-34be-45ec-b66d-80396e0e02dc","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.14:44322","PortSpecifier":{"PortValue":44322}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.37:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781198807,"nanos":49748625},"http":{"id":"3ece3c04-34be-45ec-b66d-80396e0e02dc","method":"POST","headers":{":authority":"maas.apps.fb1fb2b1-e37d-43bb-a447-4e1b046d7a89.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-11T17:26:47Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"3ece3c04-34be-45ec-b66d-80396e0e02dc","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781199107,"groups":["Engineering","Project-Alpha"],"iat":1781198807,"iss":"https://keycloak.apps.fb1fb2b1-e37d-43bb-a447-4e1b046d7a89.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:ca30e048-e752-a628-fa37-4446dfc2ea1d","preferred_username":"alice_lead","scope":"email profile","sid":"A0y3VAGyDuIeGzL2EYeQTWd1","sub":"a0f0ce41-0a67-42b1-81b5-707fd4cef057","typ":"Bearer"}}
{"level":"debug","ts":"2026-06-11T17:26:47Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"3ece3c04-34be-45ec-b66d-80396e0e02dc","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781199107,"groups":["Engineering","Project-Alpha"],"iat":1781198807,"iss":"https://keycloak.apps.fb1fb2b1-e37d-43bb-a447-4e1b046d7a89.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:ca30e048-e752-a628-fa37-4446dfc2ea1d","preferred_username":"alice_lead","scope":"email profile","sid":"A0y3VAGyDuIeGzL2EYeQTWd1","sub":"a0f0ce41-0a67-42b1-81b5-707fd4cef057","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.133.0.37:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.fb1fb2b1-e37d-43bb-a447-4e1b046d7a89.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-11T17:26:47Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"3ece3c04-34be-45ec-b66d-80396e0e02dc","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-11T17:26:47Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"3ece3c04-34be-45ec-b66d-80396e0e02dc","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-11T17:26:47Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"3ece3c04-34be-45ec-b66d-80396e0e02dc","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-11T17:26:47Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"3ece3c04-34be-45ec-b66d-80396e0e02dc","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"userid","Value":{}},{"Name":"groups","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"keyId","Value":{}}]},"Plain":null},"reason":"no such key: metadata"}
{"level":"debug","ts":"2026-06-11T17:26:47Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"3ece3c04-34be-45ec-b66d-80396e0e02dc","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"}
{"level":"debug","ts":"2026-06-11T17:26:47Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"3ece3c04-34be-45ec-b66d-80396e0e02dc","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"}
{"level":"info","ts":"2026-06-11T17:26:47Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"3ece3c04-34be-45ec-b66d-80396e0e02dc","authorized":true,"response":"OK"}
{"level":"debug","ts":"2026-06-11T17:26:47Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"3ece3c04-34be-45ec-b66d-80396e0e02dc","authorized":true,"response":"OK"}
{"level":"info","ts":"2026-06-11T17:26:47Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"69a0612e-0f94-41e8-bb5d-5219be6c6eef","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.14:44326","PortSpecifier":{"PortValue":44326}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.37:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"69a0612e-0f94-41e8-bb5d-5219be6c6eef","method":"GET","path":"/maas-api/v1/models","host":"maas.apps.fb1fb2b1-e37d-43bb-a447-4e1b046d7a89.prod.konfluxeaas.com","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-11T17:26:47Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"69a0612e-0f94-41e8-bb5d-5219be6c6eef","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.14:44326","PortSpecifier":{"PortValue":44326}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.37:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781198807,"nanos":79748123},"http":{"id":"69a0612e-0f94-41e8-bb5d-5219be6c6eef","method":"GET","headers":{":authority":"maas.apps.fb1fb2b1-e37d-43bb-a447-4e1b046d7a89.prod.konfluxeaas.com",":method":"GET",":path":"/maas-api/v1/models",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-11T17:26:47Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"69a0612e-0f94-41e8-bb5d-5219be6c6eef","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-1XajXM9IPGsRMGZvt_hrjNa2351wnpv4OOduKaxCb5QUXCU9HG6mvKHzpL2CI"}
{"level":"debug","ts":"2026-06-11T17:26:47Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"69a0612e-0f94-41e8-bb5d-5219be6c6eef","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-1XajXM9IPGsRMGZvt_hrjNa2351wnpv4OOduKaxCb5QUXCU9HG6mvKHzpL2CI\"}"}
{"level":"debug","ts":"2026-06-11T17:26:47Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"69a0612e-0f94-41e8-bb5d-5219be6c6eef","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-11T17:26:47Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"69a0612e-0f94-41e8-bb5d-5219be6c6eef","input":{"auth":{"identity":"Bearer **** deflate","authorization":"Bearer **** deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-11T17:26:47Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"69a0612e-0f94-41e8-bb5d-5219be6c6eef","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-11T17:26:47Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"69a0612e-0f94-41e8-bb5d-5219be6c6eef","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-11T17:26:47Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"69a0612e-0f94-41e8-bb5d-5219be6c6eef","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-11T17:26:47Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"69a0612e-0f94-41e8-bb5d-5219be6c6eef","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-11T17:26:47Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"69a0612e-0f94-41e8-bb5d-5219be6c6eef","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-11T17:26:47Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"69a0612e-0f94-41e8-bb5d-5219be6c6eef","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"userid","Value":{}},{"Name":"groups","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"keyId","Value":{}}]},"Plain":null},"reason":"no such key: subscription-info"}
{"level":"debug","ts":"2026-06-11T17:26:47Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"69a0612e-0f94-41e8-bb5d-5219be6c6eef","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"}
{"level":"info","ts":"2026-06-11T17:26:47Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"69a0612e-0f94-41e8-bb5d-5219be6c6eef","authorized":true,"response":"OK"}
{"level":"debug","ts":"2026-06-11T17:26:47Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"69a0612e-0f94-41e8-bb5d-5219be6c6eef","authorized":true,"response":"OK"}
{"level":"info","ts":"2026-06-11T17:26:47Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"23e8b687-f29e-4a54-a6d5-282f14ea2422","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.41:44922","PortSpecifier":{"PortValue":44922}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.37:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"23e8b687-f29e-4a54-a6d5-282f14ea2422","method":"GET","path":"/llm/facebook-opt-125m-simulated/v1/models","host":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-11T17:26:47Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"23e8b687-f29e-4a54-a6d5-282f14ea2422","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.41:44922","PortSpecifier":{"PortValue":44922}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.37:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781198807,"nanos":86696732},"http":{"id":"23e8b687-f29e-4a54-a6d5-282f14ea2422","method":"GET","headers":{":authority":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local",":method":"GET",":path":"/llm/facebook-opt-125m-simulated/v1/models",":scheme":"https","accept-encoding":"gzip","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-11T17:26:47Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"23e8b687-f29e-4a54-a6d5-282f14ea2422","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-1XajXM9IPGsRMGZvt_hrjNa2351wnpv4OOduKaxCb5QUXCU9HG6mvKHzpL2CI"}
{"level":"debug","ts":"2026-06-11T17:26:47Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"23e8b687-f29e-4a54-a6d5-282f14ea2422","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-1XajXM9IPGsRMGZvt_hrjNa2351wnpv4OOduKaxCb5QUXCU9HG6mvKHzpL2CI\"}"}
{"level":"debug","ts":"2026-06-11T17:26:47Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"23e8b687-f29e-4a54-a6d5-282f14ea2422","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-11T17:26:47Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"23e8b687-f29e-4a54-a6d5-282f14ea2422","config":"subscription-info","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","headers":{"Content-Type":["application/json"]},"body":"{\"groups\":[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"],\"requestedModel\":\"llm/facebook-opt-125m-simulated\",\"requestedSubscription\":\"simulator-subscription\",\"username\":\"alice_lead\"}"}
{"level":"debug","ts":"2026-06-11T17:26:47Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"23e8b687-f29e-4a54-a6d5-282f14ea2422","config":{"Name":"subscription-info","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"UserInfo":null,"UMA":null,"GenericHTTP":{"Endpoint":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","DynamicEndpoint":null,"Method":"POST","Body":{},"Parameters":[],"Headers":[],"ContentType":"application/json","SharedSecret":"","OAuth2":null,"OAuth2TokenForceFetch":false,"AuthCredentials":null}},"object":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}}
{"level":"debug","ts":"2026-06-11T17:26:47Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"23e8b687-f29e-4a54-a6d5-282f14ea2422","input":{"auth":{"identity":"Bearer **** subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}}},"context":{"context_extensions":{"host":"3dd75e19cd66d310c30638e330078972afd6d2d96305f91055bc6a6f363fb8d3"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.133.0.37:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local",":method":"GET",":path":"/llm/facebook-opt-125m-simulated/v1/models",":scheme":"https","accept-encoding":"gzip","authorization":"Bearer **** sk-oai-1XajXM9IPGsRMGZvt_hrjNa2351wnpv4OOduKaxCb5QUXCU9HG6mvKHzpL2CI","user-agent":"Go-http-client/1.1","x-envoy-decorator-operation":"facebook-opt-125m-simulated-kserve-workload-svc.llm.svc.cluster.local:8000/*","x-envoy-external-address":"10.132.0.41","x-envoy-peer-metadata":"ChoKCkNMVVNURVJfSUQSDBoKS3ViZXJuZXRlcwqLAQoGTEFCRUxTEoABKn4KSwofc2VydmljZS5pc3Rpby5pby9jYW5vbmljYWwtbmFtZRIoGiZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAovCiNzZXJ2aWNlLmlzdGlvLmlvL2Nhbm9uaWNhbC1yZXZpc2lvbhIIGgZsYXRlc3QKQAoETkFNRRI4GjZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdC02ODdmZjY5OTYtY2o4ODYKIAoJTkFNRVNQQUNFEhMaEW9wZW5zaGlmdC1pbmdyZXNzCnQKBU9XTkVSEmsaaWt1YmVybmV0ZXM6Ly9hcGlzL2FwcHMvdjEvbmFtZXNwYWNlcy9vcGVuc2hpZnQtaW5ncmVzcy9kZXBsb3ltZW50cy9tYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAo5Cg1XT1JLTE9BRF9OQU1FEigaJm1hYXMtZGVmYXVsdC1nYXRld2F5LW9wZW5zaGlmdC1kZWZhdWx0","x-envoy-peer-metadata-id":"router~10.133.0.37~maas-default-gateway-openshift-default-687ff6996-cj886.openshift-ingress~openshift-ingress.svc.cluster.local","x-forwarded-for":"10.132.0.41","x-forwarded-proto":"https","x-maas-subscription":"simulator-subscription","x-request-id":"23e8b687-f29e-4a54-a6d5-282f14ea2422"},"host":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local","id":"23e8b687-f29e-4a54-a6d5-282f14ea2422","method":"GET","path":"/llm/facebook-opt-125m-simulated/v1/models","protocol":"HTTP/1.1","scheme":"https","time":{"nanos":86696732,"seconds":1781198807},"url_path":"/llm/facebook-opt-125m-simulated/v1/models","user_agent":"Go-http-client/1.1"},"source":{"address":"10.132.0.41:44922","port":44922}}}
{"level":"debug","ts":"2026-06-11T17:26:47Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"23e8b687-f29e-4a54-a6d5-282f14ea2422","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-11T17:26:47Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"23e8b687-f29e-4a54-a6d5-282f14ea2422","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-11T17:26:47Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"23e8b687-f29e-4a54-a6d5-282f14ea2422","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-11T17:26:47Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"23e8b687-f29e-4a54-a6d5-282f14ea2422","config":{"Name":"subscription-valid","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-11T17:26:47Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"23e8b687-f29e-4a54-a6d5-282f14ea2422","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-11T17:26:47Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"23e8b687-f29e-4a54-a6d5-282f14ea2422","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-11T17:26:47Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"23e8b687-f29e-4a54-a6d5-282f14ea2422","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"}
{"level":"debug","ts":"2026-06-11T17:26:47Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"23e8b687-f29e-4a54-a6d5-282f14ea2422","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"selected_subscription","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"keyId","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"userid","Value":{}},{"Name":"groups","Value":{}}]},"Plain":null},"object":{"groups":["system:authenticated","Engineering","Project-Alpha"],"groups_str":"system:authenticated,Engineering,Project-Alpha","keyId":"1479a830-530e-4371-8ba2-d7232332c099","selected_subscription":"simulator-subscription","selected_subscription_key":"models-as-a-service/simulator-subscription@llm/facebook-opt-125m-simulated","subscription_error":"","subscription_error_message":"","subscription_info":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true},"userid":"alice_lead"}}
{"level":"info","ts":"2026-06-11T17:26:47Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"23e8b687-f29e-4a54-a6d5-282f14ea2422","authorized":true,"response":"OK"}
{"level":"debug","ts":"2026-06-11T17:26:47Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"23e8b687-f29e-4a54-a6d5-282f14ea2422","authorized":true,"response":"OK"}
{"level":"info","ts":"2026-06-11T17:26:47Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"deeb0757-c174-462a-ab70-5371001a5d69","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.14:44336","PortSpecifier":{"PortValue":44336}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.37:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"deeb0757-c174-462a-ab70-5371001a5d69","method":"GET","path":"/maas-api/v1/models","host":"maas.apps.fb1fb2b1-e37d-43bb-a447-4e1b046d7a89.prod.konfluxeaas.com","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-11T17:26:47Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"deeb0757-c174-462a-ab70-5371001a5d69","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.14:44336","PortSpecifier":{"PortValue":44336}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.37:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781198807,"nanos":115888989},"http":{"id":"deeb0757-c174-462a-ab70-5371001a5d69","method":"GET","headers":{":authority":"maas.apps.fb1fb2b1-e37d-43bb-a447-4e1b046d7a89.prod.konfluxeaas.com",":method":"GET",":path":"/maas-api/v1/models",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-11T17:26:47Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"deeb0757-c174-462a-ab70-5371001a5d69","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-1XajXM9IPGsRMGZvt_hrjNa2351wnpv4OOduKaxCb5QUXCU9HG6mvKHzpL2CI"}
{"level":"debug","ts":"2026-06-11T17:26:47Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"deeb0757-c174-462a-ab70-5371001a5d69","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-1XajXM9IPGsRMGZvt_hrjNa2351wnpv4OOduKaxCb5QUXCU9HG6mvKHzpL2CI\"}"}
{"level":"debug","ts":"2026-06-11T17:26:47Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"deeb0757-c174-462a-ab70-5371001a5d69","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-11T17:26:47Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"deeb0757-c174-462a-ab70-5371001a5d69","input":{"auth":{"identity":"Bearer **** deflate","authorization":"Bearer **** deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-11T17:26:47Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"deeb0757-c174-462a-ab70-5371001a5d69","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-11T17:26:47Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"deeb0757-c174-462a-ab70-5371001a5d69","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-11T17:26:47Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"deeb0757-c174-462a-ab70-5371001a5d69","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-11T17:26:47Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"deeb0757-c174-462a-ab70-5371001a5d69","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-11T17:26:47Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"deeb0757-c174-462a-ab70-5371001a5d69","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-11T17:26:47Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"deeb0757-c174-462a-ab70-5371001a5d69","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"userid","Value":{}},{"Name":"groups","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"keyId","Value":{}}]},"Plain":null},"reason":"no such key: subscription-info"}
{"level":"debug","ts":"2026-06-11T17:26:47Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"deeb0757-c174-462a-ab70-5371001a5d69","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"}
{"level":"info","ts":"2026-06-11T17:26:47Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"deeb0757-c174-462a-ab70-5371001a5d69","authorized":true,"response":"OK"}
{"level":"debug","ts":"2026-06-11T17:26:47Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"deeb0757-c174-462a-ab70-5371001a5d69","authorized":true,"response":"OK"}
{"level":"info","ts":"2026-06-11T17:26:47Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"59d90cdf-0587-4478-a433-3e3aa3a94324","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.41:44922","PortSpecifier":{"PortValue":44922}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.37:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"59d90cdf-0587-4478-a433-3e3aa3a94324","method":"GET","path":"/llm/facebook-opt-125m-simulated/v1/models","host":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-11T17:26:47Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"59d90cdf-0587-4478-a433-3e3aa3a94324","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.41:44922","PortSpecifier":{"PortValue":44922}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.37:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781198807,"nanos":122785711},"http":{"id":"59d90cdf-0587-4478-a433-3e3aa3a94324","method":"GET","headers":{":authority":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local",":method":"GET",":path":"/llm/facebook-opt-125m-simulated/v1/models",":scheme":"https","accept-encoding":"gzip","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-11T17:26:47Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"59d90cdf-0587-4478-a433-3e3aa3a94324","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-1XajXM9IPGsRMGZvt_hrjNa2351wnpv4OOduKaxCb5QUXCU9HG6mvKHzpL2CI"}
{"level":"debug","ts":"2026-06-11T17:26:47Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"59d90cdf-0587-4478-a433-3e3aa3a94324","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-1XajXM9IPGsRMGZvt_hrjNa2351wnpv4OOduKaxCb5QUXCU9HG6mvKHzpL2CI\"}"}
{"level":"debug","ts":"2026-06-11T17:26:47Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"59d90cdf-0587-4478-a433-3e3aa3a94324","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-11T17:26:47Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"59d90cdf-0587-4478-a433-3e3aa3a94324","config":"subscription-info","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","headers":{"Content-Type":["application/json"]},"body":"{\"groups\":[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"],\"requestedModel\":\"llm/facebook-opt-125m-simulated\",\"requestedSubscription\":\"simulator-subscription\",\"username\":\"alice_lead\"}"}
{"level":"debug","ts":"2026-06-11T17:26:47Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"59d90cdf-0587-4478-a433-3e3aa3a94324","config":{"Name":"subscription-info","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"UserInfo":null,"UMA":null,"GenericHTTP":{"Endpoint":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","DynamicEndpoint":null,"Method":"POST","Body":{},"Parameters":[],"Headers":[],"ContentType":"application/json","SharedSecret":"","OAuth2":null,"OAuth2TokenForceFetch":false,"AuthCredentials":null}},"object":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}}
{"level":"debug","ts":"2026-06-11T17:26:47Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"59d90cdf-0587-4478-a433-3e3aa3a94324","input":{"auth":{"identity":"Bearer **** subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}}},"context":{"context_extensions":{"host":"3dd75e19cd66d310c30638e330078972afd6d2d96305f91055bc6a6f363fb8d3"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.133.0.37:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local",":method":"GET",":path":"/llm/facebook-opt-125m-simulated/v1/models",":scheme":"https","accept-encoding":"gzip","authorization":"Bearer **** sk-oai-1XajXM9IPGsRMGZvt_hrjNa2351wnpv4OOduKaxCb5QUXCU9HG6mvKHzpL2CI","user-agent":"Go-http-client/1.1","x-envoy-decorator-operation":"facebook-opt-125m-simulated-kserve-workload-svc.llm.svc.cluster.local:8000/*","x-envoy-external-address":"10.132.0.41","x-envoy-peer-metadata":"ChoKCkNMVVNURVJfSUQSDBoKS3ViZXJuZXRlcwqLAQoGTEFCRUxTEoABKn4KSwofc2VydmljZS5pc3Rpby5pby9jYW5vbmljYWwtbmFtZRIoGiZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAovCiNzZXJ2aWNlLmlzdGlvLmlvL2Nhbm9uaWNhbC1yZXZpc2lvbhIIGgZsYXRlc3QKQAoETkFNRRI4GjZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdC02ODdmZjY5OTYtY2o4ODYKIAoJTkFNRVNQQUNFEhMaEW9wZW5zaGlmdC1pbmdyZXNzCnQKBU9XTkVSEmsaaWt1YmVybmV0ZXM6Ly9hcGlzL2FwcHMvdjEvbmFtZXNwYWNlcy9vcGVuc2hpZnQtaW5ncmVzcy9kZXBsb3ltZW50cy9tYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAo5Cg1XT1JLTE9BRF9OQU1FEigaJm1hYXMtZGVmYXVsdC1nYXRld2F5LW9wZW5zaGlmdC1kZWZhdWx0","x-envoy-peer-metadata-id":"router~10.133.0.37~maas-default-gateway-openshift-default-687ff6996-cj886.openshift-ingress~openshift-ingress.svc.cluster.local","x-forwarded-for":"10.132.0.41","x-forwarded-proto":"https","x-maas-subscription":"simulator-subscription","x-request-id":"59d90cdf-0587-4478-a433-3e3aa3a94324"},"host":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local","id":"59d90cdf-0587-4478-a433-3e3aa3a94324","method":"GET","path":"/llm/facebook-opt-125m-simulated/v1/models","protocol":"HTTP/1.1","scheme":"https","time":{"nanos":122785711,"seconds":1781198807},"url_path":"/llm/facebook-opt-125m-simulated/v1/models","user_agent":"Go-http-client/1.1"},"source":{"address":"10.132.0.41:44922","port":44922}}}
{"level":"debug","ts":"2026-06-11T17:26:47Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"59d90cdf-0587-4478-a433-3e3aa3a94324","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-11T17:26:47Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"59d90cdf-0587-4478-a433-3e3aa3a94324","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-11T17:26:47Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"59d90cdf-0587-4478-a433-3e3aa3a94324","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-11T17:26:47Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"59d90cdf-0587-4478-a433-3e3aa3a94324","config":{"Name":"subscription-valid","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-11T17:26:47Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"59d90cdf-0587-4478-a433-3e3aa3a94324","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-11T17:26:47Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"59d90cdf-0587-4478-a433-3e3aa3a94324","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-11T17:26:47Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"59d90cdf-0587-4478-a433-3e3aa3a94324","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"}
{"level":"debug","ts":"2026-06-11T17:26:47Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"59d90cdf-0587-4478-a433-3e3aa3a94324","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"selected_subscription","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"keyId","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"userid","Value":{}},{"Name":"groups","Value":{}}]},"Plain":null},"object":{"groups":["system:authenticated","Engineering","Project-Alpha"],"groups_str":"system:authenticated,Engineering,Project-Alpha","keyId":"1479a830-530e-4371-8ba2-d7232332c099","selected_subscription":"simulator-subscription","selected_subscription_key":"models-as-a-service/simulator-subscription@llm/facebook-opt-125m-simulated","subscription_error":"","subscription_error_message":"","subscription_info":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true},"userid":"alice_lead"}}
{"level":"info","ts":"2026-06-11T17:26:47Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"59d90cdf-0587-4478-a433-3e3aa3a94324","authorized":true,"response":"OK"}
{"level":"debug","ts":"2026-06-11T17:26:47Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"59d90cdf-0587-4478-a433-3e3aa3a94324","authorized":true,"response":"OK"}
{"level":"info","ts":"2026-06-11T17:26:47Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"7f40937f-23d6-4ec3-b90e-b8860fb3d946","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.14:44344","PortSpecifier":{"PortValue":44344}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.37:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"7f40937f-23d6-4ec3-b90e-b8860fb3d946","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.fb1fb2b1-e37d-43bb-a447-4e1b046d7a89.prod.konfluxeaas.com","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-11T17:26:47Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"7f40937f-23d6-4ec3-b90e-b8860fb3d946","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.14:44344","PortSpecifier":{"PortValue":44344}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.37:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781198807,"nanos":212960739},"http":{"id":"7f40937f-23d6-4ec3-b90e-b8860fb3d946","method":"POST","headers":{":authority":"maas.apps.fb1fb2b1-e37d-43bb-a447-4e1b046d7a89.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-11T17:26:47Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"7f40937f-23d6-4ec3-b90e-b8860fb3d946","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781199107,"groups":["Engineering","Project-Alpha"],"iat":1781198807,"iss":"https://keycloak.apps.fb1fb2b1-e37d-43bb-a447-4e1b046d7a89.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:21c0b9c9-2b71-76b0-b588-c0aca7fa0b81","preferred_username":"alice_lead","scope":"email profile","sid":"ZJIcqYORpNjdkyiA3D53iqvz","sub":"a0f0ce41-0a67-42b1-81b5-707fd4cef057","typ":"Bearer"}}
{"level":"debug","ts":"2026-06-11T17:26:47Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"7f40937f-23d6-4ec3-b90e-b8860fb3d946","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781199107,"groups":["Engineering","Project-Alpha"],"iat":1781198807,"iss":"https://keycloak.apps.fb1fb2b1-e37d-43bb-a447-4e1b046d7a89.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:21c0b9c9-2b71-76b0-b588-c0aca7fa0b81","preferred_username":"alice_lead","scope":"email profile","sid":"ZJIcqYORpNjdkyiA3D53iqvz","sub":"a0f0ce41-0a67-42b1-81b5-707fd4cef057","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.133.0.37:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.fb1fb2b1-e37d-43bb-a447-4e1b046d7a89.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-11T17:26:47Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"7f40937f-23d6-4ec3-b90e-b8860fb3d946","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-11T17:26:47Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"7f40937f-23d6-4ec3-b90e-b8860fb3d946","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-11T17:26:47Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"7f40937f-23d6-4ec3-b90e-b8860fb3d946","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-11T17:26:47Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"7f40937f-23d6-4ec3-b90e-b8860fb3d946","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"userid","Value":{}},{"Name":"groups","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"keyId","Value":{}}]},"Plain":null},"reason":"no such key: metadata"}
{"level":"debug","ts":"2026-06-11T17:26:47Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"7f40937f-23d6-4ec3-b90e-b8860fb3d946","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"}
{"level":"debug","ts":"2026-06-11T17:26:47Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"7f40937f-23d6-4ec3-b90e-b8860fb3d946","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"}
{"level":"info","ts":"2026-06-11T17:26:47Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"7f40937f-23d6-4ec3-b90e-b8860fb3d946","authorized":true,"response":"OK"}
{"level":"debug","ts":"2026-06-11T17:26:47Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"7f40937f-23d6-4ec3-b90e-b8860fb3d946","authorized":true,"response":"OK"}