{"level":"debug","ts":"2026-05-25T11:24:17Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"0dfe5bde-853b-4a88-9341-23f10e0c2f5c","config":{"Name":"X-MaaS-Group-OC","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{"Static":null,"Pattern":"auth.identity.user.groups.@tostr"}}},"object":"[\"system:serviceaccounts\",\"system:serviceaccounts:default\",\"system:authenticated\"]"} {"level":"debug","ts":"2026-05-25T11:24:17Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"0dfe5bde-853b-4a88-9341-23f10e0c2f5c","config":{"Name":"X-MaaS-Username-OC","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{"Static":null,"Pattern":"auth.identity.user.username"}}},"object":"system:serviceaccount:default:tester-regular-user"} {"level":"info","ts":"2026-05-25T11:24:17Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"0dfe5bde-853b-4a88-9341-23f10e0c2f5c","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-05-25T11:24:17Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"0dfe5bde-853b-4a88-9341-23f10e0c2f5c","authorized":true,"response":"OK"} {"level":"info","ts":"2026-05-25T11:24:17Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"6c317d59-fccb-431e-9b59-58e0ec6e7566","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"100.64.0.4:23812","PortSpecifier":{"PortValue":23812}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.27:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"6c317d59-fccb-431e-9b59-58e0ec6e7566","method":"POST","path":"/llm/e2e-unconfigured-facebook-opt-125m-simulated/v1/completions","host":"maas.apps.f079999e-d19a-4ad0-b905-3c6ed0480c51.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-05-25T11:24:17Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"6c317d59-fccb-431e-9b59-58e0ec6e7566","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"100.64.0.4:23812","PortSpecifier":{"PortValue":23812}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.27:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1779708257,"nanos":684673238},"http":{"id":"6c317d59-fccb-431e-9b59-58e0ec6e7566","method":"POST","headers":{":authority":"maas.apps.f079999e-d19a-4ad0-b905-3c6ed0480c51.prod.konfluxeaas.com",":method":"POST",":path":"/llm/e2e-unconfigured-facebook-opt-125m-simulated/v1/completions",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-05-25T11:24:17Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"6c317d59-fccb-431e-9b59-58e0ec6e7566","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-RhUQkennrVvA4NTB_OJgQh3lqhKekPYdWh9ajPfokZO9bF5ijnn2rOWGYZn0"} {"level":"debug","ts":"2026-05-25T11:24:17Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"6c317d59-fccb-431e-9b59-58e0ec6e7566","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-RhUQkennrVvA4NTB_OJgQh3lqhKekPYdWh9ajPfokZO9bF5ijnn2rOWGYZn0\"}"} {"level":"debug","ts":"2026-05-25T11:24:17Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"6c317d59-fccb-431e-9b59-58e0ec6e7566","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-05-25T11:24:17Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"6c317d59-fccb-431e-9b59-58e0ec6e7566","config":"subscription-info","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","headers":{"Content-Type":["application/json"]},"body":"{\"groups\":[\"system:serviceaccounts\",\"system:serviceaccounts:default\",\"system:authenticated\"],\"requestedModel\":\"llm/e2e-unconfigured-facebook-opt-125m-simulated\",\"requestedSubscription\":\"e2e-central-models-exempt-sub\",\"username\":\"system:serviceaccount:default:tester-regular-user\"}"} {"level":"debug","ts":"2026-05-25T11:24:17Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"6c317d59-fccb-431e-9b59-58e0ec6e7566","config":{"Name":"subscription-info","Priority":1,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"UserInfo":null,"UMA":null,"GenericHTTP":{"Endpoint":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","DynamicEndpoint":null,"Method":"POST","Body":{},"Parameters":[],"Headers":[],"ContentType":"application/json","SharedSecret":"","OAuth2":null,"OAuth2TokenForceFetch":false,"AuthCredentials":null}},"object":{"modelRefs":[{"description":"MaaSModelRef with no auth policy or subscription — used to validate default-deny","display_name":"Unconfigured OPT 125M (E2E)","name":"e2e-unconfigured-facebook-opt-125m-simulated","namespace":"llm","token_rate_limits":[{"limit":3,"window":"1m"}]}],"name":"e2e-central-models-exempt-sub","namespace":"models-as-a-service","phase":"Active","ready":true}} {"level":"debug","ts":"2026-05-25T11:24:17Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"6c317d59-fccb-431e-9b59-58e0ec6e7566","input":{"auth":{"identity":"Bearer **** with no auth policy or subscription — used to validate default-deny","display_name":"Unconfigured OPT 125M (E2E)","name":"e2e-unconfigured-facebook-opt-125m-simulated","namespace":"llm","token_rate_limits":[{"limit":3,"window":"1m"}]}],"name":"e2e-central-models-exempt-sub","namespace":"models-as-a-service","phase":"Active","ready":true}}},"context":{"context_extensions":{"host":"d81a415a9d6b7bd916041b26b5a288b98c3b5bc233efb3bb1e7ca74fc032a437"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.133.0.27:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.f079999e-d19a-4ad0-b905-3c6ed0480c51.prod.konfluxeaas.com",":method":"POST",":path":"/llm/e2e-unconfigured-facebook-opt-125m-simulated/v1/completions",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-05-25T11:24:17Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"6c317d59-fccb-431e-9b59-58e0ec6e7566","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"# API key authentication: validate the key\nallow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\n\n# Kubernetes token authentication: check identity exists\nallow {\n object.get(input.auth.identity, \"user\", {}).username != \"\"\n}\n\n# OIDC token authentication: check JWT subject exists\nallow {\n object.get(input.auth.identity, \"sub\", \"\") != \"\"\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-05-25T11:24:17Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"6c317d59-fccb-431e-9b59-58e0ec6e7566","config":{"Name":"subscription-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n\t# Subscription name must be present (selector succeeded)\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\t# Error field must be empty (no validation errors from selector)\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\t# Allowlist: phase must be exactly \"Active\" or \"Degraded\" (reject empty/unreconciled)\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\t# Subscription must not be deleting\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-05-25T11:24:17Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"6c317d59-fccb-431e-9b59-58e0ec6e7566","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\n# Allowed groups and users from all MaaSAuthPolicies\nallowed_groups := [\"system:authenticated\"]\nallowed_users := []\n\n# Extract username from API key, OIDC, or K8s token\nusername := input.auth.metadata.apiKeyValidation.username\n { object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n { object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n { object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n { object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\n# Extract groups from API key, OIDC, or K8s token\ngroups := input.auth.metadata.apiKeyValidation.groups\n { object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n { object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n { object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\n# Allow if user is in allowed users\nallow {\n username == allowed_users[_]\n}\n\n# Allow if any user group is in allowed groups\nallow {\n groups[_] == allowed_groups[_]\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-05-25T11:24:17Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"6c317d59-fccb-431e-9b59-58e0ec6e7566","config":{"Name":"Authorization","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"httpHeader","WrapperKey":"authorization","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{"Static":"","Pattern":""}}},"object":""} {"level":"debug","ts":"2026-05-25T11:24:17Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"6c317d59-fccb-431e-9b59-58e0ec6e7566","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"e2e-central-models-exempt-sub"} {"level":"debug","ts":"2026-05-25T11:24:17Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"6c317d59-fccb-431e-9b59-58e0ec6e7566","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"groups","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"userid","Value":{"Static":null,"Pattern":"auth.metadata.apiKeyValidation.username"}},{"Name":"subscription_info","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"keyId","Value":{"Static":null,"Pattern":"auth.metadata.apiKeyValidation.keyId"}}]},"Plain":null},"object":{"groups":["system:serviceaccounts","system:serviceaccounts:default","system:authenticated"],"groups_str":"system:serviceaccounts,system:serviceaccounts:default,system:authenticated","keyId":"b2b8345c-1a1e-42bb-8fa4-74f74d4105a3","selected_subscription":"e2e-central-models-exempt-sub","selected_subscription_key":"models-as-a-service/e2e-central-models-exempt-sub@llm/e2e-unconfigured-facebook-opt-125m-simulated","subscription_error":"","subscription_error_message":"","subscription_info":{"modelRefs":[{"description":"MaaSModelRef with no auth policy or subscription — used to validate default-deny","display_name":"Unconfigured OPT 125M (E2E)","name":"e2e-unconfigured-facebook-opt-125m-simulated","namespace":"llm","token_rate_limits":[{"limit":3,"window":"1m"}]}],"name":"e2e-central-models-exempt-sub","namespace":"models-as-a-service","phase":"Active","ready":true},"userid":"system:serviceaccount:default:tester-regular-user"}} {"level":"info","ts":"2026-05-25T11:24:17Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"6c317d59-fccb-431e-9b59-58e0ec6e7566","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-05-25T11:24:17Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"6c317d59-fccb-431e-9b59-58e0ec6e7566","authorized":true,"response":"OK"} {"level":"info","ts":"2026-05-25T11:24:17Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"6107b09d-4cc5-4ac3-8f86-fa5851a8e43c","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"100.64.0.2:49808","PortSpecifier":{"PortValue":49808}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.27:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"6107b09d-4cc5-4ac3-8f86-fa5851a8e43c","method":"POST","path":"/llm/e2e-unconfigured-facebook-opt-125m-simulated/v1/completions","host":"maas.apps.f079999e-d19a-4ad0-b905-3c6ed0480c51.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-05-25T11:24:17Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"6107b09d-4cc5-4ac3-8f86-fa5851a8e43c","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"100.64.0.2:49808","PortSpecifier":{"PortValue":49808}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.27:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1779708257,"nanos":713590801},"http":{"id":"6107b09d-4cc5-4ac3-8f86-fa5851a8e43c","method":"POST","headers":{":authority":"maas.apps.f079999e-d19a-4ad0-b905-3c6ed0480c51.prod.konfluxeaas.com",":method":"POST",":path":"/llm/e2e-unconfigured-facebook-opt-125m-simulated/v1/completions",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-05-25T11:24:17Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"6107b09d-4cc5-4ac3-8f86-fa5851a8e43c","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-RhUQkennrVvA4NTB_OJgQh3lqhKekPYdWh9ajPfokZO9bF5ijnn2rOWGYZn0"} {"level":"debug","ts":"2026-05-25T11:24:17Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"6107b09d-4cc5-4ac3-8f86-fa5851a8e43c","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-RhUQkennrVvA4NTB_OJgQh3lqhKekPYdWh9ajPfokZO9bF5ijnn2rOWGYZn0\"}"} {"level":"debug","ts":"2026-05-25T11:24:17Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"6107b09d-4cc5-4ac3-8f86-fa5851a8e43c","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-05-25T11:24:17Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"6107b09d-4cc5-4ac3-8f86-fa5851a8e43c","config":"subscription-info","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","headers":{"Content-Type":["application/json"]},"body":"{\"groups\":[\"system:serviceaccounts\",\"system:serviceaccounts:default\",\"system:authenticated\"],\"requestedModel\":\"llm/e2e-unconfigured-facebook-opt-125m-simulated\",\"requestedSubscription\":\"e2e-central-models-exempt-sub\",\"username\":\"system:serviceaccount:default:tester-regular-user\"}"} {"level":"debug","ts":"2026-05-25T11:24:17Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"6107b09d-4cc5-4ac3-8f86-fa5851a8e43c","config":{"Name":"subscription-info","Priority":1,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"UserInfo":null,"UMA":null,"GenericHTTP":{"Endpoint":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","DynamicEndpoint":null,"Method":"POST","Body":{},"Parameters":[],"Headers":[],"ContentType":"application/json","SharedSecret":"","OAuth2":null,"OAuth2TokenForceFetch":false,"AuthCredentials":null}},"object":{"modelRefs":[{"description":"MaaSModelRef with no auth policy or subscription — used to validate default-deny","display_name":"Unconfigured OPT 125M (E2E)","name":"e2e-unconfigured-facebook-opt-125m-simulated","namespace":"llm","token_rate_limits":[{"limit":3,"window":"1m"}]}],"name":"e2e-central-models-exempt-sub","namespace":"models-as-a-service","phase":"Active","ready":true}} {"level":"debug","ts":"2026-05-25T11:24:17Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"6107b09d-4cc5-4ac3-8f86-fa5851a8e43c","input":{"auth":{"identity":"Bearer **** with no auth policy or subscription — used to validate default-deny","display_name":"Unconfigured OPT 125M (E2E)","name":"e2e-unconfigured-facebook-opt-125m-simulated","namespace":"llm","token_rate_limits":[{"limit":3,"window":"1m"}]}],"name":"e2e-central-models-exempt-sub","namespace":"models-as-a-service","phase":"Active","ready":true}}},"context":{"context_extensions":{"host":"d81a415a9d6b7bd916041b26b5a288b98c3b5bc233efb3bb1e7ca74fc032a437"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.133.0.27:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.f079999e-d19a-4ad0-b905-3c6ed0480c51.prod.konfluxeaas.com",":method":"POST",":path":"/llm/e2e-unconfigured-facebook-opt-125m-simulated/v1/completions",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-05-25T11:24:17Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"6107b09d-4cc5-4ac3-8f86-fa5851a8e43c","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"# API key authentication: validate the key\nallow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\n\n# Kubernetes token authentication: check identity exists\nallow {\n object.get(input.auth.identity, \"user\", {}).username != \"\"\n}\n\n# OIDC token authentication: check JWT subject exists\nallow {\n object.get(input.auth.identity, \"sub\", \"\") != \"\"\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-05-25T11:24:17Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"6107b09d-4cc5-4ac3-8f86-fa5851a8e43c","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\n# Allowed groups and users from all MaaSAuthPolicies\nallowed_groups := [\"system:authenticated\"]\nallowed_users := []\n\n# Extract username from API key, OIDC, or K8s token\nusername := input.auth.metadata.apiKeyValidation.username\n { object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n { object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n { object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n { object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\n# Extract groups from API key, OIDC, or K8s token\ngroups := input.auth.metadata.apiKeyValidation.groups\n { object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n { object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n { object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\n# Allow if user is in allowed users\nallow {\n username == allowed_users[_]\n}\n\n# Allow if any user group is in allowed groups\nallow {\n groups[_] == allowed_groups[_]\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-05-25T11:24:17Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"6107b09d-4cc5-4ac3-8f86-fa5851a8e43c","config":{"Name":"subscription-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n\t# Subscription name must be present (selector succeeded)\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\t# Error field must be empty (no validation errors from selector)\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\t# Allowlist: phase must be exactly \"Active\" or \"Degraded\" (reject empty/unreconciled)\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\t# Subscription must not be deleting\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-05-25T11:24:17Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"6107b09d-4cc5-4ac3-8f86-fa5851a8e43c","config":{"Name":"Authorization","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"httpHeader","WrapperKey":"authorization","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{"Static":"","Pattern":""}}},"object":""} {"level":"debug","ts":"2026-05-25T11:24:17Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"6107b09d-4cc5-4ac3-8f86-fa5851a8e43c","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"e2e-central-models-exempt-sub"} {"level":"debug","ts":"2026-05-25T11:24:17Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"6107b09d-4cc5-4ac3-8f86-fa5851a8e43c","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"groups","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"userid","Value":{"Static":null,"Pattern":"auth.metadata.apiKeyValidation.username"}},{"Name":"subscription_info","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"keyId","Value":{"Static":null,"Pattern":"auth.metadata.apiKeyValidation.keyId"}}]},"Plain":null},"object":{"groups":["system:serviceaccounts","system:serviceaccounts:default","system:authenticated"],"groups_str":"system:serviceaccounts,system:serviceaccounts:default,system:authenticated","keyId":"b2b8345c-1a1e-42bb-8fa4-74f74d4105a3","selected_subscription":"e2e-central-models-exempt-sub","selected_subscription_key":"models-as-a-service/e2e-central-models-exempt-sub@llm/e2e-unconfigured-facebook-opt-125m-simulated","subscription_error":"","subscription_error_message":"","subscription_info":{"modelRefs":[{"description":"MaaSModelRef with no auth policy or subscription — used to validate default-deny","display_name":"Unconfigured OPT 125M (E2E)","name":"e2e-unconfigured-facebook-opt-125m-simulated","namespace":"llm","token_rate_limits":[{"limit":3,"window":"1m"}]}],"name":"e2e-central-models-exempt-sub","namespace":"models-as-a-service","phase":"Active","ready":true},"userid":"system:serviceaccount:default:tester-regular-user"}} {"level":"info","ts":"2026-05-25T11:24:17Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"6107b09d-4cc5-4ac3-8f86-fa5851a8e43c","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-05-25T11:24:17Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"6107b09d-4cc5-4ac3-8f86-fa5851a8e43c","authorized":true,"response":"OK"} {"level":"info","ts":"2026-05-25T11:24:17Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"837cce0f-ecfb-4db2-9bb7-5ce7f48950d8","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"100.64.0.2:35446","PortSpecifier":{"PortValue":35446}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.27:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"837cce0f-ecfb-4db2-9bb7-5ce7f48950d8","method":"POST","path":"/llm/e2e-unconfigured-facebook-opt-125m-simulated/v1/completions","host":"maas.apps.f079999e-d19a-4ad0-b905-3c6ed0480c51.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-05-25T11:24:17Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"837cce0f-ecfb-4db2-9bb7-5ce7f48950d8","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"100.64.0.2:35446","PortSpecifier":{"PortValue":35446}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.27:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1779708257,"nanos":741158671},"http":{"id":"837cce0f-ecfb-4db2-9bb7-5ce7f48950d8","method":"POST","headers":{":authority":"maas.apps.f079999e-d19a-4ad0-b905-3c6ed0480c51.prod.konfluxeaas.com",":method":"POST",":path":"/llm/e2e-unconfigured-facebook-opt-125m-simulated/v1/completions",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-05-25T11:24:17Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"837cce0f-ecfb-4db2-9bb7-5ce7f48950d8","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-RhUQkennrVvA4NTB_OJgQh3lqhKekPYdWh9ajPfokZO9bF5ijnn2rOWGYZn0"} {"level":"debug","ts":"2026-05-25T11:24:17Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"837cce0f-ecfb-4db2-9bb7-5ce7f48950d8","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-RhUQkennrVvA4NTB_OJgQh3lqhKekPYdWh9ajPfokZO9bF5ijnn2rOWGYZn0\"}"} {"level":"debug","ts":"2026-05-25T11:24:17Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"837cce0f-ecfb-4db2-9bb7-5ce7f48950d8","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-05-25T11:24:17Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"837cce0f-ecfb-4db2-9bb7-5ce7f48950d8","config":"subscription-info","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","headers":{"Content-Type":["application/json"]},"body":"{\"groups\":[\"system:serviceaccounts\",\"system:serviceaccounts:default\",\"system:authenticated\"],\"requestedModel\":\"llm/e2e-unconfigured-facebook-opt-125m-simulated\",\"requestedSubscription\":\"e2e-central-models-exempt-sub\",\"username\":\"system:serviceaccount:default:tester-regular-user\"}"} {"level":"debug","ts":"2026-05-25T11:24:17Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"837cce0f-ecfb-4db2-9bb7-5ce7f48950d8","config":{"Name":"subscription-info","Priority":1,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"UserInfo":null,"UMA":null,"GenericHTTP":{"Endpoint":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","DynamicEndpoint":null,"Method":"POST","Body":{},"Parameters":[],"Headers":[],"ContentType":"application/json","SharedSecret":"","OAuth2":null,"OAuth2TokenForceFetch":false,"AuthCredentials":null}},"object":{"modelRefs":[{"description":"MaaSModelRef with no auth policy or subscription — used to validate default-deny","display_name":"Unconfigured OPT 125M (E2E)","name":"e2e-unconfigured-facebook-opt-125m-simulated","namespace":"llm","token_rate_limits":[{"limit":3,"window":"1m"}]}],"name":"e2e-central-models-exempt-sub","namespace":"models-as-a-service","phase":"Active","ready":true}} {"level":"debug","ts":"2026-05-25T11:24:17Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"837cce0f-ecfb-4db2-9bb7-5ce7f48950d8","input":{"auth":{"identity":"Bearer **** with no auth policy or subscription — used to validate default-deny","display_name":"Unconfigured OPT 125M (E2E)","name":"e2e-unconfigured-facebook-opt-125m-simulated","namespace":"llm","token_rate_limits":[{"limit":3,"window":"1m"}]}],"name":"e2e-central-models-exempt-sub","namespace":"models-as-a-service","phase":"Active","ready":true}}},"context":{"context_extensions":{"host":"d81a415a9d6b7bd916041b26b5a288b98c3b5bc233efb3bb1e7ca74fc032a437"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.133.0.27:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.f079999e-d19a-4ad0-b905-3c6ed0480c51.prod.konfluxeaas.com",":method":"POST",":path":"/llm/e2e-unconfigured-facebook-opt-125m-simulated/v1/completions",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-05-25T11:24:17Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"837cce0f-ecfb-4db2-9bb7-5ce7f48950d8","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\n# Allowed groups and users from all MaaSAuthPolicies\nallowed_groups := [\"system:authenticated\"]\nallowed_users := []\n\n# Extract username from API key, OIDC, or K8s token\nusername := input.auth.metadata.apiKeyValidation.username\n { object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n { object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n { object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n { object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\n# Extract groups from API key, OIDC, or K8s token\ngroups := input.auth.metadata.apiKeyValidation.groups\n { object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n { object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n { object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\n# Allow if user is in allowed users\nallow {\n username == allowed_users[_]\n}\n\n# Allow if any user group is in allowed groups\nallow {\n groups[_] == allowed_groups[_]\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-05-25T11:24:17Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"837cce0f-ecfb-4db2-9bb7-5ce7f48950d8","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"# API key authentication: validate the key\nallow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\n\n# Kubernetes token authentication: check identity exists\nallow {\n object.get(input.auth.identity, \"user\", {}).username != \"\"\n}\n\n# OIDC token authentication: check JWT subject exists\nallow {\n object.get(input.auth.identity, \"sub\", \"\") != \"\"\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-05-25T11:24:17Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"837cce0f-ecfb-4db2-9bb7-5ce7f48950d8","config":{"Name":"subscription-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n\t# Subscription name must be present (selector succeeded)\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\t# Error field must be empty (no validation errors from selector)\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\t# Allowlist: phase must be exactly \"Active\" or \"Degraded\" (reject empty/unreconciled)\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\t# Subscription must not be deleting\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-05-25T11:24:17Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"837cce0f-ecfb-4db2-9bb7-5ce7f48950d8","config":{"Name":"Authorization","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"httpHeader","WrapperKey":"authorization","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{"Static":"","Pattern":""}}},"object":""} {"level":"debug","ts":"2026-05-25T11:24:17Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"837cce0f-ecfb-4db2-9bb7-5ce7f48950d8","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"e2e-central-models-exempt-sub"} {"level":"debug","ts":"2026-05-25T11:24:17Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"837cce0f-ecfb-4db2-9bb7-5ce7f48950d8","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"groups","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"userid","Value":{"Static":null,"Pattern":"auth.metadata.apiKeyValidation.username"}},{"Name":"subscription_info","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"keyId","Value":{"Static":null,"Pattern":"auth.metadata.apiKeyValidation.keyId"}}]},"Plain":null},"object":{"groups":["system:serviceaccounts","system:serviceaccounts:default","system:authenticated"],"groups_str":"system:serviceaccounts,system:serviceaccounts:default,system:authenticated","keyId":"b2b8345c-1a1e-42bb-8fa4-74f74d4105a3","selected_subscription":"e2e-central-models-exempt-sub","selected_subscription_key":"models-as-a-service/e2e-central-models-exempt-sub@llm/e2e-unconfigured-facebook-opt-125m-simulated","subscription_error":"","subscription_error_message":"","subscription_info":{"modelRefs":[{"description":"MaaSModelRef with no auth policy or subscription — used to validate default-deny","display_name":"Unconfigured OPT 125M (E2E)","name":"e2e-unconfigured-facebook-opt-125m-simulated","namespace":"llm","token_rate_limits":[{"limit":3,"window":"1m"}]}],"name":"e2e-central-models-exempt-sub","namespace":"models-as-a-service","phase":"Active","ready":true},"userid":"system:serviceaccount:default:tester-regular-user"}} {"level":"info","ts":"2026-05-25T11:24:17Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"837cce0f-ecfb-4db2-9bb7-5ce7f48950d8","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-05-25T11:24:17Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"837cce0f-ecfb-4db2-9bb7-5ce7f48950d8","authorized":true,"response":"OK"} {"level":"info","ts":"2026-05-25T11:24:17Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"47621f2a-902a-445d-aacf-04f1abc3d112","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"100.64.0.3:49500","PortSpecifier":{"PortValue":49500}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.27:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"47621f2a-902a-445d-aacf-04f1abc3d112","method":"GET","path":"/maas-api/v1/models","host":"maas.apps.f079999e-d19a-4ad0-b905-3c6ed0480c51.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-05-25T11:24:17Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"47621f2a-902a-445d-aacf-04f1abc3d112","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"100.64.0.3:49500","PortSpecifier":{"PortValue":49500}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.27:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1779708257,"nanos":770949173},"http":{"id":"47621f2a-902a-445d-aacf-04f1abc3d112","method":"GET","headers":{":authority":"maas.apps.f079999e-d19a-4ad0-b905-3c6ed0480c51.prod.konfluxeaas.com",":method":"GET",":path":"/maas-api/v1/models",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-05-25T11:24:17Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"47621f2a-902a-445d-aacf-04f1abc3d112","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-RhUQkennrVvA4NTB_OJgQh3lqhKekPYdWh9ajPfokZO9bF5ijnn2rOWGYZn0"} {"level":"debug","ts":"2026-05-25T11:24:17Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"47621f2a-902a-445d-aacf-04f1abc3d112","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-RhUQkennrVvA4NTB_OJgQh3lqhKekPYdWh9ajPfokZO9bF5ijnn2rOWGYZn0\"}"} {"level":"debug","ts":"2026-05-25T11:24:17Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"47621f2a-902a-445d-aacf-04f1abc3d112","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-05-25T11:24:17Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"47621f2a-902a-445d-aacf-04f1abc3d112","input":{"auth":{"identity":"Bearer **** deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-05-25T11:24:17Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"47621f2a-902a-445d-aacf-04f1abc3d112","config":{"Name":"api-key-valid","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-05-25T11:24:17Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"47621f2a-902a-445d-aacf-04f1abc3d112","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-05-25T11:24:17Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"47621f2a-902a-445d-aacf-04f1abc3d112","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-05-25T11:24:17Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"47621f2a-902a-445d-aacf-04f1abc3d112","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"info","ts":"2026-05-25T11:24:17Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"47621f2a-902a-445d-aacf-04f1abc3d112","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-05-25T11:24:17Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"47621f2a-902a-445d-aacf-04f1abc3d112","authorized":true,"response":"OK"} {"level":"info","ts":"2026-05-25T11:24:17Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"2c5b193a-36d9-4cef-94f4-90955f0aeea4","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.50:51900","PortSpecifier":{"PortValue":51900}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.27:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"2c5b193a-36d9-4cef-94f4-90955f0aeea4","method":"GET","path":"/llm/e2e-unconfigured-facebook-opt-125m-simulated/v1/models","host":"maas.apps.f079999e-d19a-4ad0-b905-3c6ed0480c51.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-05-25T11:24:17Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"2c5b193a-36d9-4cef-94f4-90955f0aeea4","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.50:51900","PortSpecifier":{"PortValue":51900}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.27:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1779708257,"nanos":776788006},"http":{"id":"2c5b193a-36d9-4cef-94f4-90955f0aeea4","method":"GET","headers":{":authority":"maas.apps.f079999e-d19a-4ad0-b905-3c6ed0480c51.prod.konfluxeaas.com",":method":"GET",":path":"/llm/e2e-unconfigured-facebook-opt-125m-simulated/v1/models",":scheme":"https","accept-encoding":"gzip","authorization":"Bearer **** {"level":"debug","ts":"2026-05-25T11:24:17Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"2c5b193a-36d9-4cef-94f4-90955f0aeea4","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-RhUQkennrVvA4NTB_OJgQh3lqhKekPYdWh9ajPfokZO9bF5ijnn2rOWGYZn0"} {"level":"debug","ts":"2026-05-25T11:24:17Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"2c5b193a-36d9-4cef-94f4-90955f0aeea4","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-RhUQkennrVvA4NTB_OJgQh3lqhKekPYdWh9ajPfokZO9bF5ijnn2rOWGYZn0\"}"} {"level":"debug","ts":"2026-05-25T11:24:17Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"2c5b193a-36d9-4cef-94f4-90955f0aeea4","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-05-25T11:24:17Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"2c5b193a-36d9-4cef-94f4-90955f0aeea4","config":"subscription-info","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","headers":{"Content-Type":["application/json"]},"body":"{\"groups\":[\"system:serviceaccounts\",\"system:serviceaccounts:default\",\"system:authenticated\"],\"requestedModel\":\"llm/e2e-unconfigured-facebook-opt-125m-simulated\",\"requestedSubscription\":\"e2e-central-models-exempt-sub\",\"username\":\"system:serviceaccount:default:tester-regular-user\"}"} {"level":"debug","ts":"2026-05-25T11:24:17Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"2c5b193a-36d9-4cef-94f4-90955f0aeea4","config":{"Name":"subscription-info","Priority":1,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"UserInfo":null,"UMA":null,"GenericHTTP":{"Endpoint":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","DynamicEndpoint":null,"Method":"POST","Body":{},"Parameters":[],"Headers":[],"ContentType":"application/json","SharedSecret":"","OAuth2":null,"OAuth2TokenForceFetch":false,"AuthCredentials":null}},"object":{"modelRefs":[{"description":"MaaSModelRef with no auth policy or subscription — used to validate default-deny","display_name":"Unconfigured OPT 125M (E2E)","name":"e2e-unconfigured-facebook-opt-125m-simulated","namespace":"llm","token_rate_limits":[{"limit":3,"window":"1m"}]}],"name":"e2e-central-models-exempt-sub","namespace":"models-as-a-service","phase":"Active","ready":true}} {"level":"debug","ts":"2026-05-25T11:24:17Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"2c5b193a-36d9-4cef-94f4-90955f0aeea4","input":{"auth":{"identity":"Bearer **** with no auth policy or subscription — used to validate default-deny","display_name":"Unconfigured OPT 125M (E2E)","name":"e2e-unconfigured-facebook-opt-125m-simulated","namespace":"llm","token_rate_limits":[{"limit":3,"window":"1m"}]}],"name":"e2e-central-models-exempt-sub","namespace":"models-as-a-service","phase":"Active","ready":true}}},"context":{"context_extensions":{"host":"e38d76c6f386f12bc12190c87b39e6e77e182be454f85659a9197c301f2cd9be"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.133.0.27:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.f079999e-d19a-4ad0-b905-3c6ed0480c51.prod.konfluxeaas.com",":method":"GET",":path":"/llm/e2e-unconfigured-facebook-opt-125m-simulated/v1/models",":scheme":"https","accept-encoding":"gzip","authorization":"Bearer **** sk-oai-RhUQkennrVvA4NTB_OJgQh3lqhKekPYdWh9ajPfokZO9bF5ijnn2rOWGYZn0","user-agent":"Go-http-client/1.1","x-envoy-decorator-operation":"e2e-unconfiab60ef4d3a239b5143b412cab04acac3-kserve-workload-svc.llm.svc.cluster.local:8000/*","x-envoy-external-address":"10.134.0.50","x-envoy-peer-metadata":"ChoKCkNMVVNURVJfSUQSDBoKS3ViZXJuZXRlcwqLAQoGTEFCRUxTEoABKn4KSwofc2VydmljZS5pc3Rpby5pby9jYW5vbmljYWwtbmFtZRIoGiZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAovCiNzZXJ2aWNlLmlzdGlvLmlvL2Nhbm9uaWNhbC1yZXZpc2lvbhIIGgZsYXRlc3QKQQoETkFNRRI5GjdtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdC03ZDZmNDQ3Y2Y1LXdsdzR4CiAKCU5BTUVTUEFDRRITGhFvcGVuc2hpZnQtaW5ncmVzcwp0CgVPV05FUhJrGmlrdWJlcm5ldGVzOi8vYXBpcy9hcHBzL3YxL25hbWVzcGFjZXMvb3BlbnNoaWZ0LWluZ3Jlc3MvZGVwbG95bWVudHMvbWFhcy1kZWZhdWx0LWdhdGV3YXktb3BlbnNoaWZ0LWRlZmF1bHQKOQoNV09SS0xPQURfTkFNRRIoGiZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdA==","x-envoy-peer-metadata-id":"router~10.133.0.27~maas-default-gateway-openshift-default-7d6f447cf5-wlw4x.openshift-ingress~openshift-ingress.svc.cluster.local","x-forwarded-for":"10.134.0.50","x-forwarded-proto":"https","x-maas-subscription":"e2e-central-models-exempt-sub","x-request-id":"2c5b193a-36d9-4cef-94f4-90955f0aeea4"},"host":"maas.apps.f079999e-d19a-4ad0-b905-3c6ed0480c51.prod.konfluxeaas.com","id":"2c5b193a-36d9-4cef-94f4-90955f0aeea4","method":"GET","path":"/llm/e2e-unconfigured-facebook-opt-125m-simulated/v1/models","protocol":"HTTP/1.1","scheme":"https","time":{"nanos":776788006,"seconds":1779708257},"url_path":"/llm/e2e-unconfigured-facebook-opt-125m-simulated/v1/models","user_agent":"Go-http-client/1.1"},"source":{"address":"10.134.0.50:51900","port":51900}}} {"level":"debug","ts":"2026-05-25T11:24:17Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"2c5b193a-36d9-4cef-94f4-90955f0aeea4","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"# API key authentication: validate the key\nallow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\n\n# Kubernetes token authentication: check identity exists\nallow {\n object.get(input.auth.identity, \"user\", {}).username != \"\"\n}\n\n# OIDC token authentication: check JWT subject exists\nallow {\n object.get(input.auth.identity, \"sub\", \"\") != \"\"\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-05-25T11:24:17Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"2c5b193a-36d9-4cef-94f4-90955f0aeea4","config":{"Name":"subscription-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n\t# Subscription name must be present (selector succeeded)\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\t# Error field must be empty (no validation errors from selector)\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\t# Allowlist: phase must be exactly \"Active\" or \"Degraded\" (reject empty/unreconciled)\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\t# Subscription must not be deleting\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-05-25T11:24:17Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"2c5b193a-36d9-4cef-94f4-90955f0aeea4","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\n# Allowed groups and users from all MaaSAuthPolicies\nallowed_groups := [\"system:authenticated\"]\nallowed_users := []\n\n# Extract username from API key, OIDC, or K8s token\nusername := input.auth.metadata.apiKeyValidation.username\n { object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n { object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n { object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n { object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\n# Extract groups from API key, OIDC, or K8s token\ngroups := input.auth.metadata.apiKeyValidation.groups\n { object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n { object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n { object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\n# Allow if user is in allowed users\nallow {\n username == allowed_users[_]\n}\n\n# Allow if any user group is in allowed groups\nallow {\n groups[_] == allowed_groups[_]\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-05-25T11:24:17Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"2c5b193a-36d9-4cef-94f4-90955f0aeea4","config":{"Name":"Authorization","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"httpHeader","WrapperKey":"authorization","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{"Static":"","Pattern":""}}},"object":""} {"level":"debug","ts":"2026-05-25T11:24:17Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"2c5b193a-36d9-4cef-94f4-90955f0aeea4","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"e2e-central-models-exempt-sub"} {"level":"debug","ts":"2026-05-25T11:24:17Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"2c5b193a-36d9-4cef-94f4-90955f0aeea4","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"subscription_info","Value":{}},{"Name":"userid","Value":{"Static":null,"Pattern":"auth.metadata.apiKeyValidation.username"}},{"Name":"groups_str","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"groups","Value":{}},{"Name":"keyId","Value":{"Static":null,"Pattern":"auth.metadata.apiKeyValidation.keyId"}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"selected_subscription","Value":{}}]},"Plain":null},"object":{"groups":["system:serviceaccounts","system:serviceaccounts:default","system:authenticated"],"groups_str":"system:serviceaccounts,system:serviceaccounts:default,system:authenticated","keyId":"b2b8345c-1a1e-42bb-8fa4-74f74d4105a3","selected_subscription":"e2e-central-models-exempt-sub","selected_subscription_key":"models-as-a-service/e2e-central-models-exempt-sub@llm/e2e-unconfigured-facebook-opt-125m-simulated","subscription_error":"","subscription_error_message":"","subscription_info":{"modelRefs":[{"description":"MaaSModelRef with no auth policy or subscription — used to validate default-deny","display_name":"Unconfigured OPT 125M (E2E)","name":"e2e-unconfigured-facebook-opt-125m-simulated","namespace":"llm","token_rate_limits":[{"limit":3,"window":"1m"}]}],"name":"e2e-central-models-exempt-sub","namespace":"models-as-a-service","phase":"Active","ready":true},"userid":"system:serviceaccount:default:tester-regular-user"}} {"level":"info","ts":"2026-05-25T11:24:17Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"2c5b193a-36d9-4cef-94f4-90955f0aeea4","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-05-25T11:24:17Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"2c5b193a-36d9-4cef-94f4-90955f0aeea4","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-05-25T11:24:19Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"cccb9f888be4be56e16cc32e380709be54a35972abf80517f8c40fc107282b39","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"True","lastTransitionTime":"2026-05-25T11:24:03Z","reason":"HostsLinked"},{"type":"Ready","status":"True","lastTransitionTime":"2026-05-25T11:24:03Z","reason":"Reconciled"}],"summary":{"ready":true,"hostsReady":["cccb9f888be4be56e16cc32e380709be54a35972abf80517f8c40fc107282b39"],"numHostsReady":"1/1","numIdentitySources":0,"numMetadataSources":0,"numAuthorizationPolicies":1,"numResponseItems":0,"festivalWristbandEnabled":false}}} {"level":"info","ts":"2026-05-25T11:24:19Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/cccb9f888be4be56e16cc32e380709be54a35972abf80517f8c40fc107282b39"} {"level":"info","ts":"2026-05-25T11:24:19Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"cccb9f888be4be56e16cc32e380709be54a35972abf80517f8c40fc107282b39","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-05-25T11:24:19Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/cccb9f888be4be56e16cc32e380709be54a35972abf80517f8c40fc107282b39"} {"level":"debug","ts":"2026-05-25T11:24:19Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"cccb9f888be4be56e16cc32e380709be54a35972abf80517f8c40fc107282b39","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-05-25T11:24:20Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"aae65b7ddc0033e778bd82057b67fb5cd3e029782d6fd444ddefece908444945","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"False","lastTransitionTime":"2026-05-25T11:24:20Z","reason":"HostsNotLinked","message":"No hosts linked to the resource"},{"type":"Ready","status":"False","lastTransitionTime":"2026-05-25T11:24:20Z","reason":"Reconciling"}],"summary":{"ready":false,"hostsReady":[],"numHostsReady":"0/1","numIdentitySources":0,"numMetadataSources":0,"numAuthorizationPolicies":1,"numResponseItems":0,"festivalWristbandEnabled":false}}} {"level":"info","ts":"2026-05-25T11:24:20Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/aae65b7ddc0033e778bd82057b67fb5cd3e029782d6fd444ddefece908444945"} {"level":"info","ts":"2026-05-25T11:24:20Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"aae65b7ddc0033e778bd82057b67fb5cd3e029782d6fd444ddefece908444945","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-05-25T11:24:20Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/aae65b7ddc0033e778bd82057b67fb5cd3e029782d6fd444ddefece908444945"} {"level":"debug","ts":"2026-05-25T11:24:20Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"aae65b7ddc0033e778bd82057b67fb5cd3e029782d6fd444ddefece908444945","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"True","lastTransitionTime":"2026-05-25T11:24:20Z","reason":"HostsLinked"},{"type":"Ready","status":"True","lastTransitionTime":"2026-05-25T11:24:20Z","reason":"Reconciled"}],"summary":{"ready":true,"hostsReady":["aae65b7ddc0033e778bd82057b67fb5cd3e029782d6fd444ddefece908444945"],"numHostsReady":"1/1","numIdentitySources":0,"numMetadataSources":0,"numAuthorizationPolicies":1,"numResponseItems":0,"festivalWristbandEnabled":false}}} {"level":"info","ts":"2026-05-25T11:24:20Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"aae65b7ddc0033e778bd82057b67fb5cd3e029782d6fd444ddefece908444945","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-05-25T11:24:20Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/aae65b7ddc0033e778bd82057b67fb5cd3e029782d6fd444ddefece908444945"} {"level":"debug","ts":"2026-05-25T11:24:20Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"aae65b7ddc0033e778bd82057b67fb5cd3e029782d6fd444ddefece908444945","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-05-25T11:24:20Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"e38d76c6f386f12bc12190c87b39e6e77e182be454f85659a9197c301f2cd9be","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"False","lastTransitionTime":"2026-05-25T11:24:20Z","reason":"HostsNotLinked","message":"No hosts linked to the resource"},{"type":"Ready","status":"False","lastTransitionTime":"2026-05-25T11:24:20Z","reason":"Reconciling"}],"summary":{"ready":false,"hostsReady":[],"numHostsReady":"0/1","numIdentitySources":0,"numMetadataSources":0,"numAuthorizationPolicies":1,"numResponseItems":0,"festivalWristbandEnabled":false}}} {"level":"info","ts":"2026-05-25T11:24:20Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/e38d76c6f386f12bc12190c87b39e6e77e182be454f85659a9197c301f2cd9be"} {"level":"info","ts":"2026-05-25T11:24:20Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"e38d76c6f386f12bc12190c87b39e6e77e182be454f85659a9197c301f2cd9be","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-05-25T11:24:20Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"e38d76c6f386f12bc12190c87b39e6e77e182be454f85659a9197c301f2cd9be","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-05-25T11:24:20Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/e38d76c6f386f12bc12190c87b39e6e77e182be454f85659a9197c301f2cd9be"} {"level":"debug","ts":"2026-05-25T11:24:20Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"9bbfc0b2e9e9acadd41342cd7c36a24afa8a5eef942d161782a6adae8411158a","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"False","lastTransitionTime":"2026-05-25T11:24:20Z","reason":"HostsNotLinked","message":"No hosts linked to the resource"},{"type":"Ready","status":"False","lastTransitionTime":"2026-05-25T11:24:20Z","reason":"Reconciling"}],"summary":{"ready":false,"hostsReady":[],"numHostsReady":"0/1","numIdentitySources":0,"numMetadataSources":0,"numAuthorizationPolicies":1,"numResponseItems":0,"festivalWristbandEnabled":false}}} {"level":"info","ts":"2026-05-25T11:24:20Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/9bbfc0b2e9e9acadd41342cd7c36a24afa8a5eef942d161782a6adae8411158a"} {"level":"info","ts":"2026-05-25T11:24:20Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/9bbfc0b2e9e9acadd41342cd7c36a24afa8a5eef942d161782a6adae8411158a"} {"level":"info","ts":"2026-05-25T11:24:20Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"9bbfc0b2e9e9acadd41342cd7c36a24afa8a5eef942d161782a6adae8411158a","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-05-25T11:24:20Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"e38d76c6f386f12bc12190c87b39e6e77e182be454f85659a9197c301f2cd9be","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"True","lastTransitionTime":"2026-05-25T11:24:20Z","reason":"HostsLinked"},{"type":"Ready","status":"True","lastTransitionTime":"2026-05-25T11:24:20Z","reason":"Reconciled"}],"summary":{"ready":true,"hostsReady":["e38d76c6f386f12bc12190c87b39e6e77e182be454f85659a9197c301f2cd9be"],"numHostsReady":"1/1","numIdentitySources":0,"numMetadataSources":0,"numAuthorizationPolicies":1,"numResponseItems":0,"festivalWristbandEnabled":false}}} {"level":"info","ts":"2026-05-25T11:24:20Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/d81a415a9d6b7bd916041b26b5a288b98c3b5bc233efb3bb1e7ca74fc032a437"} {"level":"info","ts":"2026-05-25T11:24:20Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"e38d76c6f386f12bc12190c87b39e6e77e182be454f85659a9197c301f2cd9be","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-05-25T11:24:20Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"9bbfc0b2e9e9acadd41342cd7c36a24afa8a5eef942d161782a6adae8411158a","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"True","lastTransitionTime":"2026-05-25T11:24:20Z","reason":"HostsLinked"},{"type":"Ready","status":"True","lastTransitionTime":"2026-05-25T11:24:20Z","reason":"Reconciled"}],"summary":{"ready":true,"hostsReady":["9bbfc0b2e9e9acadd41342cd7c36a24afa8a5eef942d161782a6adae8411158a"],"numHostsReady":"1/1","numIdentitySources":0,"numMetadataSources":0,"numAuthorizationPolicies":1,"numResponseItems":0,"festivalWristbandEnabled":false}}} {"level":"info","ts":"2026-05-25T11:24:20Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/e38d76c6f386f12bc12190c87b39e6e77e182be454f85659a9197c301f2cd9be"} {"level":"info","ts":"2026-05-25T11:24:20Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"9bbfc0b2e9e9acadd41342cd7c36a24afa8a5eef942d161782a6adae8411158a","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-05-25T11:24:20Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"d81a415a9d6b7bd916041b26b5a288b98c3b5bc233efb3bb1e7ca74fc032a437","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"True","lastTransitionTime":"2026-05-25T11:24:03Z","reason":"HostsLinked"},{"type":"Ready","status":"True","lastTransitionTime":"2026-05-25T11:24:03Z","reason":"Reconciled"}],"summary":{"ready":true,"hostsReady":["d81a415a9d6b7bd916041b26b5a288b98c3b5bc233efb3bb1e7ca74fc032a437"],"numHostsReady":"1/1","numIdentitySources":0,"numMetadataSources":0,"numAuthorizationPolicies":1,"numResponseItems":0,"festivalWristbandEnabled":false}}} {"level":"info","ts":"2026-05-25T11:24:20Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/01918e70442d2cb18c94316131b0e0a241b4a5d12df5b1e1981a3bef420bbdb5"} {"level":"info","ts":"2026-05-25T11:24:20Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/9bbfc0b2e9e9acadd41342cd7c36a24afa8a5eef942d161782a6adae8411158a"} {"level":"info","ts":"2026-05-25T11:24:20Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"d81a415a9d6b7bd916041b26b5a288b98c3b5bc233efb3bb1e7ca74fc032a437","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-05-25T11:24:20Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"e38d76c6f386f12bc12190c87b39e6e77e182be454f85659a9197c301f2cd9be","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-05-25T11:24:20Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"01918e70442d2cb18c94316131b0e0a241b4a5d12df5b1e1981a3bef420bbdb5","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"True","lastTransitionTime":"2026-05-25T11:24:03Z","reason":"HostsLinked"},{"type":"Ready","status":"True","lastTransitionTime":"2026-05-25T11:24:03Z","reason":"Reconciled"}],"summary":{"ready":true,"hostsReady":["01918e70442d2cb18c94316131b0e0a241b4a5d12df5b1e1981a3bef420bbdb5"],"numHostsReady":"1/1","numIdentitySources":0,"numMetadataSources":0,"numAuthorizationPolicies":1,"numResponseItems":0,"festivalWristbandEnabled":false}}} {"level":"info","ts":"2026-05-25T11:24:20Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/d81a415a9d6b7bd916041b26b5a288b98c3b5bc233efb3bb1e7ca74fc032a437"} {"level":"info","ts":"2026-05-25T11:24:20Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"01918e70442d2cb18c94316131b0e0a241b4a5d12df5b1e1981a3bef420bbdb5","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-05-25T11:24:20Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"9bbfc0b2e9e9acadd41342cd7c36a24afa8a5eef942d161782a6adae8411158a","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-05-25T11:24:20Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"d81a415a9d6b7bd916041b26b5a288b98c3b5bc233efb3bb1e7ca74fc032a437","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-05-25T11:24:20Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/01918e70442d2cb18c94316131b0e0a241b4a5d12df5b1e1981a3bef420bbdb5"} {"level":"debug","ts":"2026-05-25T11:24:20Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"01918e70442d2cb18c94316131b0e0a241b4a5d12df5b1e1981a3bef420bbdb5","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-05-25T11:24:27Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"3efb8e937aa19b5e0bdd0c3eb5b4ece33299385dcfc89205b8934853facbdcf0","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"False","lastTransitionTime":"2026-05-25T11:24:27Z","reason":"HostsNotLinked","message":"No hosts linked to the resource"},{"type":"Ready","status":"False","lastTransitionTime":"2026-05-25T11:24:27Z","reason":"Reconciling"}],"summary":{"ready":false,"hostsReady":[],"numHostsReady":"0/1","numIdentitySources":2,"numMetadataSources":2,"numAuthorizationPolicies":3,"numResponseItems":3,"festivalWristbandEnabled":false}}} {"level":"info","ts":"2026-05-25T11:24:27Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/3efb8e937aa19b5e0bdd0c3eb5b4ece33299385dcfc89205b8934853facbdcf0"} {"level":"info","ts":"2026-05-25T11:24:27Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"3efb8e937aa19b5e0bdd0c3eb5b4ece33299385dcfc89205b8934853facbdcf0","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-05-25T11:24:27Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"3efb8e937aa19b5e0bdd0c3eb5b4ece33299385dcfc89205b8934853facbdcf0","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-05-25T11:24:27Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"3efb8e937aa19b5e0bdd0c3eb5b4ece33299385dcfc89205b8934853facbdcf0","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-05-25T11:24:27Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/3efb8e937aa19b5e0bdd0c3eb5b4ece33299385dcfc89205b8934853facbdcf0"} {"level":"debug","ts":"2026-05-25T11:24:27Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"3efb8e937aa19b5e0bdd0c3eb5b4ece33299385dcfc89205b8934853facbdcf0","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"True","lastTransitionTime":"2026-05-25T11:24:27Z","reason":"HostsLinked"},{"type":"Ready","status":"True","lastTransitionTime":"2026-05-25T11:24:27Z","reason":"Reconciled"}],"summary":{"ready":true,"hostsReady":["3efb8e937aa19b5e0bdd0c3eb5b4ece33299385dcfc89205b8934853facbdcf0"],"numHostsReady":"1/1","numIdentitySources":2,"numMetadataSources":2,"numAuthorizationPolicies":3,"numResponseItems":3,"festivalWristbandEnabled":false}}} {"level":"info","ts":"2026-05-25T11:24:27Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"3efb8e937aa19b5e0bdd0c3eb5b4ece33299385dcfc89205b8934853facbdcf0","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-05-25T11:24:27Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"3efb8e937aa19b5e0bdd0c3eb5b4ece33299385dcfc89205b8934853facbdcf0","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"False","lastTransitionTime":"2026-05-25T11:24:27Z","reason":"HostsNotLinked","message":"No hosts linked to the resource"},{"type":"Ready","status":"False","lastTransitionTime":"2026-05-25T11:24:27Z","reason":"Reconciling"}],"summary":{"ready":false,"hostsReady":[],"numHostsReady":"0/1","numIdentitySources":2,"numMetadataSources":2,"numAuthorizationPolicies":3,"numResponseItems":3,"festivalWristbandEnabled":false}}} {"level":"info","ts":"2026-05-25T11:24:27Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/3efb8e937aa19b5e0bdd0c3eb5b4ece33299385dcfc89205b8934853facbdcf0"} {"level":"info","ts":"2026-05-25T11:24:27Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"3efb8e937aa19b5e0bdd0c3eb5b4ece33299385dcfc89205b8934853facbdcf0","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-05-25T11:24:27Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"3efb8e937aa19b5e0bdd0c3eb5b4ece33299385dcfc89205b8934853facbdcf0","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-05-25T11:24:27Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"3efb8e937aa19b5e0bdd0c3eb5b4ece33299385dcfc89205b8934853facbdcf0","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-05-25T11:24:27Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/3efb8e937aa19b5e0bdd0c3eb5b4ece33299385dcfc89205b8934853facbdcf0"} {"level":"debug","ts":"2026-05-25T11:24:27Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"3efb8e937aa19b5e0bdd0c3eb5b4ece33299385dcfc89205b8934853facbdcf0","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"True","lastTransitionTime":"2026-05-25T11:24:27Z","reason":"HostsLinked"},{"type":"Ready","status":"True","lastTransitionTime":"2026-05-25T11:24:27Z","reason":"Reconciled"}],"summary":{"ready":true,"hostsReady":["3efb8e937aa19b5e0bdd0c3eb5b4ece33299385dcfc89205b8934853facbdcf0"],"numHostsReady":"1/1","numIdentitySources":2,"numMetadataSources":2,"numAuthorizationPolicies":3,"numResponseItems":3,"festivalWristbandEnabled":false}}} {"level":"info","ts":"2026-05-25T11:24:27Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"3efb8e937aa19b5e0bdd0c3eb5b4ece33299385dcfc89205b8934853facbdcf0","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-05-25T11:24:27Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"3efb8e937aa19b5e0bdd0c3eb5b4ece33299385dcfc89205b8934853facbdcf0","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"False","lastTransitionTime":"2026-05-25T11:24:27Z","reason":"HostsNotLinked","message":"No hosts linked to the resource"},{"type":"Ready","status":"False","lastTransitionTime":"2026-05-25T11:24:27Z","reason":"Reconciling"}],"summary":{"ready":false,"hostsReady":[],"numHostsReady":"0/1","numIdentitySources":2,"numMetadataSources":2,"numAuthorizationPolicies":3,"numResponseItems":3,"festivalWristbandEnabled":false}}} {"level":"info","ts":"2026-05-25T11:24:27Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/3efb8e937aa19b5e0bdd0c3eb5b4ece33299385dcfc89205b8934853facbdcf0"} {"level":"info","ts":"2026-05-25T11:24:27Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"3efb8e937aa19b5e0bdd0c3eb5b4ece33299385dcfc89205b8934853facbdcf0","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-05-25T11:24:27Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"2200947db0f3acc41dd3fca21efa06f90c57afddd36d719bdda2dc74a0bd0a11","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"False","lastTransitionTime":"2026-05-25T11:24:27Z","reason":"HostsNotLinked","message":"No hosts linked to the resource"},{"type":"Ready","status":"False","lastTransitionTime":"2026-05-25T11:24:27Z","reason":"Reconciling"}],"summary":{"ready":false,"hostsReady":[],"numHostsReady":"0/1","numIdentitySources":2,"numMetadataSources":2,"numAuthorizationPolicies":3,"numResponseItems":3,"festivalWristbandEnabled":false}}} {"level":"info","ts":"2026-05-25T11:24:27Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/2200947db0f3acc41dd3fca21efa06f90c57afddd36d719bdda2dc74a0bd0a11"} {"level":"info","ts":"2026-05-25T11:24:27Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"2200947db0f3acc41dd3fca21efa06f90c57afddd36d719bdda2dc74a0bd0a11","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-05-25T11:24:27Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"3efb8e937aa19b5e0bdd0c3eb5b4ece33299385dcfc89205b8934853facbdcf0","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-05-25T11:24:27Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"2200947db0f3acc41dd3fca21efa06f90c57afddd36d719bdda2dc74a0bd0a11","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"True","lastTransitionTime":"2026-05-25T11:24:27Z","reason":"HostsLinked"},{"type":"Ready","status":"True","lastTransitionTime":"2026-05-25T11:24:27Z","reason":"Reconciled"}],"summary":{"ready":true,"hostsReady":["2200947db0f3acc41dd3fca21efa06f90c57afddd36d719bdda2dc74a0bd0a11"],"numHostsReady":"1/1","numIdentitySources":2,"numMetadataSources":2,"numAuthorizationPolicies":3,"numResponseItems":3,"festivalWristbandEnabled":false}}} {"level":"info","ts":"2026-05-25T11:24:27Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/3efb8e937aa19b5e0bdd0c3eb5b4ece33299385dcfc89205b8934853facbdcf0"} {"level":"info","ts":"2026-05-25T11:24:27Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"2200947db0f3acc41dd3fca21efa06f90c57afddd36d719bdda2dc74a0bd0a11","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-05-25T11:24:27Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"3efb8e937aa19b5e0bdd0c3eb5b4ece33299385dcfc89205b8934853facbdcf0","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"True","lastTransitionTime":"2026-05-25T11:24:27Z","reason":"HostsLinked"},{"type":"Ready","status":"True","lastTransitionTime":"2026-05-25T11:24:27Z","reason":"Reconciled"}],"summary":{"ready":true,"hostsReady":["3efb8e937aa19b5e0bdd0c3eb5b4ece33299385dcfc89205b8934853facbdcf0"],"numHostsReady":"1/1","numIdentitySources":2,"numMetadataSources":2,"numAuthorizationPolicies":3,"numResponseItems":3,"festivalWristbandEnabled":false}}} {"level":"info","ts":"2026-05-25T11:24:28Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/2200947db0f3acc41dd3fca21efa06f90c57afddd36d719bdda2dc74a0bd0a11"} {"level":"info","ts":"2026-05-25T11:24:28Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"3efb8e937aa19b5e0bdd0c3eb5b4ece33299385dcfc89205b8934853facbdcf0","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-05-25T11:24:28Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"2200947db0f3acc41dd3fca21efa06f90c57afddd36d719bdda2dc74a0bd0a11","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"False","lastTransitionTime":"2026-05-25T11:24:28Z","reason":"HostsNotLinked","message":"No hosts linked to the resource"},{"type":"Ready","status":"False","lastTransitionTime":"2026-05-25T11:24:28Z","reason":"Reconciling"}],"summary":{"ready":false,"hostsReady":[],"numHostsReady":"0/1","numIdentitySources":2,"numMetadataSources":2,"numAuthorizationPolicies":3,"numResponseItems":3,"festivalWristbandEnabled":false}}} {"level":"info","ts":"2026-05-25T11:24:28Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/2200947db0f3acc41dd3fca21efa06f90c57afddd36d719bdda2dc74a0bd0a11"} {"level":"info","ts":"2026-05-25T11:24:28Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"2200947db0f3acc41dd3fca21efa06f90c57afddd36d719bdda2dc74a0bd0a11","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-05-25T11:24:28Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"3efb8e937aa19b5e0bdd0c3eb5b4ece33299385dcfc89205b8934853facbdcf0","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"False","lastTransitionTime":"2026-05-25T11:24:28Z","reason":"HostsNotLinked","message":"No hosts linked to the resource"},{"type":"Ready","status":"False","lastTransitionTime":"2026-05-25T11:24:28Z","reason":"Reconciling"}],"summary":{"ready":false,"hostsReady":[],"numHostsReady":"0/1","numIdentitySources":2,"numMetadataSources":2,"numAuthorizationPolicies":3,"numResponseItems":3,"festivalWristbandEnabled":false}}} {"level":"info","ts":"2026-05-25T11:24:28Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/3efb8e937aa19b5e0bdd0c3eb5b4ece33299385dcfc89205b8934853facbdcf0"} {"level":"info","ts":"2026-05-25T11:24:28Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"3efb8e937aa19b5e0bdd0c3eb5b4ece33299385dcfc89205b8934853facbdcf0","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-05-25T11:24:28Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"2200947db0f3acc41dd3fca21efa06f90c57afddd36d719bdda2dc74a0bd0a11","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-05-25T11:24:28Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"3efb8e937aa19b5e0bdd0c3eb5b4ece33299385dcfc89205b8934853facbdcf0","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"True","lastTransitionTime":"2026-05-25T11:24:28Z","reason":"HostsLinked"},{"type":"Ready","status":"True","lastTransitionTime":"2026-05-25T11:24:28Z","reason":"Reconciled"}],"summary":{"ready":true,"hostsReady":["3efb8e937aa19b5e0bdd0c3eb5b4ece33299385dcfc89205b8934853facbdcf0"],"numHostsReady":"1/1","numIdentitySources":2,"numMetadataSources":2,"numAuthorizationPolicies":3,"numResponseItems":3,"festivalWristbandEnabled":false}}} {"level":"info","ts":"2026-05-25T11:24:28Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/2200947db0f3acc41dd3fca21efa06f90c57afddd36d719bdda2dc74a0bd0a11"} {"level":"info","ts":"2026-05-25T11:24:28Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"3efb8e937aa19b5e0bdd0c3eb5b4ece33299385dcfc89205b8934853facbdcf0","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-05-25T11:24:28Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"2200947db0f3acc41dd3fca21efa06f90c57afddd36d719bdda2dc74a0bd0a11","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"True","lastTransitionTime":"2026-05-25T11:24:28Z","reason":"HostsLinked"},{"type":"Ready","status":"True","lastTransitionTime":"2026-05-25T11:24:28Z","reason":"Reconciled"}],"summary":{"ready":true,"hostsReady":["2200947db0f3acc41dd3fca21efa06f90c57afddd36d719bdda2dc74a0bd0a11"],"numHostsReady":"1/1","numIdentitySources":2,"numMetadataSources":2,"numAuthorizationPolicies":3,"numResponseItems":3,"festivalWristbandEnabled":false}}} {"level":"info","ts":"2026-05-25T11:24:28Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/3efb8e937aa19b5e0bdd0c3eb5b4ece33299385dcfc89205b8934853facbdcf0"} {"level":"info","ts":"2026-05-25T11:24:28Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"2200947db0f3acc41dd3fca21efa06f90c57afddd36d719bdda2dc74a0bd0a11","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-05-25T11:24:28Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"d127e164a8bca0cf424b571951b72a15565cdd1b6a3edcc64b640ecaf71b0c52","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"False","lastTransitionTime":"2026-05-25T11:24:28Z","reason":"HostsNotLinked","message":"No hosts linked to the resource"},{"type":"Ready","status":"False","lastTransitionTime":"2026-05-25T11:24:28Z","reason":"Reconciling"}],"summary":{"ready":false,"hostsReady":[],"numHostsReady":"0/1","numIdentitySources":2,"numMetadataSources":2,"numAuthorizationPolicies":3,"numResponseItems":3,"festivalWristbandEnabled":false}}} {"level":"info","ts":"2026-05-25T11:24:28Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/d127e164a8bca0cf424b571951b72a15565cdd1b6a3edcc64b640ecaf71b0c52"} {"level":"info","ts":"2026-05-25T11:24:28Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"d127e164a8bca0cf424b571951b72a15565cdd1b6a3edcc64b640ecaf71b0c52","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-05-25T11:24:28Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"3efb8e937aa19b5e0bdd0c3eb5b4ece33299385dcfc89205b8934853facbdcf0","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"False","lastTransitionTime":"2026-05-25T11:24:28Z","reason":"HostsNotLinked","message":"No hosts linked to the resource"},{"type":"Ready","status":"False","lastTransitionTime":"2026-05-25T11:24:28Z","reason":"Reconciling"}],"summary":{"ready":false,"hostsReady":[],"numHostsReady":"0/1","numIdentitySources":2,"numMetadataSources":2,"numAuthorizationPolicies":3,"numResponseItems":3,"festivalWristbandEnabled":false}}} {"level":"info","ts":"2026-05-25T11:24:28Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/3efb8e937aa19b5e0bdd0c3eb5b4ece33299385dcfc89205b8934853facbdcf0"} {"level":"info","ts":"2026-05-25T11:24:28Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"3efb8e937aa19b5e0bdd0c3eb5b4ece33299385dcfc89205b8934853facbdcf0","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-05-25T11:24:28Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"3174635d626d01417a9ea6e7e44f66ab5759eab01406d407db2e4b6e08e42016","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"False","lastTransitionTime":"2026-05-25T11:24:28Z","reason":"HostsNotLinked","message":"No hosts linked to the resource"},{"type":"Ready","status":"False","lastTransitionTime":"2026-05-25T11:24:28Z","reason":"Reconciling"}],"summary":{"ready":false,"hostsReady":[],"numHostsReady":"0/1","numIdentitySources":2,"numMetadataSources":2,"numAuthorizationPolicies":3,"numResponseItems":3,"festivalWristbandEnabled":false}}} {"level":"info","ts":"2026-05-25T11:24:28Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/3174635d626d01417a9ea6e7e44f66ab5759eab01406d407db2e4b6e08e42016"} {"level":"info","ts":"2026-05-25T11:24:28Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"3174635d626d01417a9ea6e7e44f66ab5759eab01406d407db2e4b6e08e42016","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-05-25T11:24:28Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"2200947db0f3acc41dd3fca21efa06f90c57afddd36d719bdda2dc74a0bd0a11","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"False","lastTransitionTime":"2026-05-25T11:24:28Z","reason":"HostsNotLinked","message":"No hosts linked to the resource"},{"type":"Ready","status":"False","lastTransitionTime":"2026-05-25T11:24:28Z","reason":"Reconciling"}],"summary":{"ready":false,"hostsReady":[],"numHostsReady":"0/1","numIdentitySources":2,"numMetadataSources":2,"numAuthorizationPolicies":3,"numResponseItems":3,"festivalWristbandEnabled":false}}} {"level":"info","ts":"2026-05-25T11:24:28Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/2200947db0f3acc41dd3fca21efa06f90c57afddd36d719bdda2dc74a0bd0a11"} {"level":"info","ts":"2026-05-25T11:24:28Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/d127e164a8bca0cf424b571951b72a15565cdd1b6a3edcc64b640ecaf71b0c52"} {"level":"info","ts":"2026-05-25T11:24:28Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"2200947db0f3acc41dd3fca21efa06f90c57afddd36d719bdda2dc74a0bd0a11","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-05-25T11:24:28Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"d127e164a8bca0cf424b571951b72a15565cdd1b6a3edcc64b640ecaf71b0c52","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"True","lastTransitionTime":"2026-05-25T11:24:28Z","reason":"HostsLinked"},{"type":"Ready","status":"True","lastTransitionTime":"2026-05-25T11:24:28Z","reason":"Reconciled"}],"summary":{"ready":true,"hostsReady":["d127e164a8bca0cf424b571951b72a15565cdd1b6a3edcc64b640ecaf71b0c52"],"numHostsReady":"1/1","numIdentitySources":2,"numMetadataSources":2,"numAuthorizationPolicies":3,"numResponseItems":3,"festivalWristbandEnabled":false}}} {"level":"info","ts":"2026-05-25T11:24:28Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"d127e164a8bca0cf424b571951b72a15565cdd1b6a3edcc64b640ecaf71b0c52","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-05-25T11:24:28Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"3efb8e937aa19b5e0bdd0c3eb5b4ece33299385dcfc89205b8934853facbdcf0","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-05-25T11:24:28Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"3174635d626d01417a9ea6e7e44f66ab5759eab01406d407db2e4b6e08e42016","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"True","lastTransitionTime":"2026-05-25T11:24:28Z","reason":"HostsLinked"},{"type":"Ready","status":"True","lastTransitionTime":"2026-05-25T11:24:28Z","reason":"Reconciled"}],"summary":{"ready":true,"hostsReady":["3174635d626d01417a9ea6e7e44f66ab5759eab01406d407db2e4b6e08e42016"],"numHostsReady":"1/1","numIdentitySources":2,"numMetadataSources":2,"numAuthorizationPolicies":3,"numResponseItems":3,"festivalWristbandEnabled":false}}} {"level":"info","ts":"2026-05-25T11:24:28Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/3efb8e937aa19b5e0bdd0c3eb5b4ece33299385dcfc89205b8934853facbdcf0"} {"level":"info","ts":"2026-05-25T11:24:28Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"3174635d626d01417a9ea6e7e44f66ab5759eab01406d407db2e4b6e08e42016","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-05-25T11:24:28Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"2200947db0f3acc41dd3fca21efa06f90c57afddd36d719bdda2dc74a0bd0a11","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"True","lastTransitionTime":"2026-05-25T11:24:28Z","reason":"HostsLinked"},{"type":"Ready","status":"True","lastTransitionTime":"2026-05-25T11:24:28Z","reason":"Reconciled"}],"summary":{"ready":true,"hostsReady":["2200947db0f3acc41dd3fca21efa06f90c57afddd36d719bdda2dc74a0bd0a11"],"numHostsReady":"1/1","numIdentitySources":2,"numMetadataSources":2,"numAuthorizationPolicies":3,"numResponseItems":3,"festivalWristbandEnabled":false}}} {"level":"info","ts":"2026-05-25T11:24:28Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/3174635d626d01417a9ea6e7e44f66ab5759eab01406d407db2e4b6e08e42016"} {"level":"info","ts":"2026-05-25T11:24:28Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"2200947db0f3acc41dd3fca21efa06f90c57afddd36d719bdda2dc74a0bd0a11","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-05-25T11:24:28Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"d127e164a8bca0cf424b571951b72a15565cdd1b6a3edcc64b640ecaf71b0c52","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-05-25T11:24:28Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"3efb8e937aa19b5e0bdd0c3eb5b4ece33299385dcfc89205b8934853facbdcf0","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"True","lastTransitionTime":"2026-05-25T11:24:28Z","reason":"HostsLinked"},{"type":"Ready","status":"True","lastTransitionTime":"2026-05-25T11:24:28Z","reason":"Reconciled"}],"summary":{"ready":true,"hostsReady":["3efb8e937aa19b5e0bdd0c3eb5b4ece33299385dcfc89205b8934853facbdcf0"],"numHostsReady":"1/1","numIdentitySources":2,"numMetadataSources":2,"numAuthorizationPolicies":3,"numResponseItems":3,"festivalWristbandEnabled":false}}} {"level":"info","ts":"2026-05-25T11:24:28Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/2200947db0f3acc41dd3fca21efa06f90c57afddd36d719bdda2dc74a0bd0a11"} {"level":"info","ts":"2026-05-25T11:24:28Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"3efb8e937aa19b5e0bdd0c3eb5b4ece33299385dcfc89205b8934853facbdcf0","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-05-25T11:24:28Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"3174635d626d01417a9ea6e7e44f66ab5759eab01406d407db2e4b6e08e42016","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-05-25T11:24:28Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"2200947db0f3acc41dd3fca21efa06f90c57afddd36d719bdda2dc74a0bd0a11","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-05-25T11:24:28Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"3efb8e937aa19b5e0bdd0c3eb5b4ece33299385dcfc89205b8934853facbdcf0","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-05-25T11:24:28Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/d127e164a8bca0cf424b571951b72a15565cdd1b6a3edcc64b640ecaf71b0c52"} {"level":"info","ts":"2026-05-25T11:24:28Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/3174635d626d01417a9ea6e7e44f66ab5759eab01406d407db2e4b6e08e42016"} {"level":"info","ts":"2026-05-25T11:24:28Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/2200947db0f3acc41dd3fca21efa06f90c57afddd36d719bdda2dc74a0bd0a11"} {"level":"info","ts":"2026-05-25T11:24:28Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/3efb8e937aa19b5e0bdd0c3eb5b4ece33299385dcfc89205b8934853facbdcf0"} {"level":"info","ts":"2026-05-25T11:24:33Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"fd13451e-f3b9-4284-a202-fb1ece0a4331","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"100.64.0.3:29922","PortSpecifier":{"PortValue":29922}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.27:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"fd13451e-f3b9-4284-a202-fb1ece0a4331","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.f079999e-d19a-4ad0-b905-3c6ed0480c51.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-05-25T11:24:33Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"fd13451e-f3b9-4284-a202-fb1ece0a4331","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"100.64.0.3:29922","PortSpecifier":{"PortValue":29922}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.27:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1779708273,"nanos":441552738},"http":{"id":"fd13451e-f3b9-4284-a202-fb1ece0a4331","method":"POST","headers":{":authority":"maas.apps.f079999e-d19a-4ad0-b905-3c6ed0480c51.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-05-25T11:24:33Z","logger":"authorino.service.auth.authpipeline.identity.kubernetesauth","msg":"calling kubernetes token review api","request id":"fd13451e-f3b9-4284-a202-fb1ece0a4331","tokenreview":{"name":""}} {"level":"debug","ts":"2026-05-25T11:24:33Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"fd13451e-f3b9-4284-a202-fb1ece0a4331","config":{"Name":"openshift-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":null,"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"authenticated":true,"user":{"username":"system:serviceaccount:default:tester-regular-user","uid":"6cd961c5-9124-4865-89e5-56327a116d72","groups":["system:serviceaccounts","system:serviceaccounts:default","system:authenticated"],"extra":{"authentication.kubernetes.io/credential-id":["JTI=fef997d1-72e5-44ae-8e7b-b4c524d6dda9"]}},"audiences":["https://prod-eaas-bucket.s3.us-east-1.amazonaws.com/3c6ed0480c51"]}} {"level":"debug","ts":"2026-05-25T11:24:33Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"fd13451e-f3b9-4284-a202-fb1ece0a4331","input":{"auth":{"identity":{"audiences":["https://prod-eaas-bucket.s3.us-east-1.amazonaws.com/3c6ed0480c51"],"authenticated":true,"user":{"extra":{"authentication.kubernetes.io/credential-id":["JTI=fef997d1-72e5-44ae-8e7b-b4c524d6dda9"]},"groups":["system:serviceaccounts","system:serviceaccounts:default","system:authenticated"],"uid":"6cd961c5-9124-4865-89e5-56327a116d72","username":"system:serviceaccount:default:tester-regular-user"}}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.133.0.27:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.f079999e-d19a-4ad0-b905-3c6ed0480c51.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-05-25T11:24:33Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"fd13451e-f3b9-4284-a202-fb1ece0a4331","config":{"Name":"X-MaaS-Username-OC","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{"Static":null,"Pattern":"auth.identity.user.username"}}},"object":"system:serviceaccount:default:tester-regular-user"} {"level":"debug","ts":"2026-05-25T11:24:33Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"fd13451e-f3b9-4284-a202-fb1ece0a4331","config":{"Name":"X-MaaS-Group-OC","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{"Static":null,"Pattern":"auth.identity.user.groups.@tostr"}}},"object":"[\"system:serviceaccounts\",\"system:serviceaccounts:default\",\"system:authenticated\"]"} {"level":"info","ts":"2026-05-25T11:24:33Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"fd13451e-f3b9-4284-a202-fb1ece0a4331","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-05-25T11:24:33Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"fd13451e-f3b9-4284-a202-fb1ece0a4331","authorized":true,"response":"OK"} {"level":"info","ts":"2026-05-25T11:24:33Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"8f925fdb-8512-48eb-8516-bfc920d22927","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"100.64.0.4:20430","PortSpecifier":{"PortValue":20430}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.27:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"8f925fdb-8512-48eb-8516-bfc920d22927","method":"POST","path":"/llm/e2e-external-model/v1/chat/completions","host":"maas.apps.f079999e-d19a-4ad0-b905-3c6ed0480c51.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-05-25T11:24:33Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"8f925fdb-8512-48eb-8516-bfc920d22927","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"100.64.0.4:20430","PortSpecifier":{"PortValue":20430}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.27:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1779708273,"nanos":805343631},"http":{"id":"8f925fdb-8512-48eb-8516-bfc920d22927","method":"POST","headers":{":authority":"maas.apps.f079999e-d19a-4ad0-b905-3c6ed0480c51.prod.konfluxeaas.com",":method":"POST",":path":"/llm/e2e-external-model/v1/chat/completions",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"info","ts":"2026-05-25T11:24:33Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"8f925fdb-8512-48eb-8516-bfc920d22927","authorized":false,"response":"UNAUTHENTICATED","object":{"code":16,"status":401,"message":"Authentication required"}} {"level":"debug","ts":"2026-05-25T11:24:33Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"8f925fdb-8512-48eb-8516-bfc920d22927","authorized":false,"response":"UNAUTHENTICATED","object":{"code":16,"status":401,"message":"Authentication required","headers":[{"WWW-Authenticate":"request.headers.authorization realm=\"api-keys\""},{"WWW-Authenticate":"Bearer **** {"level":"info","ts":"2026-05-25T11:24:33Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"bc4705fc-8fc1-45e4-b680-236d9a90a875","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"100.64.0.4:9864","PortSpecifier":{"PortValue":9864}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.27:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"bc4705fc-8fc1-45e4-b680-236d9a90a875","method":"POST","path":"/llm/e2e-external-model/v1/chat/completions","host":"maas.apps.f079999e-d19a-4ad0-b905-3c6ed0480c51.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-05-25T11:24:33Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"bc4705fc-8fc1-45e4-b680-236d9a90a875","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"100.64.0.4:9864","PortSpecifier":{"PortValue":9864}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.27:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1779708273,"nanos":828347884},"http":{"id":"bc4705fc-8fc1-45e4-b680-236d9a90a875","method":"POST","headers":{":authority":"maas.apps.f079999e-d19a-4ad0-b905-3c6ed0480c51.prod.konfluxeaas.com",":method":"POST",":path":"/llm/e2e-external-model/v1/chat/completions",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","content-length":"83","content-type":"application/json","user-agent":"python-requests/2.32.5","x-envoy-decorator-operation":"httpbin.org:443/*","x-envoy-external-address":"100.64.0.4","x-forwarded-for":"100.64.0.4","x-forwarded-proto":"https","x-request-id":"bc4705fc-8fc1-45e4-b680-236d9a90a875"},"path":"/llm/e2e-external-model/v1/chat/completions","host":"maas.apps.f079999e-d19a-4ad0-b905-3c6ed0480c51.prod.konfluxeaas.com","scheme":"https","protocol":"HTTP/1.1"}},"context_extensions":{"host":"3174635d626d01417a9ea6e7e44f66ab5759eab01406d407db2e4b6e08e42016"},"metadata_context":{}}} {"level":"info","ts":"2026-05-25T11:24:33Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"bc4705fc-8fc1-45e4-b680-236d9a90a875","authorized":false,"response":"UNAUTHENTICATED","object":{"code":16,"status":401,"message":"Authentication required"}} {"level":"debug","ts":"2026-05-25T11:24:33Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"bc4705fc-8fc1-45e4-b680-236d9a90a875","authorized":false,"response":"UNAUTHENTICATED","object":{"code":16,"status":401,"message":"Authentication required","headers":[{"WWW-Authenticate":"request.headers.authorization realm=\"api-keys\""},{"WWW-Authenticate":"Bearer **** {"level":"info","ts":"2026-05-25T11:24:33Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"bd1d6153-44ee-4381-9702-216d209ccfa4","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"100.64.0.2:45546","PortSpecifier":{"PortValue":45546}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.27:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"bd1d6153-44ee-4381-9702-216d209ccfa4","method":"POST","path":"/llm/e2e-external-model/v1/chat/completions","host":"maas.apps.f079999e-d19a-4ad0-b905-3c6ed0480c51.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-05-25T11:24:33Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"bd1d6153-44ee-4381-9702-216d209ccfa4","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"100.64.0.2:45546","PortSpecifier":{"PortValue":45546}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.27:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1779708273,"nanos":851389905},"http":{"id":"bd1d6153-44ee-4381-9702-216d209ccfa4","method":"POST","headers":{":authority":"maas.apps.f079999e-d19a-4ad0-b905-3c6ed0480c51.prod.konfluxeaas.com",":method":"POST",":path":"/llm/e2e-external-model/v1/chat/completions",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-05-25T11:24:33Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"bd1d6153-44ee-4381-9702-216d209ccfa4","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-FLloEYjfMQJkMv5F_HS2kkupuzDUUiO9AX58NCNvhMUFzIw82H8lybK0PyBL"} {"level":"debug","ts":"2026-05-25T11:24:33Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"bd1d6153-44ee-4381-9702-216d209ccfa4","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-FLloEYjfMQJkMv5F_HS2kkupuzDUUiO9AX58NCNvhMUFzIw82H8lybK0PyBL\"}"} {"level":"debug","ts":"2026-05-25T11:24:33Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"bd1d6153-44ee-4381-9702-216d209ccfa4","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-05-25T11:24:33Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"bd1d6153-44ee-4381-9702-216d209ccfa4","config":"subscription-info","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","headers":{"Content-Type":["application/json"]},"body":"{\"groups\":[\"system:serviceaccounts\",\"system:serviceaccounts:default\",\"system:authenticated\"],\"requestedModel\":\"llm/e2e-external-model\",\"requestedSubscription\":\"e2e-external-subscription\",\"username\":\"system:serviceaccount:default:tester-regular-user\"}"} {"level":"debug","ts":"2026-05-25T11:24:33Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"bd1d6153-44ee-4381-9702-216d209ccfa4","config":{"Name":"subscription-info","Priority":1,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"UserInfo":null,"UMA":null,"GenericHTTP":{"Endpoint":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","DynamicEndpoint":null,"Method":"POST","Body":{},"Parameters":[],"Headers":[],"ContentType":"application/json","SharedSecret":"","OAuth2":null,"OAuth2TokenForceFetch":false,"AuthCredentials":null}},"object":{"modelRefs":[{"name":"e2e-external-model","namespace":"llm","token_rate_limits":[{"limit":10000,"window":"1h"}]}],"name":"e2e-external-subscription","namespace":"models-as-a-service","phase":"Active","ready":true}} {"level":"debug","ts":"2026-05-25T11:24:33Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"bd1d6153-44ee-4381-9702-216d209ccfa4","input":{"auth":{"identity":"Bearer **** deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-05-25T11:24:33Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"bd1d6153-44ee-4381-9702-216d209ccfa4","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"# API key authentication: validate the key\nallow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\n\n# Kubernetes token authentication: check identity exists\nallow {\n object.get(input.auth.identity, \"user\", {}).username != \"\"\n}\n\n# OIDC token authentication: check JWT subject exists\nallow {\n object.get(input.auth.identity, \"sub\", \"\") != \"\"\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-05-25T11:24:33Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"bd1d6153-44ee-4381-9702-216d209ccfa4","config":{"Name":"subscription-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n\t# Subscription name must be present (selector succeeded)\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\t# Error field must be empty (no validation errors from selector)\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\t# Allowlist: phase must be exactly \"Active\" or \"Degraded\" (reject empty/unreconciled)\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\t# Subscription must not be deleting\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-05-25T11:24:33Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"bd1d6153-44ee-4381-9702-216d209ccfa4","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\n# Allowed groups and users from all MaaSAuthPolicies\nallowed_groups := [\"system:authenticated\"]\nallowed_users := []\n\n# Extract username from API key, OIDC, or K8s token\nusername := input.auth.metadata.apiKeyValidation.username\n { object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n { object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n { object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n { object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\n# Extract groups from API key, OIDC, or K8s token\ngroups := input.auth.metadata.apiKeyValidation.groups\n { object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n { object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n { object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\n# Allow if user is in allowed users\nallow {\n username == allowed_users[_]\n}\n\n# Allow if any user group is in allowed groups\nallow {\n groups[_] == allowed_groups[_]\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-05-25T11:24:33Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"bd1d6153-44ee-4381-9702-216d209ccfa4","config":{"Name":"Authorization","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"httpHeader","WrapperKey":"authorization","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{"Static":"","Pattern":""}}},"object":""} {"level":"debug","ts":"2026-05-25T11:24:33Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"bd1d6153-44ee-4381-9702-216d209ccfa4","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"e2e-external-subscription"} {"level":"debug","ts":"2026-05-25T11:24:33Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"bd1d6153-44ee-4381-9702-216d209ccfa4","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"groups_str","Value":{}},{"Name":"keyId","Value":{"Static":null,"Pattern":"auth.metadata.apiKeyValidation.keyId"}},{"Name":"subscription_error_message","Value":{}},{"Name":"groups","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"userid","Value":{"Static":null,"Pattern":"auth.metadata.apiKeyValidation.username"}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_info","Value":{}}]},"Plain":null},"object":{"groups":["system:serviceaccounts","system:serviceaccounts:default","system:authenticated"],"groups_str":"system:serviceaccounts,system:serviceaccounts:default,system:authenticated","keyId":"67d66859-e7ff-4755-9996-a66bdcc60dfc","selected_subscription":"e2e-external-subscription","selected_subscription_key":"models-as-a-service/e2e-external-subscription@llm/e2e-external-model","subscription_error":"","subscription_error_message":"","subscription_info":{"modelRefs":[{"name":"e2e-external-model","namespace":"llm","token_rate_limits":[{"limit":10000,"window":"1h"}]}],"name":"e2e-external-subscription","namespace":"models-as-a-service","phase":"Active","ready":true},"userid":"system:serviceaccount:default:tester-regular-user"}} {"level":"info","ts":"2026-05-25T11:24:33Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"bd1d6153-44ee-4381-9702-216d209ccfa4","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-05-25T11:24:33Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"bd1d6153-44ee-4381-9702-216d209ccfa4","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-05-25T11:24:36Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"1bc352d5e387b2430c796ef533893aa1a2ae117af03b4d40dccaf57df32193ae","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"False","lastTransitionTime":"2026-05-25T11:24:36Z","reason":"HostsNotLinked","message":"No hosts linked to the resource"},{"type":"Ready","status":"False","lastTransitionTime":"2026-05-25T11:24:36Z","reason":"Reconciling"}],"summary":{"ready":false,"hostsReady":[],"numHostsReady":"0/1","numIdentitySources":0,"numMetadataSources":0,"numAuthorizationPolicies":1,"numResponseItems":0,"festivalWristbandEnabled":false}}} {"level":"info","ts":"2026-05-25T11:24:36Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/1bc352d5e387b2430c796ef533893aa1a2ae117af03b4d40dccaf57df32193ae"} {"level":"info","ts":"2026-05-25T11:24:36Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/1bc352d5e387b2430c796ef533893aa1a2ae117af03b4d40dccaf57df32193ae"} {"level":"info","ts":"2026-05-25T11:24:36Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"1bc352d5e387b2430c796ef533893aa1a2ae117af03b4d40dccaf57df32193ae","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-05-25T11:24:36Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"1bc352d5e387b2430c796ef533893aa1a2ae117af03b4d40dccaf57df32193ae","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"True","lastTransitionTime":"2026-05-25T11:24:36Z","reason":"HostsLinked"},{"type":"Ready","status":"True","lastTransitionTime":"2026-05-25T11:24:36Z","reason":"Reconciled"}],"summary":{"ready":true,"hostsReady":["1bc352d5e387b2430c796ef533893aa1a2ae117af03b4d40dccaf57df32193ae"],"numHostsReady":"1/1","numIdentitySources":0,"numMetadataSources":0,"numAuthorizationPolicies":1,"numResponseItems":0,"festivalWristbandEnabled":false}}} {"level":"info","ts":"2026-05-25T11:24:36Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/1bc352d5e387b2430c796ef533893aa1a2ae117af03b4d40dccaf57df32193ae"} {"level":"info","ts":"2026-05-25T11:24:36Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"1bc352d5e387b2430c796ef533893aa1a2ae117af03b4d40dccaf57df32193ae","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-05-25T11:24:36Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"1bc352d5e387b2430c796ef533893aa1a2ae117af03b4d40dccaf57df32193ae","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"True","lastTransitionTime":"2026-05-25T11:24:36Z","reason":"HostsLinked"},{"type":"Ready","status":"True","lastTransitionTime":"2026-05-25T11:24:36Z","reason":"Reconciled"}],"summary":{"ready":true,"hostsReady":["1bc352d5e387b2430c796ef533893aa1a2ae117af03b4d40dccaf57df32193ae"],"numHostsReady":"1/1","numIdentitySources":0,"numMetadataSources":0,"numAuthorizationPolicies":1,"numResponseItems":0,"festivalWristbandEnabled":false}}} {"level":"error","ts":"2026-05-25T11:24:36Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"failed to update the resource","authconfig":{"name":"1bc352d5e387b2430c796ef533893aa1a2ae117af03b4d40dccaf57df32193ae","namespace":"kuadrant-system"},"error":"Operation cannot be fulfilled on authconfigs.authorino.kuadrant.io \"1bc352d5e387b2430c796ef533893aa1a2ae117af03b4d40dccaf57df32193ae\": the object has been modified; please apply your changes to the latest version and try again","stacktrace":"github.com/kuadrant/authorino/controllers.(*AuthConfigStatusUpdater).updateAuthConfigStatus\n\t/usr/src/authorino/controllers/auth_config_status_updater.go:162\ngithub.com/kuadrant/authorino/controllers.(*AuthConfigStatusUpdater).Reconcile\n\t/usr/src/authorino/controllers/auth_config_status_updater.go:81\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Reconcile\n\t/opt/app-root/src/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.16.3/pkg/internal/controller/controller.go:119\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).reconcileHandler\n\t/opt/app-root/src/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.16.3/pkg/internal/controller/controller.go:316\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem\n\t/opt/app-root/src/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.16.3/pkg/internal/controller/controller.go:266\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func2.2\n\t/opt/app-root/src/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.16.3/pkg/internal/controller/controller.go:227"} {"level":"debug","ts":"2026-05-25T11:24:36Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"1bc352d5e387b2430c796ef533893aa1a2ae117af03b4d40dccaf57df32193ae","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-05-25T11:24:36Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"1bc352d5e387b2430c796ef533893aa1a2ae117af03b4d40dccaf57df32193ae","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-05-25T11:24:36Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/33e58f39cf4e0d944ce934a5018acdcfa74a705ab4b8890a72a2529f341cdcf4"} {"level":"debug","ts":"2026-05-25T11:24:36Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"33e58f39cf4e0d944ce934a5018acdcfa74a705ab4b8890a72a2529f341cdcf4","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"False","lastTransitionTime":"2026-05-25T11:24:36Z","reason":"HostsNotLinked","message":"No hosts linked to the resource"},{"type":"Ready","status":"False","lastTransitionTime":"2026-05-25T11:24:36Z","reason":"Reconciling"}],"summary":{"ready":false,"hostsReady":[],"numHostsReady":"0/1","numIdentitySources":0,"numMetadataSources":0,"numAuthorizationPolicies":1,"numResponseItems":0,"festivalWristbandEnabled":false}}} {"level":"info","ts":"2026-05-25T11:24:36Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"33e58f39cf4e0d944ce934a5018acdcfa74a705ab4b8890a72a2529f341cdcf4","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-05-25T11:24:36Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/33e58f39cf4e0d944ce934a5018acdcfa74a705ab4b8890a72a2529f341cdcf4"} {"level":"debug","ts":"2026-05-25T11:24:36Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"33e58f39cf4e0d944ce934a5018acdcfa74a705ab4b8890a72a2529f341cdcf4","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"True","lastTransitionTime":"2026-05-25T11:24:36Z","reason":"HostsLinked"},{"type":"Ready","status":"True","lastTransitionTime":"2026-05-25T11:24:36Z","reason":"Reconciled"}],"summary":{"ready":true,"hostsReady":["33e58f39cf4e0d944ce934a5018acdcfa74a705ab4b8890a72a2529f341cdcf4"],"numHostsReady":"1/1","numIdentitySources":0,"numMetadataSources":0,"numAuthorizationPolicies":1,"numResponseItems":0,"festivalWristbandEnabled":false}}} {"level":"info","ts":"2026-05-25T11:24:36Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/8529f271698b5a3bc9025c33c0ecd15ded96a8c2fb76e9818941deb66b0dcc98"} {"level":"info","ts":"2026-05-25T11:24:36Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"33e58f39cf4e0d944ce934a5018acdcfa74a705ab4b8890a72a2529f341cdcf4","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-05-25T11:24:36Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"8529f271698b5a3bc9025c33c0ecd15ded96a8c2fb76e9818941deb66b0dcc98","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"True","lastTransitionTime":"2026-05-25T11:24:36Z","reason":"HostsLinked"},{"type":"Ready","status":"True","lastTransitionTime":"2026-05-25T11:24:36Z","reason":"Reconciled"}],"summary":{"ready":true,"hostsReady":["8529f271698b5a3bc9025c33c0ecd15ded96a8c2fb76e9818941deb66b0dcc98"],"numHostsReady":"1/1","numIdentitySources":0,"numMetadataSources":0,"numAuthorizationPolicies":1,"numResponseItems":0,"festivalWristbandEnabled":false}}} {"level":"info","ts":"2026-05-25T11:24:36Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/33e58f39cf4e0d944ce934a5018acdcfa74a705ab4b8890a72a2529f341cdcf4"} {"level":"info","ts":"2026-05-25T11:24:36Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"8529f271698b5a3bc9025c33c0ecd15ded96a8c2fb76e9818941deb66b0dcc98","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-05-25T11:24:36Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/8529f271698b5a3bc9025c33c0ecd15ded96a8c2fb76e9818941deb66b0dcc98"} {"level":"debug","ts":"2026-05-25T11:24:36Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"33e58f39cf4e0d944ce934a5018acdcfa74a705ab4b8890a72a2529f341cdcf4","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-05-25T11:24:36Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"8529f271698b5a3bc9025c33c0ecd15ded96a8c2fb76e9818941deb66b0dcc98","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-05-25T11:24:36Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"aaea927e1e37c0ebeb2c3974ee40df4c6800e3e311c62d17c070273cdcfebaeb","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"False","lastTransitionTime":"2026-05-25T11:24:36Z","reason":"HostsNotLinked","message":"No hosts linked to the resource"},{"type":"Ready","status":"False","lastTransitionTime":"2026-05-25T11:24:36Z","reason":"Unknown"}],"summary":{"ready":false,"hostsReady":[],"numHostsReady":"0/1","numIdentitySources":0,"numMetadataSources":0,"numAuthorizationPolicies":1,"numResponseItems":0,"festivalWristbandEnabled":false}}} {"level":"info","ts":"2026-05-25T11:24:36Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/aaea927e1e37c0ebeb2c3974ee40df4c6800e3e311c62d17c070273cdcfebaeb"} {"level":"info","ts":"2026-05-25T11:24:36Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"aaea927e1e37c0ebeb2c3974ee40df4c6800e3e311c62d17c070273cdcfebaeb","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-05-25T11:24:36Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"aaea927e1e37c0ebeb2c3974ee40df4c6800e3e311c62d17c070273cdcfebaeb","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"True","lastTransitionTime":"2026-05-25T11:24:36Z","reason":"HostsLinked"},{"type":"Ready","status":"True","lastTransitionTime":"2026-05-25T11:24:36Z","reason":"Reconciled"}],"summary":{"ready":true,"hostsReady":["aaea927e1e37c0ebeb2c3974ee40df4c6800e3e311c62d17c070273cdcfebaeb"],"numHostsReady":"1/1","numIdentitySources":0,"numMetadataSources":0,"numAuthorizationPolicies":1,"numResponseItems":0,"festivalWristbandEnabled":false}}} {"level":"info","ts":"2026-05-25T11:24:36Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/aaea927e1e37c0ebeb2c3974ee40df4c6800e3e311c62d17c070273cdcfebaeb"} {"level":"info","ts":"2026-05-25T11:24:36Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"aaea927e1e37c0ebeb2c3974ee40df4c6800e3e311c62d17c070273cdcfebaeb","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-05-25T11:24:36Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/aaea927e1e37c0ebeb2c3974ee40df4c6800e3e311c62d17c070273cdcfebaeb"} {"level":"debug","ts":"2026-05-25T11:24:36Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"aaea927e1e37c0ebeb2c3974ee40df4c6800e3e311c62d17c070273cdcfebaeb","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"False","lastTransitionTime":"2026-05-25T11:24:36Z","reason":"HostsNotLinked","message":"No hosts linked to the resource"},{"type":"Ready","status":"False","lastTransitionTime":"2026-05-25T11:24:36Z","reason":"Reconciling"}],"summary":{"ready":false,"hostsReady":[],"numHostsReady":"0/1","numIdentitySources":0,"numMetadataSources":0,"numAuthorizationPolicies":1,"numResponseItems":0,"festivalWristbandEnabled":false}}} {"level":"info","ts":"2026-05-25T11:24:36Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/aaea927e1e37c0ebeb2c3974ee40df4c6800e3e311c62d17c070273cdcfebaeb"} {"level":"info","ts":"2026-05-25T11:24:36Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"aaea927e1e37c0ebeb2c3974ee40df4c6800e3e311c62d17c070273cdcfebaeb","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-05-25T11:24:36Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"aaea927e1e37c0ebeb2c3974ee40df4c6800e3e311c62d17c070273cdcfebaeb","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"True","lastTransitionTime":"2026-05-25T11:24:36Z","reason":"HostsLinked"},{"type":"Ready","status":"True","lastTransitionTime":"2026-05-25T11:24:36Z","reason":"Reconciled"}],"summary":{"ready":true,"hostsReady":["aaea927e1e37c0ebeb2c3974ee40df4c6800e3e311c62d17c070273cdcfebaeb"],"numHostsReady":"1/1","numIdentitySources":0,"numMetadataSources":0,"numAuthorizationPolicies":1,"numResponseItems":0,"festivalWristbandEnabled":false}}} {"level":"info","ts":"2026-05-25T11:24:36Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"aaea927e1e37c0ebeb2c3974ee40df4c6800e3e311c62d17c070273cdcfebaeb","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-05-25T11:24:36Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"aaea927e1e37c0ebeb2c3974ee40df4c6800e3e311c62d17c070273cdcfebaeb","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-05-25T11:24:36Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/aaea927e1e37c0ebeb2c3974ee40df4c6800e3e311c62d17c070273cdcfebaeb"} {"level":"info","ts":"2026-05-25T11:25:00Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource de-indexed","authconfig":"kuadrant-system/aaea927e1e37c0ebeb2c3974ee40df4c6800e3e311c62d17c070273cdcfebaeb"} {"level":"info","ts":"2026-05-25T11:25:00Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource de-indexed","authconfig":"kuadrant-system/8529f271698b5a3bc9025c33c0ecd15ded96a8c2fb76e9818941deb66b0dcc98"} {"level":"info","ts":"2026-05-25T11:25:00Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource de-indexed","authconfig":"kuadrant-system/1bc352d5e387b2430c796ef533893aa1a2ae117af03b4d40dccaf57df32193ae"} {"level":"info","ts":"2026-05-25T11:25:00Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource de-indexed","authconfig":"kuadrant-system/33e58f39cf4e0d944ce934a5018acdcfa74a705ab4b8890a72a2529f341cdcf4"} {"level":"info","ts":"2026-05-25T11:25:12Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource de-indexed","authconfig":"kuadrant-system/2200947db0f3acc41dd3fca21efa06f90c57afddd36d719bdda2dc74a0bd0a11"} {"level":"info","ts":"2026-05-25T11:25:12Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource de-indexed","authconfig":"kuadrant-system/d127e164a8bca0cf424b571951b72a15565cdd1b6a3edcc64b640ecaf71b0c52"} {"level":"info","ts":"2026-05-25T11:25:12Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource de-indexed","authconfig":"kuadrant-system/3174635d626d01417a9ea6e7e44f66ab5759eab01406d407db2e4b6e08e42016"} {"level":"info","ts":"2026-05-25T11:25:13Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource de-indexed","authconfig":"kuadrant-system/3efb8e937aa19b5e0bdd0c3eb5b4ece33299385dcfc89205b8934853facbdcf0"} {"level":"info","ts":"2026-05-25T11:25:15Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"b6584eca-1926-4fd5-8e70-d32cc281a42d","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"100.64.0.3:63722","PortSpecifier":{"PortValue":63722}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.27:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"b6584eca-1926-4fd5-8e70-d32cc281a42d","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.f079999e-d19a-4ad0-b905-3c6ed0480c51.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-05-25T11:25:15Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"b6584eca-1926-4fd5-8e70-d32cc281a42d","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"100.64.0.3:63722","PortSpecifier":{"PortValue":63722}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.27:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1779708315,"nanos":387107748},"http":{"id":"b6584eca-1926-4fd5-8e70-d32cc281a42d","method":"POST","headers":{":authority":"maas.apps.f079999e-d19a-4ad0-b905-3c6ed0480c51.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","authorization":"Bearer **** {"level":"debug","ts":"2026-05-25T11:25:15Z","logger":"authorino.service.auth.authpipeline.identity.kubernetesauth","msg":"calling kubernetes token review api","request id":"b6584eca-1926-4fd5-8e70-d32cc281a42d","tokenreview":{"name":""}} {"level":"debug","ts":"2026-05-25T11:25:15Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"b6584eca-1926-4fd5-8e70-d32cc281a42d","config":{"Name":"openshift-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":null,"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"authenticated":true,"user":{"username":"system:serviceaccount:maas-admin:tester-admin-user","uid":"0a4a04de-93e2-4732-835b-3f9d7da0c386","groups":["system:serviceaccounts","system:serviceaccounts:maas-admin","system:authenticated"],"extra":{"authentication.kubernetes.io/credential-id":["JTI=e2ea20db-4140-4656-9ec5-8c1f5aa48d4b"]}},"audiences":["https://prod-eaas-bucket.s3.us-east-1.amazonaws.com/3c6ed0480c51"]}} {"level":"debug","ts":"2026-05-25T11:25:15Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"b6584eca-1926-4fd5-8e70-d32cc281a42d","input":{"auth":{"identity":{"audiences":["https://prod-eaas-bucket.s3.us-east-1.amazonaws.com/3c6ed0480c51"],"authenticated":true,"user":{"extra":{"authentication.kubernetes.io/credential-id":["JTI=e2ea20db-4140-4656-9ec5-8c1f5aa48d4b"]},"groups":["system:serviceaccounts","system:serviceaccounts:maas-admin","system:authenticated"],"uid":"0a4a04de-93e2-4732-835b-3f9d7da0c386","username":"system:serviceaccount:maas-admin:tester-admin-user"}}},"context":{"context_extensions":{"host":"d44d6970f0ac9b448c729a344c019166492f90c7945285882c656b64a6725911"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.133.0.27:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.f079999e-d19a-4ad0-b905-3c6ed0480c51.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","authorization":"Bearer **** ****REDACTED_JWT****","content-length":"55","content-type":"application/json","user-agent":"curl/7.76.1","x-envoy-decorator-operation":"maas-api.opendatahub.svc.cluster.local:8443/*","x-envoy-external-address":"100.64.0.3","x-envoy-peer-metadata":"ChoKCkNMVVNURVJfSUQSDBoKS3ViZXJuZXRlcwqLAQoGTEFCRUxTEoABKn4KSwofc2VydmljZS5pc3Rpby5pby9jYW5vbmljYWwtbmFtZRIoGiZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAovCiNzZXJ2aWNlLmlzdGlvLmlvL2Nhbm9uaWNhbC1yZXZpc2lvbhIIGgZsYXRlc3QKQQoETkFNRRI5GjdtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdC03ZDZmNDQ3Y2Y1LXdsdzR4CiAKCU5BTUVTUEFDRRITGhFvcGVuc2hpZnQtaW5ncmVzcwp0CgVPV05FUhJrGmlrdWJlcm5ldGVzOi8vYXBpcy9hcHBzL3YxL25hbWVzcGFjZXMvb3BlbnNoaWZ0LWluZ3Jlc3MvZGVwbG95bWVudHMvbWFhcy1kZWZhdWx0LWdhdGV3YXktb3BlbnNoaWZ0LWRlZmF1bHQKOQoNV09SS0xPQURfTkFNRRIoGiZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdA==","x-envoy-peer-metadata-id":"router~10.133.0.27~maas-default-gateway-openshift-default-7d6f447cf5-wlw4x.openshift-ingress~openshift-ingress.svc.cluster.local","x-forwarded-for":"100.64.0.3","x-forwarded-proto":"https","x-request-id":"b6584eca-1926-4fd5-8e70-d32cc281a42d"},"host":"maas.apps.f079999e-d19a-4ad0-b905-3c6ed0480c51.prod.konfluxeaas.com","id":"b6584eca-1926-4fd5-8e70-d32cc281a42d","method":"POST","path":"/maas-api/v1/api-keys","protocol":"HTTP/2","scheme":"https","time":{"nanos":387107748,"seconds":1779708315},"url_path":"/maas-api/v1/api-keys","user_agent":"curl/7.76.1"},"source":{"address":"100.64.0.3:63722","port":63722}}} {"level":"debug","ts":"2026-05-25T11:25:15Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"b6584eca-1926-4fd5-8e70-d32cc281a42d","config":{"Name":"X-MaaS-Username-OC","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{"Static":null,"Pattern":"auth.identity.user.username"}}},"object":"system:serviceaccount:maas-admin:tester-admin-user"} {"level":"debug","ts":"2026-05-25T11:25:15Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"b6584eca-1926-4fd5-8e70-d32cc281a42d","config":{"Name":"X-MaaS-Group-OC","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{"Static":null,"Pattern":"auth.identity.user.groups.@tostr"}}},"object":"[\"system:serviceaccounts\",\"system:serviceaccounts:maas-admin\",\"system:authenticated\"]"} {"level":"info","ts":"2026-05-25T11:25:15Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"b6584eca-1926-4fd5-8e70-d32cc281a42d","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-05-25T11:25:15Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"b6584eca-1926-4fd5-8e70-d32cc281a42d","authorized":true,"response":"OK"} {"level":"info","ts":"2026-05-25T11:25:15Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"b635c17f-4e75-43c0-abde-e5569bfae86d","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"100.64.0.2:5584","PortSpecifier":{"PortValue":5584}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.27:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"b635c17f-4e75-43c0-abde-e5569bfae86d","method":"GET","path":"/maas-api/v1/models","host":"maas.apps.f079999e-d19a-4ad0-b905-3c6ed0480c51.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-05-25T11:25:15Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"b635c17f-4e75-43c0-abde-e5569bfae86d","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"100.64.0.2:5584","PortSpecifier":{"PortValue":5584}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.27:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1779708315,"nanos":447251786},"http":{"id":"b635c17f-4e75-43c0-abde-e5569bfae86d","method":"GET","headers":{":authority":"maas.apps.f079999e-d19a-4ad0-b905-3c6ed0480c51.prod.konfluxeaas.com",":method":"GET",":path":"/maas-api/v1/models",":scheme":"https","accept":"*/*","authorization":"Bearer **** {"level":"debug","ts":"2026-05-25T11:25:15Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"b635c17f-4e75-43c0-abde-e5569bfae86d","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-1XRwQGBteuLfxj1Ht_rHa4EfLNOQ96MFRaT9I2ZjX4OBgfnGRv1S2Dur1gxWw"} {"level":"debug","ts":"2026-05-25T11:25:15Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"b635c17f-4e75-43c0-abde-e5569bfae86d","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-1XRwQGBteuLfxj1Ht_rHa4EfLNOQ96MFRaT9I2ZjX4OBgfnGRv1S2Dur1gxWw\"}"} {"level":"debug","ts":"2026-05-25T11:25:15Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"b635c17f-4e75-43c0-abde-e5569bfae86d","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-05-25T11:25:15Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"b635c17f-4e75-43c0-abde-e5569bfae86d","input":{"auth":{"identity":"Bearer **** sk-oai-1XRwQGBteuLfxj1Ht_rHa4EfLNOQ96MFRaT9I2ZjX4OBgfnGRv1S2Dur1gxWw","content-type":"application/json","user-agent":"curl/7.76.1","x-envoy-decorator-operation":"maas-api.opendatahub.svc.cluster.local:8443/*","x-envoy-external-address":"100.64.0.2","x-envoy-peer-metadata":"ChoKCkNMVVNURVJfSUQSDBoKS3ViZXJuZXRlcwqLAQoGTEFCRUxTEoABKn4KSwofc2VydmljZS5pc3Rpby5pby9jYW5vbmljYWwtbmFtZRIoGiZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAovCiNzZXJ2aWNlLmlzdGlvLmlvL2Nhbm9uaWNhbC1yZXZpc2lvbhIIGgZsYXRlc3QKQQoETkFNRRI5GjdtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdC03ZDZmNDQ3Y2Y1LXdsdzR4CiAKCU5BTUVTUEFDRRITGhFvcGVuc2hpZnQtaW5ncmVzcwp0CgVPV05FUhJrGmlrdWJlcm5ldGVzOi8vYXBpcy9hcHBzL3YxL25hbWVzcGFjZXMvb3BlbnNoaWZ0LWluZ3Jlc3MvZGVwbG95bWVudHMvbWFhcy1kZWZhdWx0LWdhdGV3YXktb3BlbnNoaWZ0LWRlZmF1bHQKOQoNV09SS0xPQURfTkFNRRIoGiZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdA==","x-envoy-peer-metadata-id":"router~10.133.0.27~maas-default-gateway-openshift-default-7d6f447cf5-wlw4x.openshift-ingress~openshift-ingress.svc.cluster.local","x-forwarded-for":"100.64.0.2","x-forwarded-proto":"https","x-request-id":"b635c17f-4e75-43c0-abde-e5569bfae86d"},"host":"maas.apps.f079999e-d19a-4ad0-b905-3c6ed0480c51.prod.konfluxeaas.com","id":"b635c17f-4e75-43c0-abde-e5569bfae86d","method":"GET","path":"/maas-api/v1/models","protocol":"HTTP/2","scheme":"https"},"time":{"nanos":447251786,"seconds":1779708315}},"source":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":5584},"address":"100.64.0.2:5584"}}}}},"destination":{"address":"10.133.0.27:443","port":443},"metadata":{},"request":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"headers":{":authority":"maas.apps.f079999e-d19a-4ad0-b905-3c6ed0480c51.prod.konfluxeaas.com",":method":"GET",":path":"/maas-api/v1/models",":scheme":"https","accept":"*/*","authorization":"Bearer **** {"level":"debug","ts":"2026-05-25T11:25:15Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"b635c17f-4e75-43c0-abde-e5569bfae86d","config":{"Name":"api-key-valid","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-05-25T11:25:15Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"b635c17f-4e75-43c0-abde-e5569bfae86d","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-05-25T11:25:15Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"b635c17f-4e75-43c0-abde-e5569bfae86d","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-05-25T11:25:15Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"b635c17f-4e75-43c0-abde-e5569bfae86d","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"info","ts":"2026-05-25T11:25:15Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"b635c17f-4e75-43c0-abde-e5569bfae86d","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-05-25T11:25:15Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"b635c17f-4e75-43c0-abde-e5569bfae86d","authorized":true,"response":"OK"} {"level":"info","ts":"2026-05-25T11:25:15Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"960695ec-4aa7-4a3e-88c4-ea80e5e8b5e5","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.50:51900","PortSpecifier":{"PortValue":51900}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.27:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"960695ec-4aa7-4a3e-88c4-ea80e5e8b5e5","method":"GET","path":"/llm/facebook-opt-125m-simulated/v1/models","host":"maas.apps.f079999e-d19a-4ad0-b905-3c6ed0480c51.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-05-25T11:25:15Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"960695ec-4aa7-4a3e-88c4-ea80e5e8b5e5","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.50:51900","PortSpecifier":{"PortValue":51900}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.27:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1779708315,"nanos":455827012},"http":{"id":"960695ec-4aa7-4a3e-88c4-ea80e5e8b5e5","method":"GET","headers":{":authority":"maas.apps.f079999e-d19a-4ad0-b905-3c6ed0480c51.prod.konfluxeaas.com",":method":"GET",":path":"/llm/facebook-opt-125m-simulated/v1/models",":scheme":"https","accept-encoding":"gzip","authorization":"Bearer **** {"level":"debug","ts":"2026-05-25T11:25:15Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"960695ec-4aa7-4a3e-88c4-ea80e5e8b5e5","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-1XRwQGBteuLfxj1Ht_rHa4EfLNOQ96MFRaT9I2ZjX4OBgfnGRv1S2Dur1gxWw"} {"level":"debug","ts":"2026-05-25T11:25:15Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"960695ec-4aa7-4a3e-88c4-ea80e5e8b5e5","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-1XRwQGBteuLfxj1Ht_rHa4EfLNOQ96MFRaT9I2ZjX4OBgfnGRv1S2Dur1gxWw\"}"} {"level":"debug","ts":"2026-05-25T11:25:15Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"960695ec-4aa7-4a3e-88c4-ea80e5e8b5e5","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-05-25T11:25:15Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"960695ec-4aa7-4a3e-88c4-ea80e5e8b5e5","config":"subscription-info","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","headers":{"Content-Type":["application/json"]},"body":"{\"groups\":[\"system:serviceaccounts\",\"system:serviceaccounts:maas-admin\",\"system:authenticated\"],\"requestedModel\":\"llm/facebook-opt-125m-simulated\",\"requestedSubscription\":\"simulator-subscription\",\"username\":\"system:serviceaccount:maas-admin:tester-admin-user\"}"} {"level":"debug","ts":"2026-05-25T11:25:15Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"960695ec-4aa7-4a3e-88c4-ea80e5e8b5e5","config":{"Name":"subscription-info","Priority":1,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"UserInfo":null,"UMA":null,"GenericHTTP":{"Endpoint":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","DynamicEndpoint":null,"Method":"POST","Body":{},"Parameters":[],"Headers":[],"ContentType":"application/json","SharedSecret":"","OAuth2":null,"OAuth2TokenForceFetch":false,"AuthCredentials":null}},"object":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","namespace":"llm","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}} {"level":"debug","ts":"2026-05-25T11:25:15Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"960695ec-4aa7-4a3e-88c4-ea80e5e8b5e5","input":{"auth":{"identity":"Bearer **** subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","namespace":"llm","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}}},"context":{"context_extensions":{"host":"311b1be286674fd5684c9ac59b318287dade9769cfe4aeebd8c88e2dc6b72418"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.133.0.27:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.f079999e-d19a-4ad0-b905-3c6ed0480c51.prod.konfluxeaas.com",":method":"GET",":path":"/llm/facebook-opt-125m-simulated/v1/models",":scheme":"https","accept-encoding":"gzip","authorization":"Bearer **** sk-oai-1XRwQGBteuLfxj1Ht_rHa4EfLNOQ96MFRaT9I2ZjX4OBgfnGRv1S2Dur1gxWw","user-agent":"Go-http-client/1.1","x-envoy-decorator-operation":"facebook-opt-125m-simulated-kserve-workload-svc.llm.svc.cluster.local:8000/*","x-envoy-external-address":"10.134.0.50","x-envoy-peer-metadata":"ChoKCkNMVVNURVJfSUQSDBoKS3ViZXJuZXRlcwqLAQoGTEFCRUxTEoABKn4KSwofc2VydmljZS5pc3Rpby5pby9jYW5vbmljYWwtbmFtZRIoGiZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAovCiNzZXJ2aWNlLmlzdGlvLmlvL2Nhbm9uaWNhbC1yZXZpc2lvbhIIGgZsYXRlc3QKQQoETkFNRRI5GjdtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdC03ZDZmNDQ3Y2Y1LXdsdzR4CiAKCU5BTUVTUEFDRRITGhFvcGVuc2hpZnQtaW5ncmVzcwp0CgVPV05FUhJrGmlrdWJlcm5ldGVzOi8vYXBpcy9hcHBzL3YxL25hbWVzcGFjZXMvb3BlbnNoaWZ0LWluZ3Jlc3MvZGVwbG95bWVudHMvbWFhcy1kZWZhdWx0LWdhdGV3YXktb3BlbnNoaWZ0LWRlZmF1bHQKOQoNV09SS0xPQURfTkFNRRIoGiZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdA==","x-envoy-peer-metadata-id":"router~10.133.0.27~maas-default-gateway-openshift-default-7d6f447cf5-wlw4x.openshift-ingress~openshift-ingress.svc.cluster.local","x-forwarded-for":"10.134.0.50","x-forwarded-proto":"https","x-maas-subscription":"simulator-subscription","x-request-id":"960695ec-4aa7-4a3e-88c4-ea80e5e8b5e5"},"host":"maas.apps.f079999e-d19a-4ad0-b905-3c6ed0480c51.prod.konfluxeaas.com","id":"960695ec-4aa7-4a3e-88c4-ea80e5e8b5e5","method":"GET","path":"/llm/facebook-opt-125m-simulated/v1/models","protocol":"HTTP/1.1","scheme":"https","time":{"nanos":455827012,"seconds":1779708315},"url_path":"/llm/facebook-opt-125m-simulated/v1/models","user_agent":"Go-http-client/1.1"},"source":{"address":"10.134.0.50:51900","port":51900}}} {"level":"debug","ts":"2026-05-25T11:25:15Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"960695ec-4aa7-4a3e-88c4-ea80e5e8b5e5","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\n# Allowed groups and users from all MaaSAuthPolicies\nallowed_groups := [\"system:authenticated\"]\nallowed_users := []\n\n# Extract username from API key, OIDC, or K8s token\nusername := input.auth.metadata.apiKeyValidation.username\n { object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n { object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n { object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n { object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\n# Extract groups from API key, OIDC, or K8s token\ngroups := input.auth.metadata.apiKeyValidation.groups\n { object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n { object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n { object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\n# Allow if user is in allowed users\nallow {\n username == allowed_users[_]\n}\n\n# Allow if any user group is in allowed groups\nallow {\n groups[_] == allowed_groups[_]\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-05-25T11:25:15Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"960695ec-4aa7-4a3e-88c4-ea80e5e8b5e5","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"# API key authentication: validate the key\nallow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\n\n# Kubernetes token authentication: check identity exists\nallow {\n object.get(input.auth.identity, \"user\", {}).username != \"\"\n}\n\n# OIDC token authentication: check JWT subject exists\nallow {\n object.get(input.auth.identity, \"sub\", \"\") != \"\"\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-05-25T11:25:15Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"960695ec-4aa7-4a3e-88c4-ea80e5e8b5e5","config":{"Name":"subscription-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n\t# Subscription name must be present (selector succeeded)\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\t# Error field must be empty (no validation errors from selector)\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\t# Allowlist: phase must be exactly \"Active\" or \"Degraded\" (reject empty/unreconciled)\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\t# Subscription must not be deleting\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-05-25T11:25:15Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"960695ec-4aa7-4a3e-88c4-ea80e5e8b5e5","config":{"Name":"Authorization","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"httpHeader","WrapperKey":"authorization","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{"Static":"","Pattern":""}}},"object":""} {"level":"debug","ts":"2026-05-25T11:25:15Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"960695ec-4aa7-4a3e-88c4-ea80e5e8b5e5","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"} {"level":"debug","ts":"2026-05-25T11:25:15Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"960695ec-4aa7-4a3e-88c4-ea80e5e8b5e5","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"groups","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"keyId","Value":{"Static":null,"Pattern":"auth.metadata.apiKeyValidation.keyId"}},{"Name":"userid","Value":{"Static":null,"Pattern":"auth.metadata.apiKeyValidation.username"}},{"Name":"groups_str","Value":{}},{"Name":"subscription_error_message","Value":{}}]},"Plain":null},"object":{"groups":["system:serviceaccounts","system:serviceaccounts:maas-admin","system:authenticated"],"groups_str":"system:serviceaccounts,system:serviceaccounts:maas-admin,system:authenticated","keyId":"e7cc8fd9-5e70-4bc5-8e02-c1a3f9a0a63a","selected_subscription":"simulator-subscription","selected_subscription_key":"models-as-a-service/simulator-subscription@llm/facebook-opt-125m-simulated","subscription_error":"","subscription_error_message":"","subscription_info":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","namespace":"llm","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true},"userid":"system:serviceaccount:maas-admin:tester-admin-user"}} {"level":"info","ts":"2026-05-25T11:25:15Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"960695ec-4aa7-4a3e-88c4-ea80e5e8b5e5","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-05-25T11:25:15Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"960695ec-4aa7-4a3e-88c4-ea80e5e8b5e5","authorized":true,"response":"OK"} {"level":"info","ts":"2026-05-25T11:25:15Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"c977bf64-cbcf-4d58-8d78-b3e76dc443df","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"100.64.0.4:10686","PortSpecifier":{"PortValue":10686}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.27:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"c977bf64-cbcf-4d58-8d78-b3e76dc443df","method":"POST","path":"/llm/facebook-opt-125m-simulated/v1/chat/completions","host":"maas.apps.f079999e-d19a-4ad0-b905-3c6ed0480c51.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-05-25T11:25:15Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"c977bf64-cbcf-4d58-8d78-b3e76dc443df","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"100.64.0.4:10686","PortSpecifier":{"PortValue":10686}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.27:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1779708315,"nanos":511477106},"http":{"id":"c977bf64-cbcf-4d58-8d78-b3e76dc443df","method":"POST","headers":{":authority":"maas.apps.f079999e-d19a-4ad0-b905-3c6ed0480c51.prod.konfluxeaas.com",":method":"POST",":path":"/llm/facebook-opt-125m-simulated/v1/chat/completions",":scheme":"https","accept":"*/*","authorization":"Bearer **** {"level":"debug","ts":"2026-05-25T11:25:15Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"c977bf64-cbcf-4d58-8d78-b3e76dc443df","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-1XRwQGBteuLfxj1Ht_rHa4EfLNOQ96MFRaT9I2ZjX4OBgfnGRv1S2Dur1gxWw"} {"level":"debug","ts":"2026-05-25T11:25:15Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"c977bf64-cbcf-4d58-8d78-b3e76dc443df","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-1XRwQGBteuLfxj1Ht_rHa4EfLNOQ96MFRaT9I2ZjX4OBgfnGRv1S2Dur1gxWw\"}"} {"level":"debug","ts":"2026-05-25T11:25:15Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"c977bf64-cbcf-4d58-8d78-b3e76dc443df","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-05-25T11:25:15Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"c977bf64-cbcf-4d58-8d78-b3e76dc443df","config":"subscription-info","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","headers":{"Content-Type":["application/json"]},"body":"{\"groups\":[\"system:serviceaccounts\",\"system:serviceaccounts:maas-admin\",\"system:authenticated\"],\"requestedModel\":\"llm/facebook-opt-125m-simulated\",\"requestedSubscription\":\"simulator-subscription\",\"username\":\"system:serviceaccount:maas-admin:tester-admin-user\"}"} {"level":"debug","ts":"2026-05-25T11:25:15Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"c977bf64-cbcf-4d58-8d78-b3e76dc443df","config":{"Name":"subscription-info","Priority":1,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"UserInfo":null,"UMA":null,"GenericHTTP":{"Endpoint":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","DynamicEndpoint":null,"Method":"POST","Body":{},"Parameters":[],"Headers":[],"ContentType":"application/json","SharedSecret":"","OAuth2":null,"OAuth2TokenForceFetch":false,"AuthCredentials":null}},"object":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","namespace":"llm","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}} {"level":"debug","ts":"2026-05-25T11:25:15Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"c977bf64-cbcf-4d58-8d78-b3e76dc443df","input":{"auth":{"identity":"Bearer **** subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","namespace":"llm","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}}},"context":{"context_extensions":{"host":"5aa0fd746a1cbe4557cf771f0b5f5c4020da5a6444c58d701a6d039232d7faab"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.133.0.27:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.f079999e-d19a-4ad0-b905-3c6ed0480c51.prod.konfluxeaas.com",":method":"POST",":path":"/llm/facebook-opt-125m-simulated/v1/chat/completions",":scheme":"https","accept":"*/*","authorization":"Bearer **** sk-oai-1XRwQGBteuLfxj1Ht_rHa4EfLNOQ96MFRaT9I2ZjX4OBgfnGRv1S2Dur1gxWw","content-length":"100","content-type":"application/json","user-agent":"curl/7.76.1","x-envoy-decorator-operation":"facebook-opt-125m-simulated-kserve-workload-svc.llm.svc.cluster.local:8000/*","x-envoy-external-address":"100.64.0.4","x-envoy-peer-metadata":"ChoKCkNMVVNURVJfSUQSDBoKS3ViZXJuZXRlcwqLAQoGTEFCRUxTEoABKn4KSwofc2VydmljZS5pc3Rpby5pby9jYW5vbmljYWwtbmFtZRIoGiZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAovCiNzZXJ2aWNlLmlzdGlvLmlvL2Nhbm9uaWNhbC1yZXZpc2lvbhIIGgZsYXRlc3QKQQoETkFNRRI5GjdtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdC03ZDZmNDQ3Y2Y1LXdsdzR4CiAKCU5BTUVTUEFDRRITGhFvcGVuc2hpZnQtaW5ncmVzcwp0CgVPV05FUhJrGmlrdWJlcm5ldGVzOi8vYXBpcy9hcHBzL3YxL25hbWVzcGFjZXMvb3BlbnNoaWZ0LWluZ3Jlc3MvZGVwbG95bWVudHMvbWFhcy1kZWZhdWx0LWdhdGV3YXktb3BlbnNoaWZ0LWRlZmF1bHQKOQoNV09SS0xPQURfTkFNRRIoGiZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdA==","x-envoy-peer-metadata-id":"router~10.133.0.27~maas-default-gateway-openshift-default-7d6f447cf5-wlw4x.openshift-ingress~openshift-ingress.svc.cluster.local","x-forwarded-for":"100.64.0.4","x-forwarded-proto":"https","x-request-id":"c977bf64-cbcf-4d58-8d78-b3e76dc443df"},"host":"maas.apps.f079999e-d19a-4ad0-b905-3c6ed0480c51.prod.konfluxeaas.com","id":"c977bf64-cbcf-4d58-8d78-b3e76dc443df","method":"POST","path":"/llm/facebook-opt-125m-simulated/v1/chat/completions","protocol":"HTTP/2","scheme":"https","time":{"nanos":511477106,"seconds":1779708315},"url_path":"/llm/facebook-opt-125m-simulated/v1/chat/completions","user_agent":"curl/7.76.1"},"source":{"address":"100.64.0.4:10686","port":10686}}} {"level":"debug","ts":"2026-05-25T11:25:15Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"c977bf64-cbcf-4d58-8d78-b3e76dc443df","config":{"Name":"subscription-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n\t# Subscription name must be present (selector succeeded)\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\t# Error field must be empty (no validation errors from selector)\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\t# Allowlist: phase must be exactly \"Active\" or \"Degraded\" (reject empty/unreconciled)\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\t# Subscription must not be deleting\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-05-25T11:25:15Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"c977bf64-cbcf-4d58-8d78-b3e76dc443df","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"# API key authentication: validate the key\nallow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\n\n# Kubernetes token authentication: check identity exists\nallow {\n object.get(input.auth.identity, \"user\", {}).username != \"\"\n}\n\n# OIDC token authentication: check JWT subject exists\nallow {\n object.get(input.auth.identity, \"sub\", \"\") != \"\"\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-05-25T11:25:15Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"c977bf64-cbcf-4d58-8d78-b3e76dc443df","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\n# Allowed groups and users from all MaaSAuthPolicies\nallowed_groups := [\"system:authenticated\"]\nallowed_users := []\n\n# Extract username from API key, OIDC, or K8s token\nusername := input.auth.metadata.apiKeyValidation.username\n { object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n { object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n { object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n { object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\n# Extract groups from API key, OIDC, or K8s token\ngroups := input.auth.metadata.apiKeyValidation.groups\n { object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n { object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n { object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\n# Allow if user is in allowed users\nallow {\n username == allowed_users[_]\n}\n\n# Allow if any user group is in allowed groups\nallow {\n groups[_] == allowed_groups[_]\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-05-25T11:25:15Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"c977bf64-cbcf-4d58-8d78-b3e76dc443df","config":{"Name":"Authorization","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"httpHeader","WrapperKey":"authorization","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{"Static":"","Pattern":""}}},"object":""} {"level":"debug","ts":"2026-05-25T11:25:15Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"c977bf64-cbcf-4d58-8d78-b3e76dc443df","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"} {"level":"debug","ts":"2026-05-25T11:25:15Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"c977bf64-cbcf-4d58-8d78-b3e76dc443df","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"groups_str","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"userid","Value":{"Static":null,"Pattern":"auth.metadata.apiKeyValidation.username"}},{"Name":"groups","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"keyId","Value":{"Static":null,"Pattern":"auth.metadata.apiKeyValidation.keyId"}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"subscription_error","Value":{}}]},"Plain":null},"object":{"groups":["system:serviceaccounts","system:serviceaccounts:maas-admin","system:authenticated"],"groups_str":"system:serviceaccounts,system:serviceaccounts:maas-admin,system:authenticated","keyId":"e7cc8fd9-5e70-4bc5-8e02-c1a3f9a0a63a","selected_subscription":"simulator-subscription","selected_subscription_key":"models-as-a-service/simulator-subscription@llm/facebook-opt-125m-simulated","subscription_error":"","subscription_error_message":"","subscription_info":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","namespace":"llm","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true},"userid":"system:serviceaccount:maas-admin:tester-admin-user"}} {"level":"info","ts":"2026-05-25T11:25:15Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"c977bf64-cbcf-4d58-8d78-b3e76dc443df","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-05-25T11:25:15Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"c977bf64-cbcf-4d58-8d78-b3e76dc443df","authorized":true,"response":"OK"} {"level":"info","ts":"2026-05-25T11:25:15Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"eb2cb147-3fd4-4985-b4a0-e05b4f97a513","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"100.64.0.3:46356","PortSpecifier":{"PortValue":46356}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.27:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"eb2cb147-3fd4-4985-b4a0-e05b4f97a513","method":"POST","path":"/llm/facebook-opt-125m-simulated/v1/chat/completions","host":"maas.apps.f079999e-d19a-4ad0-b905-3c6ed0480c51.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-05-25T11:25:15Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"eb2cb147-3fd4-4985-b4a0-e05b4f97a513","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"100.64.0.3:46356","PortSpecifier":{"PortValue":46356}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.27:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1779708315,"nanos":559241876},"http":{"id":"eb2cb147-3fd4-4985-b4a0-e05b4f97a513","method":"POST","headers":{":authority":"maas.apps.f079999e-d19a-4ad0-b905-3c6ed0480c51.prod.konfluxeaas.com",":method":"POST",":path":"/llm/facebook-opt-125m-simulated/v1/chat/completions",":scheme":"https","accept":"*/*","authorization":"Bearer **** {"level":"debug","ts":"2026-05-25T11:25:15Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"eb2cb147-3fd4-4985-b4a0-e05b4f97a513","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-1XRwQGBteuLfxj1Ht_rHa4EfLNOQ96MFRaT9I2ZjX4OBgfnGRv1S2Dur1gxWw"} {"level":"debug","ts":"2026-05-25T11:25:15Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"eb2cb147-3fd4-4985-b4a0-e05b4f97a513","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-1XRwQGBteuLfxj1Ht_rHa4EfLNOQ96MFRaT9I2ZjX4OBgfnGRv1S2Dur1gxWw\"}"} {"level":"debug","ts":"2026-05-25T11:25:15Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"eb2cb147-3fd4-4985-b4a0-e05b4f97a513","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-05-25T11:25:15Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"eb2cb147-3fd4-4985-b4a0-e05b4f97a513","config":"subscription-info","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","headers":{"Content-Type":["application/json"]},"body":"{\"groups\":[\"system:serviceaccounts\",\"system:serviceaccounts:maas-admin\",\"system:authenticated\"],\"requestedModel\":\"llm/facebook-opt-125m-simulated\",\"requestedSubscription\":\"simulator-subscription\",\"username\":\"system:serviceaccount:maas-admin:tester-admin-user\"}"} {"level":"debug","ts":"2026-05-25T11:25:15Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"eb2cb147-3fd4-4985-b4a0-e05b4f97a513","config":{"Name":"subscription-info","Priority":1,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"UserInfo":null,"UMA":null,"GenericHTTP":{"Endpoint":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","DynamicEndpoint":null,"Method":"POST","Body":{},"Parameters":[],"Headers":[],"ContentType":"application/json","SharedSecret":"","OAuth2":null,"OAuth2TokenForceFetch":false,"AuthCredentials":null}},"object":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","namespace":"llm","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}} {"level":"debug","ts":"2026-05-25T11:25:15Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"eb2cb147-3fd4-4985-b4a0-e05b4f97a513","input":{"auth":{"identity":"Bearer **** subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","namespace":"llm","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}}},"context":{"context_extensions":{"host":"5aa0fd746a1cbe4557cf771f0b5f5c4020da5a6444c58d701a6d039232d7faab"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.133.0.27:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.f079999e-d19a-4ad0-b905-3c6ed0480c51.prod.konfluxeaas.com",":method":"POST",":path":"/llm/facebook-opt-125m-simulated/v1/chat/completions",":scheme":"https","accept":"*/*","authorization":"Bearer **** sk-oai-1XRwQGBteuLfxj1Ht_rHa4EfLNOQ96MFRaT9I2ZjX4OBgfnGRv1S2Dur1gxWw","content-length":"100","content-type":"application/json","user-agent":"curl/7.76.1","x-envoy-decorator-operation":"facebook-opt-125m-simulated-kserve-workload-svc.llm.svc.cluster.local:8000/*","x-envoy-external-address":"100.64.0.3","x-envoy-peer-metadata":"ChoKCkNMVVNURVJfSUQSDBoKS3ViZXJuZXRlcwqLAQoGTEFCRUxTEoABKn4KSwofc2VydmljZS5pc3Rpby5pby9jYW5vbmljYWwtbmFtZRIoGiZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAovCiNzZXJ2aWNlLmlzdGlvLmlvL2Nhbm9uaWNhbC1yZXZpc2lvbhIIGgZsYXRlc3QKQQoETkFNRRI5GjdtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdC03ZDZmNDQ3Y2Y1LXdsdzR4CiAKCU5BTUVTUEFDRRITGhFvcGVuc2hpZnQtaW5ncmVzcwp0CgVPV05FUhJrGmlrdWJlcm5ldGVzOi8vYXBpcy9hcHBzL3YxL25hbWVzcGFjZXMvb3BlbnNoaWZ0LWluZ3Jlc3MvZGVwbG95bWVudHMvbWFhcy1kZWZhdWx0LWdhdGV3YXktb3BlbnNoaWZ0LWRlZmF1bHQKOQoNV09SS0xPQURfTkFNRRIoGiZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdA==","x-envoy-peer-metadata-id":"router~10.133.0.27~maas-default-gateway-openshift-default-7d6f447cf5-wlw4x.openshift-ingress~openshift-ingress.svc.cluster.local","x-forwarded-for":"100.64.0.3","x-forwarded-proto":"https","x-request-id":"eb2cb147-3fd4-4985-b4a0-e05b4f97a513"},"host":"maas.apps.f079999e-d19a-4ad0-b905-3c6ed0480c51.prod.konfluxeaas.com","id":"eb2cb147-3fd4-4985-b4a0-e05b4f97a513","method":"POST","path":"/llm/facebook-opt-125m-simulated/v1/chat/completions","protocol":"HTTP/2","scheme":"https","time":{"nanos":559241876,"seconds":1779708315},"url_path":"/llm/facebook-opt-125m-simulated/v1/chat/completions","user_agent":"curl/7.76.1"},"source":{"address":"100.64.0.3:46356","port":46356}}} {"level":"debug","ts":"2026-05-25T11:25:15Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"eb2cb147-3fd4-4985-b4a0-e05b4f97a513","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"# API key authentication: validate the key\nallow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\n\n# Kubernetes token authentication: check identity exists\nallow {\n object.get(input.auth.identity, \"user\", {}).username != \"\"\n}\n\n# OIDC token authentication: check JWT subject exists\nallow {\n object.get(input.auth.identity, \"sub\", \"\") != \"\"\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-05-25T11:25:15Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"eb2cb147-3fd4-4985-b4a0-e05b4f97a513","config":{"Name":"subscription-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n\t# Subscription name must be present (selector succeeded)\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\t# Error field must be empty (no validation errors from selector)\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\t# Allowlist: phase must be exactly \"Active\" or \"Degraded\" (reject empty/unreconciled)\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\t# Subscription must not be deleting\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-05-25T11:25:15Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"eb2cb147-3fd4-4985-b4a0-e05b4f97a513","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\n# Allowed groups and users from all MaaSAuthPolicies\nallowed_groups := [\"system:authenticated\"]\nallowed_users := []\n\n# Extract username from API key, OIDC, or K8s token\nusername := input.auth.metadata.apiKeyValidation.username\n { object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n { object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n { object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n { object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\n# Extract groups from API key, OIDC, or K8s token\ngroups := input.auth.metadata.apiKeyValidation.groups\n { object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n { object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n { object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\n# Allow if user is in allowed users\nallow {\n username == allowed_users[_]\n}\n\n# Allow if any user group is in allowed groups\nallow {\n groups[_] == allowed_groups[_]\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-05-25T11:25:15Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"eb2cb147-3fd4-4985-b4a0-e05b4f97a513","config":{"Name":"Authorization","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"httpHeader","WrapperKey":"authorization","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{"Static":"","Pattern":""}}},"object":""} {"level":"debug","ts":"2026-05-25T11:25:15Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"eb2cb147-3fd4-4985-b4a0-e05b4f97a513","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"} {"level":"debug","ts":"2026-05-25T11:25:15Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"eb2cb147-3fd4-4985-b4a0-e05b4f97a513","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"groups_str","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"userid","Value":{"Static":null,"Pattern":"auth.metadata.apiKeyValidation.username"}},{"Name":"groups","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"keyId","Value":{"Static":null,"Pattern":"auth.metadata.apiKeyValidation.keyId"}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"subscription_error","Value":{}}]},"Plain":null},"object":{"groups":["system:serviceaccounts","system:serviceaccounts:maas-admin","system:authenticated"],"groups_str":"system:serviceaccounts,system:serviceaccounts:maas-admin,system:authenticated","keyId":"e7cc8fd9-5e70-4bc5-8e02-c1a3f9a0a63a","selected_subscription":"simulator-subscription","selected_subscription_key":"models-as-a-service/simulator-subscription@llm/facebook-opt-125m-simulated","subscription_error":"","subscription_error_message":"","subscription_info":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","namespace":"llm","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true},"userid":"system:serviceaccount:maas-admin:tester-admin-user"}} {"level":"info","ts":"2026-05-25T11:25:15Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"eb2cb147-3fd4-4985-b4a0-e05b4f97a513","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-05-25T11:25:15Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"eb2cb147-3fd4-4985-b4a0-e05b4f97a513","authorized":true,"response":"OK"} {"level":"info","ts":"2026-05-25T11:25:15Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"279648d7-ebc2-4251-aff6-9fd300489d31","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"100.64.0.4:47934","PortSpecifier":{"PortValue":47934}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.27:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"279648d7-ebc2-4251-aff6-9fd300489d31","method":"POST","path":"/llm/facebook-opt-125m-simulated/v1/chat/completions","host":"maas.apps.f079999e-d19a-4ad0-b905-3c6ed0480c51.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-05-25T11:25:15Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"279648d7-ebc2-4251-aff6-9fd300489d31","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"100.64.0.4:47934","PortSpecifier":{"PortValue":47934}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.27:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1779708315,"nanos":591120700},"http":{"id":"279648d7-ebc2-4251-aff6-9fd300489d31","method":"POST","headers":{":authority":"maas.apps.f079999e-d19a-4ad0-b905-3c6ed0480c51.prod.konfluxeaas.com",":method":"POST",":path":"/llm/facebook-opt-125m-simulated/v1/chat/completions",":scheme":"https","accept":"*/*","authorization":"Bearer **** {"level":"debug","ts":"2026-05-25T11:25:15Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"279648d7-ebc2-4251-aff6-9fd300489d31","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-1XRwQGBteuLfxj1Ht_rHa4EfLNOQ96MFRaT9I2ZjX4OBgfnGRv1S2Dur1gxWw"} {"level":"debug","ts":"2026-05-25T11:25:15Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"279648d7-ebc2-4251-aff6-9fd300489d31","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-1XRwQGBteuLfxj1Ht_rHa4EfLNOQ96MFRaT9I2ZjX4OBgfnGRv1S2Dur1gxWw\"}"} {"level":"debug","ts":"2026-05-25T11:25:15Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"279648d7-ebc2-4251-aff6-9fd300489d31","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-05-25T11:25:15Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"279648d7-ebc2-4251-aff6-9fd300489d31","config":"subscription-info","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","headers":{"Content-Type":["application/json"]},"body":"{\"groups\":[\"system:serviceaccounts\",\"system:serviceaccounts:maas-admin\",\"system:authenticated\"],\"requestedModel\":\"llm/facebook-opt-125m-simulated\",\"requestedSubscription\":\"simulator-subscription\",\"username\":\"system:serviceaccount:maas-admin:tester-admin-user\"}"} {"level":"debug","ts":"2026-05-25T11:25:15Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"279648d7-ebc2-4251-aff6-9fd300489d31","config":{"Name":"subscription-info","Priority":1,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"UserInfo":null,"UMA":null,"GenericHTTP":{"Endpoint":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","DynamicEndpoint":null,"Method":"POST","Body":{},"Parameters":[],"Headers":[],"ContentType":"application/json","SharedSecret":"","OAuth2":null,"OAuth2TokenForceFetch":false,"AuthCredentials":null}},"object":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","namespace":"llm","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}} {"level":"debug","ts":"2026-05-25T11:25:15Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"279648d7-ebc2-4251-aff6-9fd300489d31","input":{"auth":{"identity":"Bearer **** subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","namespace":"llm","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}}},"context":{"context_extensions":{"host":"5aa0fd746a1cbe4557cf771f0b5f5c4020da5a6444c58d701a6d039232d7faab"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.133.0.27:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.f079999e-d19a-4ad0-b905-3c6ed0480c51.prod.konfluxeaas.com",":method":"POST",":path":"/llm/facebook-opt-125m-simulated/v1/chat/completions",":scheme":"https","accept":"*/*","authorization":"Bearer **** sk-oai-1XRwQGBteuLfxj1Ht_rHa4EfLNOQ96MFRaT9I2ZjX4OBgfnGRv1S2Dur1gxWw","content-length":"100","content-type":"application/json","user-agent":"curl/7.76.1","x-envoy-decorator-operation":"facebook-opt-125m-simulated-kserve-workload-svc.llm.svc.cluster.local:8000/*","x-envoy-external-address":"100.64.0.4","x-envoy-peer-metadata":"ChoKCkNMVVNURVJfSUQSDBoKS3ViZXJuZXRlcwqLAQoGTEFCRUxTEoABKn4KSwofc2VydmljZS5pc3Rpby5pby9jYW5vbmljYWwtbmFtZRIoGiZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAovCiNzZXJ2aWNlLmlzdGlvLmlvL2Nhbm9uaWNhbC1yZXZpc2lvbhIIGgZsYXRlc3QKQQoETkFNRRI5GjdtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdC03ZDZmNDQ3Y2Y1LXdsdzR4CiAKCU5BTUVTUEFDRRITGhFvcGVuc2hpZnQtaW5ncmVzcwp0CgVPV05FUhJrGmlrdWJlcm5ldGVzOi8vYXBpcy9hcHBzL3YxL25hbWVzcGFjZXMvb3BlbnNoaWZ0LWluZ3Jlc3MvZGVwbG95bWVudHMvbWFhcy1kZWZhdWx0LWdhdGV3YXktb3BlbnNoaWZ0LWRlZmF1bHQKOQoNV09SS0xPQURfTkFNRRIoGiZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdA==","x-envoy-peer-metadata-id":"router~10.133.0.27~maas-default-gateway-openshift-default-7d6f447cf5-wlw4x.openshift-ingress~openshift-ingress.svc.cluster.local","x-forwarded-for":"100.64.0.4","x-forwarded-proto":"https","x-request-id":"279648d7-ebc2-4251-aff6-9fd300489d31"},"host":"maas.apps.f079999e-d19a-4ad0-b905-3c6ed0480c51.prod.konfluxeaas.com","id":"279648d7-ebc2-4251-aff6-9fd300489d31","method":"POST","path":"/llm/facebook-opt-125m-simulated/v1/chat/completions","protocol":"HTTP/2","scheme":"https","time":{"nanos":591120700,"seconds":1779708315},"url_path":"/llm/facebook-opt-125m-simulated/v1/chat/completions","user_agent":"curl/7.76.1"},"source":{"address":"100.64.0.4:47934","port":47934}}} {"level":"debug","ts":"2026-05-25T11:25:15Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"279648d7-ebc2-4251-aff6-9fd300489d31","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\n# Allowed groups and users from all MaaSAuthPolicies\nallowed_groups := [\"system:authenticated\"]\nallowed_users := []\n\n# Extract username from API key, OIDC, or K8s token\nusername := input.auth.metadata.apiKeyValidation.username\n { object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n { object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n { object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n { object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\n# Extract groups from API key, OIDC, or K8s token\ngroups := input.auth.metadata.apiKeyValidation.groups\n { object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n { object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n { object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\n# Allow if user is in allowed users\nallow {\n username == allowed_users[_]\n}\n\n# Allow if any user group is in allowed groups\nallow {\n groups[_] == allowed_groups[_]\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-05-25T11:25:15Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"279648d7-ebc2-4251-aff6-9fd300489d31","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"# API key authentication: validate the key\nallow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\n\n# Kubernetes token authentication: check identity exists\nallow {\n object.get(input.auth.identity, \"user\", {}).username != \"\"\n}\n\n# OIDC token authentication: check JWT subject exists\nallow {\n object.get(input.auth.identity, \"sub\", \"\") != \"\"\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-05-25T11:25:15Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"279648d7-ebc2-4251-aff6-9fd300489d31","config":{"Name":"subscription-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n\t# Subscription name must be present (selector succeeded)\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\t# Error field must be empty (no validation errors from selector)\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\t# Allowlist: phase must be exactly \"Active\" or \"Degraded\" (reject empty/unreconciled)\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\t# Subscription must not be deleting\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-05-25T11:25:15Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"279648d7-ebc2-4251-aff6-9fd300489d31","config":{"Name":"Authorization","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"httpHeader","WrapperKey":"authorization","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{"Static":"","Pattern":""}}},"object":""} {"level":"debug","ts":"2026-05-25T11:25:15Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"279648d7-ebc2-4251-aff6-9fd300489d31","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"} {"level":"debug","ts":"2026-05-25T11:25:15Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"279648d7-ebc2-4251-aff6-9fd300489d31","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"groups_str","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"userid","Value":{"Static":null,"Pattern":"auth.metadata.apiKeyValidation.username"}},{"Name":"groups","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"keyId","Value":{"Static":null,"Pattern":"auth.metadata.apiKeyValidation.keyId"}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"subscription_error","Value":{}}]},"Plain":null},"object":{"groups":["system:serviceaccounts","system:serviceaccounts:maas-admin","system:authenticated"],"groups_str":"system:serviceaccounts,system:serviceaccounts:maas-admin,system:authenticated","keyId":"e7cc8fd9-5e70-4bc5-8e02-c1a3f9a0a63a","selected_subscription":"simulator-subscription","selected_subscription_key":"models-as-a-service/simulator-subscription@llm/facebook-opt-125m-simulated","subscription_error":"","subscription_error_message":"","subscription_info":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","namespace":"llm","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true},"userid":"system:serviceaccount:maas-admin:tester-admin-user"}} {"level":"info","ts":"2026-05-25T11:25:15Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"279648d7-ebc2-4251-aff6-9fd300489d31","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-05-25T11:25:15Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"279648d7-ebc2-4251-aff6-9fd300489d31","authorized":true,"response":"OK"} {"level":"info","ts":"2026-05-25T11:25:15Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"d9ca85e7-31a4-45c0-8d7a-e5a21d5317b0","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"100.64.0.2:5598","PortSpecifier":{"PortValue":5598}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.27:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"d9ca85e7-31a4-45c0-8d7a-e5a21d5317b0","method":"POST","path":"/llm/facebook-opt-125m-simulated/v1/chat/completions","host":"maas.apps.f079999e-d19a-4ad0-b905-3c6ed0480c51.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-05-25T11:25:15Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"d9ca85e7-31a4-45c0-8d7a-e5a21d5317b0","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"100.64.0.2:5598","PortSpecifier":{"PortValue":5598}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.27:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1779708315,"nanos":629201139},"http":{"id":"d9ca85e7-31a4-45c0-8d7a-e5a21d5317b0","method":"POST","headers":{":authority":"maas.apps.f079999e-d19a-4ad0-b905-3c6ed0480c51.prod.konfluxeaas.com",":method":"POST",":path":"/llm/facebook-opt-125m-simulated/v1/chat/completions",":scheme":"https","accept":"*/*","authorization":"Bearer **** {"level":"debug","ts":"2026-05-25T11:25:15Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"d9ca85e7-31a4-45c0-8d7a-e5a21d5317b0","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-1XRwQGBteuLfxj1Ht_rHa4EfLNOQ96MFRaT9I2ZjX4OBgfnGRv1S2Dur1gxWw"} {"level":"debug","ts":"2026-05-25T11:25:15Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"d9ca85e7-31a4-45c0-8d7a-e5a21d5317b0","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-1XRwQGBteuLfxj1Ht_rHa4EfLNOQ96MFRaT9I2ZjX4OBgfnGRv1S2Dur1gxWw\"}"} {"level":"debug","ts":"2026-05-25T11:25:15Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"d9ca85e7-31a4-45c0-8d7a-e5a21d5317b0","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-05-25T11:25:15Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"d9ca85e7-31a4-45c0-8d7a-e5a21d5317b0","config":"subscription-info","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","headers":{"Content-Type":["application/json"]},"body":"{\"groups\":[\"system:serviceaccounts\",\"system:serviceaccounts:maas-admin\",\"system:authenticated\"],\"requestedModel\":\"llm/facebook-opt-125m-simulated\",\"requestedSubscription\":\"simulator-subscription\",\"username\":\"system:serviceaccount:maas-admin:tester-admin-user\"}"} {"level":"debug","ts":"2026-05-25T11:25:15Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"d9ca85e7-31a4-45c0-8d7a-e5a21d5317b0","config":{"Name":"subscription-info","Priority":1,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"UserInfo":null,"UMA":null,"GenericHTTP":{"Endpoint":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","DynamicEndpoint":null,"Method":"POST","Body":{},"Parameters":[],"Headers":[],"ContentType":"application/json","SharedSecret":"","OAuth2":null,"OAuth2TokenForceFetch":false,"AuthCredentials":null}},"object":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","namespace":"llm","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}} {"level":"debug","ts":"2026-05-25T11:25:15Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"d9ca85e7-31a4-45c0-8d7a-e5a21d5317b0","input":{"auth":{"identity":"Bearer **** subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","namespace":"llm","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}}},"context":{"context_extensions":{"host":"5aa0fd746a1cbe4557cf771f0b5f5c4020da5a6444c58d701a6d039232d7faab"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.133.0.27:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.f079999e-d19a-4ad0-b905-3c6ed0480c51.prod.konfluxeaas.com",":method":"POST",":path":"/llm/facebook-opt-125m-simulated/v1/chat/completions",":scheme":"https","accept":"*/*","authorization":"Bearer **** sk-oai-1XRwQGBteuLfxj1Ht_rHa4EfLNOQ96MFRaT9I2ZjX4OBgfnGRv1S2Dur1gxWw","content-length":"100","content-type":"application/json","user-agent":"curl/7.76.1","x-envoy-decorator-operation":"facebook-opt-125m-simulated-kserve-workload-svc.llm.svc.cluster.local:8000/*","x-envoy-external-address":"100.64.0.2","x-envoy-peer-metadata":"ChoKCkNMVVNURVJfSUQSDBoKS3ViZXJuZXRlcwqLAQoGTEFCRUxTEoABKn4KSwofc2VydmljZS5pc3Rpby5pby9jYW5vbmljYWwtbmFtZRIoGiZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAovCiNzZXJ2aWNlLmlzdGlvLmlvL2Nhbm9uaWNhbC1yZXZpc2lvbhIIGgZsYXRlc3QKQQoETkFNRRI5GjdtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdC03ZDZmNDQ3Y2Y1LXdsdzR4CiAKCU5BTUVTUEFDRRITGhFvcGVuc2hpZnQtaW5ncmVzcwp0CgVPV05FUhJrGmlrdWJlcm5ldGVzOi8vYXBpcy9hcHBzL3YxL25hbWVzcGFjZXMvb3BlbnNoaWZ0LWluZ3Jlc3MvZGVwbG95bWVudHMvbWFhcy1kZWZhdWx0LWdhdGV3YXktb3BlbnNoaWZ0LWRlZmF1bHQKOQoNV09SS0xPQURfTkFNRRIoGiZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdA==","x-envoy-peer-metadata-id":"router~10.133.0.27~maas-default-gateway-openshift-default-7d6f447cf5-wlw4x.openshift-ingress~openshift-ingress.svc.cluster.local","x-forwarded-for":"100.64.0.2","x-forwarded-proto":"https","x-request-id":"d9ca85e7-31a4-45c0-8d7a-e5a21d5317b0"},"host":"maas.apps.f079999e-d19a-4ad0-b905-3c6ed0480c51.prod.konfluxeaas.com","id":"d9ca85e7-31a4-45c0-8d7a-e5a21d5317b0","method":"POST","path":"/llm/facebook-opt-125m-simulated/v1/chat/completions","protocol":"HTTP/2","scheme":"https","time":{"nanos":629201139,"seconds":1779708315},"url_path":"/llm/facebook-opt-125m-simulated/v1/chat/completions","user_agent":"curl/7.76.1"},"source":{"address":"100.64.0.2:5598","port":5598}}} {"level":"debug","ts":"2026-05-25T11:25:15Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"d9ca85e7-31a4-45c0-8d7a-e5a21d5317b0","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"# API key authentication: validate the key\nallow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\n\n# Kubernetes token authentication: check identity exists\nallow {\n object.get(input.auth.identity, \"user\", {}).username != \"\"\n}\n\n# OIDC token authentication: check JWT subject exists\nallow {\n object.get(input.auth.identity, \"sub\", \"\") != \"\"\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-05-25T11:25:15Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"d9ca85e7-31a4-45c0-8d7a-e5a21d5317b0","config":{"Name":"subscription-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n\t# Subscription name must be present (selector succeeded)\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\t# Error field must be empty (no validation errors from selector)\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\t# Allowlist: phase must be exactly \"Active\" or \"Degraded\" (reject empty/unreconciled)\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\t# Subscription must not be deleting\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-05-25T11:25:15Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"d9ca85e7-31a4-45c0-8d7a-e5a21d5317b0","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\n# Allowed groups and users from all MaaSAuthPolicies\nallowed_groups := [\"system:authenticated\"]\nallowed_users := []\n\n# Extract username from API key, OIDC, or K8s token\nusername := input.auth.metadata.apiKeyValidation.username\n { object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n { object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n { object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n { object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\n# Extract groups from API key, OIDC, or K8s token\ngroups := input.auth.metadata.apiKeyValidation.groups\n { object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n { object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n { object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\n# Allow if user is in allowed users\nallow {\n username == allowed_users[_]\n}\n\n# Allow if any user group is in allowed groups\nallow {\n groups[_] == allowed_groups[_]\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-05-25T11:25:15Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"d9ca85e7-31a4-45c0-8d7a-e5a21d5317b0","config":{"Name":"Authorization","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"httpHeader","WrapperKey":"authorization","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{"Static":"","Pattern":""}}},"object":""} {"level":"debug","ts":"2026-05-25T11:25:15Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"d9ca85e7-31a4-45c0-8d7a-e5a21d5317b0","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"} {"level":"debug","ts":"2026-05-25T11:25:15Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"d9ca85e7-31a4-45c0-8d7a-e5a21d5317b0","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"groups_str","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"userid","Value":{"Static":null,"Pattern":"auth.metadata.apiKeyValidation.username"}},{"Name":"groups","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"keyId","Value":{"Static":null,"Pattern":"auth.metadata.apiKeyValidation.keyId"}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"subscription_error","Value":{}}]},"Plain":null},"object":{"groups":["system:serviceaccounts","system:serviceaccounts:maas-admin","system:authenticated"],"groups_str":"system:serviceaccounts,system:serviceaccounts:maas-admin,system:authenticated","keyId":"e7cc8fd9-5e70-4bc5-8e02-c1a3f9a0a63a","selected_subscription":"simulator-subscription","selected_subscription_key":"models-as-a-service/simulator-subscription@llm/facebook-opt-125m-simulated","subscription_error":"","subscription_error_message":"","subscription_info":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","namespace":"llm","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true},"userid":"system:serviceaccount:maas-admin:tester-admin-user"}} {"level":"info","ts":"2026-05-25T11:25:15Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"d9ca85e7-31a4-45c0-8d7a-e5a21d5317b0","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-05-25T11:25:15Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"d9ca85e7-31a4-45c0-8d7a-e5a21d5317b0","authorized":true,"response":"OK"} {"level":"info","ts":"2026-05-25T11:25:15Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"256c0984-d3d6-434f-8899-75356955205e","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"100.64.0.2:39814","PortSpecifier":{"PortValue":39814}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.27:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"256c0984-d3d6-434f-8899-75356955205e","method":"POST","path":"/llm/facebook-opt-125m-simulated/v1/chat/completions","host":"maas.apps.f079999e-d19a-4ad0-b905-3c6ed0480c51.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-05-25T11:25:15Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"256c0984-d3d6-434f-8899-75356955205e","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"100.64.0.2:39814","PortSpecifier":{"PortValue":39814}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.27:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1779708315,"nanos":660069445},"http":{"id":"256c0984-d3d6-434f-8899-75356955205e","method":"POST","headers":{":authority":"maas.apps.f079999e-d19a-4ad0-b905-3c6ed0480c51.prod.konfluxeaas.com",":method":"POST",":path":"/llm/facebook-opt-125m-simulated/v1/chat/completions",":scheme":"https","accept":"*/*","authorization":"Bearer **** {"level":"debug","ts":"2026-05-25T11:25:15Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"256c0984-d3d6-434f-8899-75356955205e","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-1XRwQGBteuLfxj1Ht_rHa4EfLNOQ96MFRaT9I2ZjX4OBgfnGRv1S2Dur1gxWw"} {"level":"debug","ts":"2026-05-25T11:25:15Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"256c0984-d3d6-434f-8899-75356955205e","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-1XRwQGBteuLfxj1Ht_rHa4EfLNOQ96MFRaT9I2ZjX4OBgfnGRv1S2Dur1gxWw\"}"} {"level":"debug","ts":"2026-05-25T11:25:15Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"256c0984-d3d6-434f-8899-75356955205e","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-05-25T11:25:15Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"256c0984-d3d6-434f-8899-75356955205e","config":"subscription-info","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","headers":{"Content-Type":["application/json"]},"body":"{\"groups\":[\"system:serviceaccounts\",\"system:serviceaccounts:maas-admin\",\"system:authenticated\"],\"requestedModel\":\"llm/facebook-opt-125m-simulated\",\"requestedSubscription\":\"simulator-subscription\",\"username\":\"system:serviceaccount:maas-admin:tester-admin-user\"}"} {"level":"debug","ts":"2026-05-25T11:25:15Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"256c0984-d3d6-434f-8899-75356955205e","config":{"Name":"subscription-info","Priority":1,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"UserInfo":null,"UMA":null,"GenericHTTP":{"Endpoint":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","DynamicEndpoint":null,"Method":"POST","Body":{},"Parameters":[],"Headers":[],"ContentType":"application/json","SharedSecret":"","OAuth2":null,"OAuth2TokenForceFetch":false,"AuthCredentials":null}},"object":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","namespace":"llm","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}} {"level":"debug","ts":"2026-05-25T11:25:15Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"256c0984-d3d6-434f-8899-75356955205e","input":{"auth":{"identity":"Bearer **** subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","namespace":"llm","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}}},"context":{"context_extensions":{"host":"5aa0fd746a1cbe4557cf771f0b5f5c4020da5a6444c58d701a6d039232d7faab"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.133.0.27:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.f079999e-d19a-4ad0-b905-3c6ed0480c51.prod.konfluxeaas.com",":method":"POST",":path":"/llm/facebook-opt-125m-simulated/v1/chat/completions",":scheme":"https","accept":"*/*","authorization":"Bearer **** sk-oai-1XRwQGBteuLfxj1Ht_rHa4EfLNOQ96MFRaT9I2ZjX4OBgfnGRv1S2Dur1gxWw","content-length":"100","content-type":"application/json","user-agent":"curl/7.76.1","x-envoy-decorator-operation":"facebook-opt-125m-simulated-kserve-workload-svc.llm.svc.cluster.local:8000/*","x-envoy-external-address":"100.64.0.2","x-envoy-peer-metadata":"ChoKCkNMVVNURVJfSUQSDBoKS3ViZXJuZXRlcwqLAQoGTEFCRUxTEoABKn4KSwofc2VydmljZS5pc3Rpby5pby9jYW5vbmljYWwtbmFtZRIoGiZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAovCiNzZXJ2aWNlLmlzdGlvLmlvL2Nhbm9uaWNhbC1yZXZpc2lvbhIIGgZsYXRlc3QKQQoETkFNRRI5GjdtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdC03ZDZmNDQ3Y2Y1LXdsdzR4CiAKCU5BTUVTUEFDRRITGhFvcGVuc2hpZnQtaW5ncmVzcwp0CgVPV05FUhJrGmlrdWJlcm5ldGVzOi8vYXBpcy9hcHBzL3YxL25hbWVzcGFjZXMvb3BlbnNoaWZ0LWluZ3Jlc3MvZGVwbG95bWVudHMvbWFhcy1kZWZhdWx0LWdhdGV3YXktb3BlbnNoaWZ0LWRlZmF1bHQKOQoNV09SS0xPQURfTkFNRRIoGiZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdA==","x-envoy-peer-metadata-id":"router~10.133.0.27~maas-default-gateway-openshift-default-7d6f447cf5-wlw4x.openshift-ingress~openshift-ingress.svc.cluster.local","x-forwarded-for":"100.64.0.2","x-forwarded-proto":"https","x-request-id":"256c0984-d3d6-434f-8899-75356955205e"},"host":"maas.apps.f079999e-d19a-4ad0-b905-3c6ed0480c51.prod.konfluxeaas.com","id":"256c0984-d3d6-434f-8899-75356955205e","method":"POST","path":"/llm/facebook-opt-125m-simulated/v1/chat/completions","protocol":"HTTP/2","scheme":"https","time":{"nanos":660069445,"seconds":1779708315},"url_path":"/llm/facebook-opt-125m-simulated/v1/chat/completions","user_agent":"curl/7.76.1"},"source":{"address":"100.64.0.2:39814","port":39814}}} {"level":"debug","ts":"2026-05-25T11:25:15Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"256c0984-d3d6-434f-8899-75356955205e","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"# API key authentication: validate the key\nallow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\n\n# Kubernetes token authentication: check identity exists\nallow {\n object.get(input.auth.identity, \"user\", {}).username != \"\"\n}\n\n# OIDC token authentication: check JWT subject exists\nallow {\n object.get(input.auth.identity, \"sub\", \"\") != \"\"\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-05-25T11:25:15Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"256c0984-d3d6-434f-8899-75356955205e","config":{"Name":"subscription-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n\t# Subscription name must be present (selector succeeded)\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\t# Error field must be empty (no validation errors from selector)\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\t# Allowlist: phase must be exactly \"Active\" or \"Degraded\" (reject empty/unreconciled)\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\t# Subscription must not be deleting\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-05-25T11:25:15Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"256c0984-d3d6-434f-8899-75356955205e","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\n# Allowed groups and users from all MaaSAuthPolicies\nallowed_groups := [\"system:authenticated\"]\nallowed_users := []\n\n# Extract username from API key, OIDC, or K8s token\nusername := input.auth.metadata.apiKeyValidation.username\n { object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n { object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n { object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n { object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\n# Extract groups from API key, OIDC, or K8s token\ngroups := input.auth.metadata.apiKeyValidation.groups\n { object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n { object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n { object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\n# Allow if user is in allowed users\nallow {\n username == allowed_users[_]\n}\n\n# Allow if any user group is in allowed groups\nallow {\n groups[_] == allowed_groups[_]\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-05-25T11:25:15Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"256c0984-d3d6-434f-8899-75356955205e","config":{"Name":"Authorization","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"httpHeader","WrapperKey":"authorization","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{"Static":"","Pattern":""}}},"object":""} {"level":"debug","ts":"2026-05-25T11:25:15Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"256c0984-d3d6-434f-8899-75356955205e","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"} {"level":"debug","ts":"2026-05-25T11:25:15Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"256c0984-d3d6-434f-8899-75356955205e","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"groups_str","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"userid","Value":{"Static":null,"Pattern":"auth.metadata.apiKeyValidation.username"}},{"Name":"groups","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"keyId","Value":{"Static":null,"Pattern":"auth.metadata.apiKeyValidation.keyId"}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"subscription_error","Value":{}}]},"Plain":null},"object":{"groups":["system:serviceaccounts","system:serviceaccounts:maas-admin","system:authenticated"],"groups_str":"system:serviceaccounts,system:serviceaccounts:maas-admin,system:authenticated","keyId":"e7cc8fd9-5e70-4bc5-8e02-c1a3f9a0a63a","selected_subscription":"simulator-subscription","selected_subscription_key":"models-as-a-service/simulator-subscription@llm/facebook-opt-125m-simulated","subscription_error":"","subscription_error_message":"","subscription_info":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","namespace":"llm","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true},"userid":"system:serviceaccount:maas-admin:tester-admin-user"}} {"level":"info","ts":"2026-05-25T11:25:15Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"256c0984-d3d6-434f-8899-75356955205e","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-05-25T11:25:15Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"256c0984-d3d6-434f-8899-75356955205e","authorized":true,"response":"OK"} {"level":"info","ts":"2026-05-25T11:25:15Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"b1dd0bb9-811f-438b-9a47-639d5c148336","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"100.64.0.3:63738","PortSpecifier":{"PortValue":63738}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.27:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"b1dd0bb9-811f-438b-9a47-639d5c148336","method":"POST","path":"/llm/facebook-opt-125m-simulated/v1/chat/completions","host":"maas.apps.f079999e-d19a-4ad0-b905-3c6ed0480c51.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-05-25T11:25:15Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"b1dd0bb9-811f-438b-9a47-639d5c148336","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"100.64.0.3:63738","PortSpecifier":{"PortValue":63738}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.27:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1779708315,"nanos":690966638},"http":{"id":"b1dd0bb9-811f-438b-9a47-639d5c148336","method":"POST","headers":{":authority":"maas.apps.f079999e-d19a-4ad0-b905-3c6ed0480c51.prod.konfluxeaas.com",":method":"POST",":path":"/llm/facebook-opt-125m-simulated/v1/chat/completions",":scheme":"https","accept":"*/*","authorization":"Bearer **** {"level":"debug","ts":"2026-05-25T11:25:15Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"b1dd0bb9-811f-438b-9a47-639d5c148336","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-1XRwQGBteuLfxj1Ht_rHa4EfLNOQ96MFRaT9I2ZjX4OBgfnGRv1S2Dur1gxWw"} {"level":"debug","ts":"2026-05-25T11:25:15Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"b1dd0bb9-811f-438b-9a47-639d5c148336","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-1XRwQGBteuLfxj1Ht_rHa4EfLNOQ96MFRaT9I2ZjX4OBgfnGRv1S2Dur1gxWw\"}"} {"level":"debug","ts":"2026-05-25T11:25:15Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"b1dd0bb9-811f-438b-9a47-639d5c148336","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-05-25T11:25:15Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"b1dd0bb9-811f-438b-9a47-639d5c148336","config":"subscription-info","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","headers":{"Content-Type":["application/json"]},"body":"{\"groups\":[\"system:serviceaccounts\",\"system:serviceaccounts:maas-admin\",\"system:authenticated\"],\"requestedModel\":\"llm/facebook-opt-125m-simulated\",\"requestedSubscription\":\"simulator-subscription\",\"username\":\"system:serviceaccount:maas-admin:tester-admin-user\"}"} {"level":"debug","ts":"2026-05-25T11:25:15Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"b1dd0bb9-811f-438b-9a47-639d5c148336","config":{"Name":"subscription-info","Priority":1,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"UserInfo":null,"UMA":null,"GenericHTTP":{"Endpoint":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","DynamicEndpoint":null,"Method":"POST","Body":{},"Parameters":[],"Headers":[],"ContentType":"application/json","SharedSecret":"","OAuth2":null,"OAuth2TokenForceFetch":false,"AuthCredentials":null}},"object":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","namespace":"llm","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}} {"level":"debug","ts":"2026-05-25T11:25:15Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"b1dd0bb9-811f-438b-9a47-639d5c148336","input":{"auth":{"identity":"Bearer **** subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","namespace":"llm","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}}},"context":{"context_extensions":{"host":"5aa0fd746a1cbe4557cf771f0b5f5c4020da5a6444c58d701a6d039232d7faab"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.133.0.27:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.f079999e-d19a-4ad0-b905-3c6ed0480c51.prod.konfluxeaas.com",":method":"POST",":path":"/llm/facebook-opt-125m-simulated/v1/chat/completions",":scheme":"https","accept":"*/*","authorization":"Bearer **** sk-oai-1XRwQGBteuLfxj1Ht_rHa4EfLNOQ96MFRaT9I2ZjX4OBgfnGRv1S2Dur1gxWw","content-length":"100","content-type":"application/json","user-agent":"curl/7.76.1","x-envoy-decorator-operation":"facebook-opt-125m-simulated-kserve-workload-svc.llm.svc.cluster.local:8000/*","x-envoy-external-address":"100.64.0.3","x-envoy-peer-metadata":"ChoKCkNMVVNURVJfSUQSDBoKS3ViZXJuZXRlcwqLAQoGTEFCRUxTEoABKn4KSwofc2VydmljZS5pc3Rpby5pby9jYW5vbmljYWwtbmFtZRIoGiZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAovCiNzZXJ2aWNlLmlzdGlvLmlvL2Nhbm9uaWNhbC1yZXZpc2lvbhIIGgZsYXRlc3QKQQoETkFNRRI5GjdtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdC03ZDZmNDQ3Y2Y1LXdsdzR4CiAKCU5BTUVTUEFDRRITGhFvcGVuc2hpZnQtaW5ncmVzcwp0CgVPV05FUhJrGmlrdWJlcm5ldGVzOi8vYXBpcy9hcHBzL3YxL25hbWVzcGFjZXMvb3BlbnNoaWZ0LWluZ3Jlc3MvZGVwbG95bWVudHMvbWFhcy1kZWZhdWx0LWdhdGV3YXktb3BlbnNoaWZ0LWRlZmF1bHQKOQoNV09SS0xPQURfTkFNRRIoGiZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdA==","x-envoy-peer-metadata-id":"router~10.133.0.27~maas-default-gateway-openshift-default-7d6f447cf5-wlw4x.openshift-ingress~openshift-ingress.svc.cluster.local","x-forwarded-for":"100.64.0.3","x-forwarded-proto":"https","x-request-id":"b1dd0bb9-811f-438b-9a47-639d5c148336"},"host":"maas.apps.f079999e-d19a-4ad0-b905-3c6ed0480c51.prod.konfluxeaas.com","id":"b1dd0bb9-811f-438b-9a47-639d5c148336","method":"POST","path":"/llm/facebook-opt-125m-simulated/v1/chat/completions","protocol":"HTTP/2","scheme":"https","time":{"nanos":690966638,"seconds":1779708315},"url_path":"/llm/facebook-opt-125m-simulated/v1/chat/completions","user_agent":"curl/7.76.1"},"source":{"address":"100.64.0.3:63738","port":63738}}} {"level":"debug","ts":"2026-05-25T11:25:15Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"b1dd0bb9-811f-438b-9a47-639d5c148336","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"# API key authentication: validate the key\nallow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\n\n# Kubernetes token authentication: check identity exists\nallow {\n object.get(input.auth.identity, \"user\", {}).username != \"\"\n}\n\n# OIDC token authentication: check JWT subject exists\nallow {\n object.get(input.auth.identity, \"sub\", \"\") != \"\"\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-05-25T11:25:15Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"b1dd0bb9-811f-438b-9a47-639d5c148336","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\n# Allowed groups and users from all MaaSAuthPolicies\nallowed_groups := [\"system:authenticated\"]\nallowed_users := []\n\n# Extract username from API key, OIDC, or K8s token\nusername := input.auth.metadata.apiKeyValidation.username\n { object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n { object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n { object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n { object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\n# Extract groups from API key, OIDC, or K8s token\ngroups := input.auth.metadata.apiKeyValidation.groups\n { object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n { object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n { object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\n# Allow if user is in allowed users\nallow {\n username == allowed_users[_]\n}\n\n# Allow if any user group is in allowed groups\nallow {\n groups[_] == allowed_groups[_]\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-05-25T11:25:15Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"b1dd0bb9-811f-438b-9a47-639d5c148336","config":{"Name":"subscription-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n\t# Subscription name must be present (selector succeeded)\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\t# Error field must be empty (no validation errors from selector)\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\t# Allowlist: phase must be exactly \"Active\" or \"Degraded\" (reject empty/unreconciled)\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\t# Subscription must not be deleting\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-05-25T11:25:15Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"b1dd0bb9-811f-438b-9a47-639d5c148336","config":{"Name":"Authorization","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"httpHeader","WrapperKey":"authorization","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{"Static":"","Pattern":""}}},"object":""} {"level":"debug","ts":"2026-05-25T11:25:15Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"b1dd0bb9-811f-438b-9a47-639d5c148336","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"} {"level":"debug","ts":"2026-05-25T11:25:15Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"b1dd0bb9-811f-438b-9a47-639d5c148336","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"groups_str","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"userid","Value":{"Static":null,"Pattern":"auth.metadata.apiKeyValidation.username"}},{"Name":"groups","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"keyId","Value":{"Static":null,"Pattern":"auth.metadata.apiKeyValidation.keyId"}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"subscription_error","Value":{}}]},"Plain":null},"object":{"groups":["system:serviceaccounts","system:serviceaccounts:maas-admin","system:authenticated"],"groups_str":"system:serviceaccounts,system:serviceaccounts:maas-admin,system:authenticated","keyId":"e7cc8fd9-5e70-4bc5-8e02-c1a3f9a0a63a","selected_subscription":"simulator-subscription","selected_subscription_key":"models-as-a-service/simulator-subscription@llm/facebook-opt-125m-simulated","subscription_error":"","subscription_error_message":"","subscription_info":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","namespace":"llm","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true},"userid":"system:serviceaccount:maas-admin:tester-admin-user"}} {"level":"info","ts":"2026-05-25T11:25:15Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"b1dd0bb9-811f-438b-9a47-639d5c148336","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-05-25T11:25:15Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"b1dd0bb9-811f-438b-9a47-639d5c148336","authorized":true,"response":"OK"} {"level":"info","ts":"2026-05-25T11:25:15Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"2ce83cc8-f8d7-4e47-87a4-b47a812eeffd","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"100.64.0.4:10702","PortSpecifier":{"PortValue":10702}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.27:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"2ce83cc8-f8d7-4e47-87a4-b47a812eeffd","method":"POST","path":"/llm/facebook-opt-125m-simulated/v1/chat/completions","host":"maas.apps.f079999e-d19a-4ad0-b905-3c6ed0480c51.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-05-25T11:25:15Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"2ce83cc8-f8d7-4e47-87a4-b47a812eeffd","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"100.64.0.4:10702","PortSpecifier":{"PortValue":10702}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.27:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1779708315,"nanos":719175362},"http":{"id":"2ce83cc8-f8d7-4e47-87a4-b47a812eeffd","method":"POST","headers":{":authority":"maas.apps.f079999e-d19a-4ad0-b905-3c6ed0480c51.prod.konfluxeaas.com",":method":"POST",":path":"/llm/facebook-opt-125m-simulated/v1/chat/completions",":scheme":"https","accept":"*/*","authorization":"Bearer **** {"level":"debug","ts":"2026-05-25T11:25:15Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"2ce83cc8-f8d7-4e47-87a4-b47a812eeffd","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-1XRwQGBteuLfxj1Ht_rHa4EfLNOQ96MFRaT9I2ZjX4OBgfnGRv1S2Dur1gxWw"} {"level":"debug","ts":"2026-05-25T11:25:15Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"2ce83cc8-f8d7-4e47-87a4-b47a812eeffd","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-1XRwQGBteuLfxj1Ht_rHa4EfLNOQ96MFRaT9I2ZjX4OBgfnGRv1S2Dur1gxWw\"}"} {"level":"debug","ts":"2026-05-25T11:25:15Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"2ce83cc8-f8d7-4e47-87a4-b47a812eeffd","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-05-25T11:25:15Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"2ce83cc8-f8d7-4e47-87a4-b47a812eeffd","config":"subscription-info","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","headers":{"Content-Type":["application/json"]},"body":"{\"groups\":[\"system:serviceaccounts\",\"system:serviceaccounts:maas-admin\",\"system:authenticated\"],\"requestedModel\":\"llm/facebook-opt-125m-simulated\",\"requestedSubscription\":\"simulator-subscription\",\"username\":\"system:serviceaccount:maas-admin:tester-admin-user\"}"} {"level":"debug","ts":"2026-05-25T11:25:15Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"2ce83cc8-f8d7-4e47-87a4-b47a812eeffd","config":{"Name":"subscription-info","Priority":1,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"UserInfo":null,"UMA":null,"GenericHTTP":{"Endpoint":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","DynamicEndpoint":null,"Method":"POST","Body":{},"Parameters":[],"Headers":[],"ContentType":"application/json","SharedSecret":"","OAuth2":null,"OAuth2TokenForceFetch":false,"AuthCredentials":null}},"object":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","namespace":"llm","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}} {"level":"debug","ts":"2026-05-25T11:25:15Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"2ce83cc8-f8d7-4e47-87a4-b47a812eeffd","input":{"auth":{"identity":"Bearer **** subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","namespace":"llm","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}}},"context":{"context_extensions":{"host":"5aa0fd746a1cbe4557cf771f0b5f5c4020da5a6444c58d701a6d039232d7faab"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.133.0.27:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.f079999e-d19a-4ad0-b905-3c6ed0480c51.prod.konfluxeaas.com",":method":"POST",":path":"/llm/facebook-opt-125m-simulated/v1/chat/completions",":scheme":"https","accept":"*/*","authorization":"Bearer **** sk-oai-1XRwQGBteuLfxj1Ht_rHa4EfLNOQ96MFRaT9I2ZjX4OBgfnGRv1S2Dur1gxWw","content-length":"100","content-type":"application/json","user-agent":"curl/7.76.1","x-envoy-decorator-operation":"facebook-opt-125m-simulated-kserve-workload-svc.llm.svc.cluster.local:8000/*","x-envoy-external-address":"100.64.0.4","x-envoy-peer-metadata":"ChoKCkNMVVNURVJfSUQSDBoKS3ViZXJuZXRlcwqLAQoGTEFCRUxTEoABKn4KSwofc2VydmljZS5pc3Rpby5pby9jYW5vbmljYWwtbmFtZRIoGiZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAovCiNzZXJ2aWNlLmlzdGlvLmlvL2Nhbm9uaWNhbC1yZXZpc2lvbhIIGgZsYXRlc3QKQQoETkFNRRI5GjdtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdC03ZDZmNDQ3Y2Y1LXdsdzR4CiAKCU5BTUVTUEFDRRITGhFvcGVuc2hpZnQtaW5ncmVzcwp0CgVPV05FUhJrGmlrdWJlcm5ldGVzOi8vYXBpcy9hcHBzL3YxL25hbWVzcGFjZXMvb3BlbnNoaWZ0LWluZ3Jlc3MvZGVwbG95bWVudHMvbWFhcy1kZWZhdWx0LWdhdGV3YXktb3BlbnNoaWZ0LWRlZmF1bHQKOQoNV09SS0xPQURfTkFNRRIoGiZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdA==","x-envoy-peer-metadata-id":"router~10.133.0.27~maas-default-gateway-openshift-default-7d6f447cf5-wlw4x.openshift-ingress~openshift-ingress.svc.cluster.local","x-forwarded-for":"100.64.0.4","x-forwarded-proto":"https","x-request-id":"2ce83cc8-f8d7-4e47-87a4-b47a812eeffd"},"host":"maas.apps.f079999e-d19a-4ad0-b905-3c6ed0480c51.prod.konfluxeaas.com","id":"2ce83cc8-f8d7-4e47-87a4-b47a812eeffd","method":"POST","path":"/llm/facebook-opt-125m-simulated/v1/chat/completions","protocol":"HTTP/2","scheme":"https","time":{"nanos":719175362,"seconds":1779708315},"url_path":"/llm/facebook-opt-125m-simulated/v1/chat/completions","user_agent":"curl/7.76.1"},"source":{"address":"100.64.0.4:10702","port":10702}}} {"level":"debug","ts":"2026-05-25T11:25:15Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"2ce83cc8-f8d7-4e47-87a4-b47a812eeffd","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\n# Allowed groups and users from all MaaSAuthPolicies\nallowed_groups := [\"system:authenticated\"]\nallowed_users := []\n\n# Extract username from API key, OIDC, or K8s token\nusername := input.auth.metadata.apiKeyValidation.username\n { object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n { object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n { object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n { object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\n# Extract groups from API key, OIDC, or K8s token\ngroups := input.auth.metadata.apiKeyValidation.groups\n { object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n { object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n { object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\n# Allow if user is in allowed users\nallow {\n username == allowed_users[_]\n}\n\n# Allow if any user group is in allowed groups\nallow {\n groups[_] == allowed_groups[_]\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-05-25T11:25:15Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"2ce83cc8-f8d7-4e47-87a4-b47a812eeffd","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"# API key authentication: validate the key\nallow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\n\n# Kubernetes token authentication: check identity exists\nallow {\n object.get(input.auth.identity, \"user\", {}).username != \"\"\n}\n\n# OIDC token authentication: check JWT subject exists\nallow {\n object.get(input.auth.identity, \"sub\", \"\") != \"\"\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-05-25T11:25:15Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"2ce83cc8-f8d7-4e47-87a4-b47a812eeffd","config":{"Name":"subscription-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n\t# Subscription name must be present (selector succeeded)\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\t# Error field must be empty (no validation errors from selector)\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\t# Allowlist: phase must be exactly \"Active\" or \"Degraded\" (reject empty/unreconciled)\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\t# Subscription must not be deleting\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-05-25T11:25:15Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"2ce83cc8-f8d7-4e47-87a4-b47a812eeffd","config":{"Name":"Authorization","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"httpHeader","WrapperKey":"authorization","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{"Static":"","Pattern":""}}},"object":""} {"level":"debug","ts":"2026-05-25T11:25:15Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"2ce83cc8-f8d7-4e47-87a4-b47a812eeffd","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"} {"level":"debug","ts":"2026-05-25T11:25:15Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"2ce83cc8-f8d7-4e47-87a4-b47a812eeffd","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"groups_str","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"userid","Value":{"Static":null,"Pattern":"auth.metadata.apiKeyValidation.username"}},{"Name":"groups","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"keyId","Value":{"Static":null,"Pattern":"auth.metadata.apiKeyValidation.keyId"}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"subscription_error","Value":{}}]},"Plain":null},"object":{"groups":["system:serviceaccounts","system:serviceaccounts:maas-admin","system:authenticated"],"groups_str":"system:serviceaccounts,system:serviceaccounts:maas-admin,system:authenticated","keyId":"e7cc8fd9-5e70-4bc5-8e02-c1a3f9a0a63a","selected_subscription":"simulator-subscription","selected_subscription_key":"models-as-a-service/simulator-subscription@llm/facebook-opt-125m-simulated","subscription_error":"","subscription_error_message":"","subscription_info":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","namespace":"llm","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true},"userid":"system:serviceaccount:maas-admin:tester-admin-user"}} {"level":"info","ts":"2026-05-25T11:25:15Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"2ce83cc8-f8d7-4e47-87a4-b47a812eeffd","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-05-25T11:25:15Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"2ce83cc8-f8d7-4e47-87a4-b47a812eeffd","authorized":true,"response":"OK"} {"level":"info","ts":"2026-05-25T11:25:15Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"b97e1cfb-7b9d-4aa8-bc6b-9dac1cbf0ffd","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"100.64.0.3:46360","PortSpecifier":{"PortValue":46360}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.27:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"b97e1cfb-7b9d-4aa8-bc6b-9dac1cbf0ffd","method":"POST","path":"/llm/facebook-opt-125m-simulated/v1/chat/completions","host":"maas.apps.f079999e-d19a-4ad0-b905-3c6ed0480c51.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-05-25T11:25:15Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"b97e1cfb-7b9d-4aa8-bc6b-9dac1cbf0ffd","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"100.64.0.3:46360","PortSpecifier":{"PortValue":46360}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.27:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1779708315,"nanos":747124084},"http":{"id":"b97e1cfb-7b9d-4aa8-bc6b-9dac1cbf0ffd","method":"POST","headers":{":authority":"maas.apps.f079999e-d19a-4ad0-b905-3c6ed0480c51.prod.konfluxeaas.com",":method":"POST",":path":"/llm/facebook-opt-125m-simulated/v1/chat/completions",":scheme":"https","accept":"*/*","authorization":"Bearer **** {"level":"debug","ts":"2026-05-25T11:25:15Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"b97e1cfb-7b9d-4aa8-bc6b-9dac1cbf0ffd","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-1XRwQGBteuLfxj1Ht_rHa4EfLNOQ96MFRaT9I2ZjX4OBgfnGRv1S2Dur1gxWw"} {"level":"debug","ts":"2026-05-25T11:25:15Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"b97e1cfb-7b9d-4aa8-bc6b-9dac1cbf0ffd","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-1XRwQGBteuLfxj1Ht_rHa4EfLNOQ96MFRaT9I2ZjX4OBgfnGRv1S2Dur1gxWw\"}"} {"level":"debug","ts":"2026-05-25T11:25:15Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"b97e1cfb-7b9d-4aa8-bc6b-9dac1cbf0ffd","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-05-25T11:25:15Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"b97e1cfb-7b9d-4aa8-bc6b-9dac1cbf0ffd","config":"subscription-info","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","headers":{"Content-Type":["application/json"]},"body":"{\"groups\":[\"system:serviceaccounts\",\"system:serviceaccounts:maas-admin\",\"system:authenticated\"],\"requestedModel\":\"llm/facebook-opt-125m-simulated\",\"requestedSubscription\":\"simulator-subscription\",\"username\":\"system:serviceaccount:maas-admin:tester-admin-user\"}"} {"level":"debug","ts":"2026-05-25T11:25:15Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"b97e1cfb-7b9d-4aa8-bc6b-9dac1cbf0ffd","config":{"Name":"subscription-info","Priority":1,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"UserInfo":null,"UMA":null,"GenericHTTP":{"Endpoint":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","DynamicEndpoint":null,"Method":"POST","Body":{},"Parameters":[],"Headers":[],"ContentType":"application/json","SharedSecret":"","OAuth2":null,"OAuth2TokenForceFetch":false,"AuthCredentials":null}},"object":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","namespace":"llm","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}} {"level":"debug","ts":"2026-05-25T11:25:15Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"b97e1cfb-7b9d-4aa8-bc6b-9dac1cbf0ffd","input":{"auth":{"identity":"Bearer **** subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","namespace":"llm","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}}},"context":{"context_extensions":{"host":"5aa0fd746a1cbe4557cf771f0b5f5c4020da5a6444c58d701a6d039232d7faab"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.133.0.27:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.f079999e-d19a-4ad0-b905-3c6ed0480c51.prod.konfluxeaas.com",":method":"POST",":path":"/llm/facebook-opt-125m-simulated/v1/chat/completions",":scheme":"https","accept":"*/*","authorization":"Bearer **** sk-oai-1XRwQGBteuLfxj1Ht_rHa4EfLNOQ96MFRaT9I2ZjX4OBgfnGRv1S2Dur1gxWw","content-length":"100","content-type":"application/json","user-agent":"curl/7.76.1","x-envoy-decorator-operation":"facebook-opt-125m-simulated-kserve-workload-svc.llm.svc.cluster.local:8000/*","x-envoy-external-address":"100.64.0.3","x-envoy-peer-metadata":"ChoKCkNMVVNURVJfSUQSDBoKS3ViZXJuZXRlcwqLAQoGTEFCRUxTEoABKn4KSwofc2VydmljZS5pc3Rpby5pby9jYW5vbmljYWwtbmFtZRIoGiZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAovCiNzZXJ2aWNlLmlzdGlvLmlvL2Nhbm9uaWNhbC1yZXZpc2lvbhIIGgZsYXRlc3QKQQoETkFNRRI5GjdtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdC03ZDZmNDQ3Y2Y1LXdsdzR4CiAKCU5BTUVTUEFDRRITGhFvcGVuc2hpZnQtaW5ncmVzcwp0CgVPV05FUhJrGmlrdWJlcm5ldGVzOi8vYXBpcy9hcHBzL3YxL25hbWVzcGFjZXMvb3BlbnNoaWZ0LWluZ3Jlc3MvZGVwbG95bWVudHMvbWFhcy1kZWZhdWx0LWdhdGV3YXktb3BlbnNoaWZ0LWRlZmF1bHQKOQoNV09SS0xPQURfTkFNRRIoGiZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdA==","x-envoy-peer-metadata-id":"router~10.133.0.27~maas-default-gateway-openshift-default-7d6f447cf5-wlw4x.openshift-ingress~openshift-ingress.svc.cluster.local","x-forwarded-for":"100.64.0.3","x-forwarded-proto":"https","x-request-id":"b97e1cfb-7b9d-4aa8-bc6b-9dac1cbf0ffd"},"host":"maas.apps.f079999e-d19a-4ad0-b905-3c6ed0480c51.prod.konfluxeaas.com","id":"b97e1cfb-7b9d-4aa8-bc6b-9dac1cbf0ffd","method":"POST","path":"/llm/facebook-opt-125m-simulated/v1/chat/completions","protocol":"HTTP/2","scheme":"https","time":{"nanos":747124084,"seconds":1779708315},"url_path":"/llm/facebook-opt-125m-simulated/v1/chat/completions","user_agent":"curl/7.76.1"},"source":{"address":"100.64.0.3:46360","port":46360}}} {"level":"debug","ts":"2026-05-25T11:25:15Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"b97e1cfb-7b9d-4aa8-bc6b-9dac1cbf0ffd","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"# API key authentication: validate the key\nallow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\n\n# Kubernetes token authentication: check identity exists\nallow {\n object.get(input.auth.identity, \"user\", {}).username != \"\"\n}\n\n# OIDC token authentication: check JWT subject exists\nallow {\n object.get(input.auth.identity, \"sub\", \"\") != \"\"\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-05-25T11:25:15Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"b97e1cfb-7b9d-4aa8-bc6b-9dac1cbf0ffd","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\n# Allowed groups and users from all MaaSAuthPolicies\nallowed_groups := [\"system:authenticated\"]\nallowed_users := []\n\n# Extract username from API key, OIDC, or K8s token\nusername := input.auth.metadata.apiKeyValidation.username\n { object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n { object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n { object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n { object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\n# Extract groups from API key, OIDC, or K8s token\ngroups := input.auth.metadata.apiKeyValidation.groups\n { object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n { object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n { object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\n# Allow if user is in allowed users\nallow {\n username == allowed_users[_]\n}\n\n# Allow if any user group is in allowed groups\nallow {\n groups[_] == allowed_groups[_]\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-05-25T11:25:15Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"b97e1cfb-7b9d-4aa8-bc6b-9dac1cbf0ffd","config":{"Name":"subscription-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n\t# Subscription name must be present (selector succeeded)\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\t# Error field must be empty (no validation errors from selector)\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\t# Allowlist: phase must be exactly \"Active\" or \"Degraded\" (reject empty/unreconciled)\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\t# Subscription must not be deleting\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-05-25T11:25:15Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"b97e1cfb-7b9d-4aa8-bc6b-9dac1cbf0ffd","config":{"Name":"Authorization","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"httpHeader","WrapperKey":"authorization","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{"Static":"","Pattern":""}}},"object":""} {"level":"debug","ts":"2026-05-25T11:25:15Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"b97e1cfb-7b9d-4aa8-bc6b-9dac1cbf0ffd","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"} {"level":"debug","ts":"2026-05-25T11:25:15Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"b97e1cfb-7b9d-4aa8-bc6b-9dac1cbf0ffd","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"groups_str","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"userid","Value":{"Static":null,"Pattern":"auth.metadata.apiKeyValidation.username"}},{"Name":"groups","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"keyId","Value":{"Static":null,"Pattern":"auth.metadata.apiKeyValidation.keyId"}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"subscription_error","Value":{}}]},"Plain":null},"object":{"groups":["system:serviceaccounts","system:serviceaccounts:maas-admin","system:authenticated"],"groups_str":"system:serviceaccounts,system:serviceaccounts:maas-admin,system:authenticated","keyId":"e7cc8fd9-5e70-4bc5-8e02-c1a3f9a0a63a","selected_subscription":"simulator-subscription","selected_subscription_key":"models-as-a-service/simulator-subscription@llm/facebook-opt-125m-simulated","subscription_error":"","subscription_error_message":"","subscription_info":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","namespace":"llm","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true},"userid":"system:serviceaccount:maas-admin:tester-admin-user"}} {"level":"info","ts":"2026-05-25T11:25:15Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"b97e1cfb-7b9d-4aa8-bc6b-9dac1cbf0ffd","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-05-25T11:25:15Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"b97e1cfb-7b9d-4aa8-bc6b-9dac1cbf0ffd","authorized":true,"response":"OK"} {"level":"info","ts":"2026-05-25T11:25:15Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"a936d8f9-b5c3-4d92-ae39-cce3268f2d6e","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"100.64.0.4:47940","PortSpecifier":{"PortValue":47940}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.27:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"a936d8f9-b5c3-4d92-ae39-cce3268f2d6e","method":"POST","path":"/llm/facebook-opt-125m-simulated/v1/chat/completions","host":"maas.apps.f079999e-d19a-4ad0-b905-3c6ed0480c51.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-05-25T11:25:15Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"a936d8f9-b5c3-4d92-ae39-cce3268f2d6e","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"100.64.0.4:47940","PortSpecifier":{"PortValue":47940}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.27:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1779708315,"nanos":777910628},"http":{"id":"a936d8f9-b5c3-4d92-ae39-cce3268f2d6e","method":"POST","headers":{":authority":"maas.apps.f079999e-d19a-4ad0-b905-3c6ed0480c51.prod.konfluxeaas.com",":method":"POST",":path":"/llm/facebook-opt-125m-simulated/v1/chat/completions",":scheme":"https","accept":"*/*","authorization":"Bearer **** {"level":"debug","ts":"2026-05-25T11:25:15Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"a936d8f9-b5c3-4d92-ae39-cce3268f2d6e","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-1XRwQGBteuLfxj1Ht_rHa4EfLNOQ96MFRaT9I2ZjX4OBgfnGRv1S2Dur1gxWw"} {"level":"debug","ts":"2026-05-25T11:25:15Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"a936d8f9-b5c3-4d92-ae39-cce3268f2d6e","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-1XRwQGBteuLfxj1Ht_rHa4EfLNOQ96MFRaT9I2ZjX4OBgfnGRv1S2Dur1gxWw\"}"} {"level":"debug","ts":"2026-05-25T11:25:15Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"a936d8f9-b5c3-4d92-ae39-cce3268f2d6e","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-05-25T11:25:15Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"a936d8f9-b5c3-4d92-ae39-cce3268f2d6e","config":"subscription-info","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","headers":{"Content-Type":["application/json"]},"body":"{\"groups\":[\"system:serviceaccounts\",\"system:serviceaccounts:maas-admin\",\"system:authenticated\"],\"requestedModel\":\"llm/facebook-opt-125m-simulated\",\"requestedSubscription\":\"simulator-subscription\",\"username\":\"system:serviceaccount:maas-admin:tester-admin-user\"}"} {"level":"debug","ts":"2026-05-25T11:25:15Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"a936d8f9-b5c3-4d92-ae39-cce3268f2d6e","config":{"Name":"subscription-info","Priority":1,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"UserInfo":null,"UMA":null,"GenericHTTP":{"Endpoint":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","DynamicEndpoint":null,"Method":"POST","Body":{},"Parameters":[],"Headers":[],"ContentType":"application/json","SharedSecret":"","OAuth2":null,"OAuth2TokenForceFetch":false,"AuthCredentials":null}},"object":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","namespace":"llm","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}} {"level":"debug","ts":"2026-05-25T11:25:15Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"a936d8f9-b5c3-4d92-ae39-cce3268f2d6e","input":{"auth":{"identity":"Bearer **** subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","namespace":"llm","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}}},"context":{"context_extensions":{"host":"5aa0fd746a1cbe4557cf771f0b5f5c4020da5a6444c58d701a6d039232d7faab"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.133.0.27:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.f079999e-d19a-4ad0-b905-3c6ed0480c51.prod.konfluxeaas.com",":method":"POST",":path":"/llm/facebook-opt-125m-simulated/v1/chat/completions",":scheme":"https","accept":"*/*","authorization":"Bearer **** sk-oai-1XRwQGBteuLfxj1Ht_rHa4EfLNOQ96MFRaT9I2ZjX4OBgfnGRv1S2Dur1gxWw","content-length":"100","content-type":"application/json","user-agent":"curl/7.76.1","x-envoy-decorator-operation":"facebook-opt-125m-simulated-kserve-workload-svc.llm.svc.cluster.local:8000/*","x-envoy-external-address":"100.64.0.4","x-envoy-peer-metadata":"ChoKCkNMVVNURVJfSUQSDBoKS3ViZXJuZXRlcwqLAQoGTEFCRUxTEoABKn4KSwofc2VydmljZS5pc3Rpby5pby9jYW5vbmljYWwtbmFtZRIoGiZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAovCiNzZXJ2aWNlLmlzdGlvLmlvL2Nhbm9uaWNhbC1yZXZpc2lvbhIIGgZsYXRlc3QKQQoETkFNRRI5GjdtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdC03ZDZmNDQ3Y2Y1LXdsdzR4CiAKCU5BTUVTUEFDRRITGhFvcGVuc2hpZnQtaW5ncmVzcwp0CgVPV05FUhJrGmlrdWJlcm5ldGVzOi8vYXBpcy9hcHBzL3YxL25hbWVzcGFjZXMvb3BlbnNoaWZ0LWluZ3Jlc3MvZGVwbG95bWVudHMvbWFhcy1kZWZhdWx0LWdhdGV3YXktb3BlbnNoaWZ0LWRlZmF1bHQKOQoNV09SS0xPQURfTkFNRRIoGiZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdA==","x-envoy-peer-metadata-id":"router~10.133.0.27~maas-default-gateway-openshift-default-7d6f447cf5-wlw4x.openshift-ingress~openshift-ingress.svc.cluster.local","x-forwarded-for":"100.64.0.4","x-forwarded-proto":"https","x-request-id":"a936d8f9-b5c3-4d92-ae39-cce3268f2d6e"},"host":"maas.apps.f079999e-d19a-4ad0-b905-3c6ed0480c51.prod.konfluxeaas.com","id":"a936d8f9-b5c3-4d92-ae39-cce3268f2d6e","method":"POST","path":"/llm/facebook-opt-125m-simulated/v1/chat/completions","protocol":"HTTP/2","scheme":"https","time":{"nanos":777910628,"seconds":1779708315},"url_path":"/llm/facebook-opt-125m-simulated/v1/chat/completions","user_agent":"curl/7.76.1"},"source":{"address":"100.64.0.4:47940","port":47940}}} {"level":"debug","ts":"2026-05-25T11:25:15Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"a936d8f9-b5c3-4d92-ae39-cce3268f2d6e","config":{"Name":"subscription-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n\t# Subscription name must be present (selector succeeded)\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\t# Error field must be empty (no validation errors from selector)\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\t# Allowlist: phase must be exactly \"Active\" or \"Degraded\" (reject empty/unreconciled)\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\t# Subscription must not be deleting\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-05-25T11:25:15Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"a936d8f9-b5c3-4d92-ae39-cce3268f2d6e","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"# API key authentication: validate the key\nallow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\n\n# Kubernetes token authentication: check identity exists\nallow {\n object.get(input.auth.identity, \"user\", {}).username != \"\"\n}\n\n# OIDC token authentication: check JWT subject exists\nallow {\n object.get(input.auth.identity, \"sub\", \"\") != \"\"\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-05-25T11:25:15Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"a936d8f9-b5c3-4d92-ae39-cce3268f2d6e","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\n# Allowed groups and users from all MaaSAuthPolicies\nallowed_groups := [\"system:authenticated\"]\nallowed_users := []\n\n# Extract username from API key, OIDC, or K8s token\nusername := input.auth.metadata.apiKeyValidation.username\n { object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n { object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n { object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n { object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\n# Extract groups from API key, OIDC, or K8s token\ngroups := input.auth.metadata.apiKeyValidation.groups\n { object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n { object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n { object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\n# Allow if user is in allowed users\nallow {\n username == allowed_users[_]\n}\n\n# Allow if any user group is in allowed groups\nallow {\n groups[_] == allowed_groups[_]\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-05-25T11:25:15Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"a936d8f9-b5c3-4d92-ae39-cce3268f2d6e","config":{"Name":"Authorization","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"httpHeader","WrapperKey":"authorization","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{"Static":"","Pattern":""}}},"object":""} {"level":"debug","ts":"2026-05-25T11:25:15Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"a936d8f9-b5c3-4d92-ae39-cce3268f2d6e","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"} {"level":"debug","ts":"2026-05-25T11:25:15Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"a936d8f9-b5c3-4d92-ae39-cce3268f2d6e","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"groups_str","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"userid","Value":{"Static":null,"Pattern":"auth.metadata.apiKeyValidation.username"}},{"Name":"groups","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"keyId","Value":{"Static":null,"Pattern":"auth.metadata.apiKeyValidation.keyId"}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"subscription_error","Value":{}}]},"Plain":null},"object":{"groups":["system:serviceaccounts","system:serviceaccounts:maas-admin","system:authenticated"],"groups_str":"system:serviceaccounts,system:serviceaccounts:maas-admin,system:authenticated","keyId":"e7cc8fd9-5e70-4bc5-8e02-c1a3f9a0a63a","selected_subscription":"simulator-subscription","selected_subscription_key":"models-as-a-service/simulator-subscription@llm/facebook-opt-125m-simulated","subscription_error":"","subscription_error_message":"","subscription_info":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","namespace":"llm","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true},"userid":"system:serviceaccount:maas-admin:tester-admin-user"}} {"level":"info","ts":"2026-05-25T11:25:15Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"a936d8f9-b5c3-4d92-ae39-cce3268f2d6e","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-05-25T11:25:15Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"a936d8f9-b5c3-4d92-ae39-cce3268f2d6e","authorized":true,"response":"OK"} {"level":"info","ts":"2026-05-25T11:25:15Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"15283d52-9bb0-4f10-9e52-b57e8b5463eb","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"100.64.0.2:39830","PortSpecifier":{"PortValue":39830}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.27:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"15283d52-9bb0-4f10-9e52-b57e8b5463eb","method":"POST","path":"/llm/facebook-opt-125m-simulated/v1/chat/completions","host":"maas.apps.f079999e-d19a-4ad0-b905-3c6ed0480c51.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-05-25T11:25:15Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"15283d52-9bb0-4f10-9e52-b57e8b5463eb","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"100.64.0.2:39830","PortSpecifier":{"PortValue":39830}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.27:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1779708315,"nanos":806862220},"http":{"id":"15283d52-9bb0-4f10-9e52-b57e8b5463eb","method":"POST","headers":{":authority":"maas.apps.f079999e-d19a-4ad0-b905-3c6ed0480c51.prod.konfluxeaas.com",":method":"POST",":path":"/llm/facebook-opt-125m-simulated/v1/chat/completions",":scheme":"https","accept":"*/*","authorization":"Bearer **** {"level":"debug","ts":"2026-05-25T11:25:15Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"15283d52-9bb0-4f10-9e52-b57e8b5463eb","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-1XRwQGBteuLfxj1Ht_rHa4EfLNOQ96MFRaT9I2ZjX4OBgfnGRv1S2Dur1gxWw"} {"level":"debug","ts":"2026-05-25T11:25:15Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"15283d52-9bb0-4f10-9e52-b57e8b5463eb","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-1XRwQGBteuLfxj1Ht_rHa4EfLNOQ96MFRaT9I2ZjX4OBgfnGRv1S2Dur1gxWw\"}"} {"level":"debug","ts":"2026-05-25T11:25:15Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"15283d52-9bb0-4f10-9e52-b57e8b5463eb","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-05-25T11:25:15Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"15283d52-9bb0-4f10-9e52-b57e8b5463eb","config":"subscription-info","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","headers":{"Content-Type":["application/json"]},"body":"{\"groups\":[\"system:serviceaccounts\",\"system:serviceaccounts:maas-admin\",\"system:authenticated\"],\"requestedModel\":\"llm/facebook-opt-125m-simulated\",\"requestedSubscription\":\"simulator-subscription\",\"username\":\"system:serviceaccount:maas-admin:tester-admin-user\"}"} {"level":"debug","ts":"2026-05-25T11:25:15Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"15283d52-9bb0-4f10-9e52-b57e8b5463eb","config":{"Name":"subscription-info","Priority":1,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"UserInfo":null,"UMA":null,"GenericHTTP":{"Endpoint":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","DynamicEndpoint":null,"Method":"POST","Body":{},"Parameters":[],"Headers":[],"ContentType":"application/json","SharedSecret":"","OAuth2":null,"OAuth2TokenForceFetch":false,"AuthCredentials":null}},"object":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","namespace":"llm","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}} {"level":"debug","ts":"2026-05-25T11:25:15Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"15283d52-9bb0-4f10-9e52-b57e8b5463eb","input":{"auth":{"identity":"Bearer **** subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","namespace":"llm","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}}},"context":{"context_extensions":{"host":"5aa0fd746a1cbe4557cf771f0b5f5c4020da5a6444c58d701a6d039232d7faab"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.133.0.27:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.f079999e-d19a-4ad0-b905-3c6ed0480c51.prod.konfluxeaas.com",":method":"POST",":path":"/llm/facebook-opt-125m-simulated/v1/chat/completions",":scheme":"https","accept":"*/*","authorization":"Bearer **** sk-oai-1XRwQGBteuLfxj1Ht_rHa4EfLNOQ96MFRaT9I2ZjX4OBgfnGRv1S2Dur1gxWw","content-length":"100","content-type":"application/json","user-agent":"curl/7.76.1","x-envoy-decorator-operation":"facebook-opt-125m-simulated-kserve-workload-svc.llm.svc.cluster.local:8000/*","x-envoy-external-address":"100.64.0.2","x-envoy-peer-metadata":"ChoKCkNMVVNURVJfSUQSDBoKS3ViZXJuZXRlcwqLAQoGTEFCRUxTEoABKn4KSwofc2VydmljZS5pc3Rpby5pby9jYW5vbmljYWwtbmFtZRIoGiZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAovCiNzZXJ2aWNlLmlzdGlvLmlvL2Nhbm9uaWNhbC1yZXZpc2lvbhIIGgZsYXRlc3QKQQoETkFNRRI5GjdtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdC03ZDZmNDQ3Y2Y1LXdsdzR4CiAKCU5BTUVTUEFDRRITGhFvcGVuc2hpZnQtaW5ncmVzcwp0CgVPV05FUhJrGmlrdWJlcm5ldGVzOi8vYXBpcy9hcHBzL3YxL25hbWVzcGFjZXMvb3BlbnNoaWZ0LWluZ3Jlc3MvZGVwbG95bWVudHMvbWFhcy1kZWZhdWx0LWdhdGV3YXktb3BlbnNoaWZ0LWRlZmF1bHQKOQoNV09SS0xPQURfTkFNRRIoGiZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdA==","x-envoy-peer-metadata-id":"router~10.133.0.27~maas-default-gateway-openshift-default-7d6f447cf5-wlw4x.openshift-ingress~openshift-ingress.svc.cluster.local","x-forwarded-for":"100.64.0.2","x-forwarded-proto":"https","x-request-id":"15283d52-9bb0-4f10-9e52-b57e8b5463eb"},"host":"maas.apps.f079999e-d19a-4ad0-b905-3c6ed0480c51.prod.konfluxeaas.com","id":"15283d52-9bb0-4f10-9e52-b57e8b5463eb","method":"POST","path":"/llm/facebook-opt-125m-simulated/v1/chat/completions","protocol":"HTTP/2","scheme":"https","time":{"nanos":806862220,"seconds":1779708315},"url_path":"/llm/facebook-opt-125m-simulated/v1/chat/completions","user_agent":"curl/7.76.1"},"source":{"address":"100.64.0.2:39830","port":39830}}} {"level":"debug","ts":"2026-05-25T11:25:15Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"15283d52-9bb0-4f10-9e52-b57e8b5463eb","config":{"Name":"subscription-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n\t# Subscription name must be present (selector succeeded)\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\t# Error field must be empty (no validation errors from selector)\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\t# Allowlist: phase must be exactly \"Active\" or \"Degraded\" (reject empty/unreconciled)\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\t# Subscription must not be deleting\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-05-25T11:25:15Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"15283d52-9bb0-4f10-9e52-b57e8b5463eb","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"# API key authentication: validate the key\nallow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\n\n# Kubernetes token authentication: check identity exists\nallow {\n object.get(input.auth.identity, \"user\", {}).username != \"\"\n}\n\n# OIDC token authentication: check JWT subject exists\nallow {\n object.get(input.auth.identity, \"sub\", \"\") != \"\"\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-05-25T11:25:15Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"15283d52-9bb0-4f10-9e52-b57e8b5463eb","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\n# Allowed groups and users from all MaaSAuthPolicies\nallowed_groups := [\"system:authenticated\"]\nallowed_users := []\n\n# Extract username from API key, OIDC, or K8s token\nusername := input.auth.metadata.apiKeyValidation.username\n { object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n { object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n { object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n { object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\n# Extract groups from API key, OIDC, or K8s token\ngroups := input.auth.metadata.apiKeyValidation.groups\n { object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n { object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n { object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\n# Allow if user is in allowed users\nallow {\n username == allowed_users[_]\n}\n\n# Allow if any user group is in allowed groups\nallow {\n groups[_] == allowed_groups[_]\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-05-25T11:25:15Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"15283d52-9bb0-4f10-9e52-b57e8b5463eb","config":{"Name":"Authorization","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"httpHeader","WrapperKey":"authorization","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{"Static":"","Pattern":""}}},"object":""} {"level":"debug","ts":"2026-05-25T11:25:15Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"15283d52-9bb0-4f10-9e52-b57e8b5463eb","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"} {"level":"debug","ts":"2026-05-25T11:25:15Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"15283d52-9bb0-4f10-9e52-b57e8b5463eb","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"groups_str","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"userid","Value":{"Static":null,"Pattern":"auth.metadata.apiKeyValidation.username"}},{"Name":"groups","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"keyId","Value":{"Static":null,"Pattern":"auth.metadata.apiKeyValidation.keyId"}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"subscription_error","Value":{}}]},"Plain":null},"object":{"groups":["system:serviceaccounts","system:serviceaccounts:maas-admin","system:authenticated"],"groups_str":"system:serviceaccounts,system:serviceaccounts:maas-admin,system:authenticated","keyId":"e7cc8fd9-5e70-4bc5-8e02-c1a3f9a0a63a","selected_subscription":"simulator-subscription","selected_subscription_key":"models-as-a-service/simulator-subscription@llm/facebook-opt-125m-simulated","subscription_error":"","subscription_error_message":"","subscription_info":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","namespace":"llm","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true},"userid":"system:serviceaccount:maas-admin:tester-admin-user"}} {"level":"info","ts":"2026-05-25T11:25:15Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"15283d52-9bb0-4f10-9e52-b57e8b5463eb","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-05-25T11:25:15Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"15283d52-9bb0-4f10-9e52-b57e8b5463eb","authorized":true,"response":"OK"} {"level":"info","ts":"2026-05-25T11:25:15Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"8b897426-bf06-49fb-a0aa-ffeb37f0067b","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"100.64.0.2:5602","PortSpecifier":{"PortValue":5602}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.27:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"8b897426-bf06-49fb-a0aa-ffeb37f0067b","method":"POST","path":"/llm/facebook-opt-125m-simulated/v1/chat/completions","host":"maas.apps.f079999e-d19a-4ad0-b905-3c6ed0480c51.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-05-25T11:25:15Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"8b897426-bf06-49fb-a0aa-ffeb37f0067b","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"100.64.0.2:5602","PortSpecifier":{"PortValue":5602}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.27:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1779708315,"nanos":835164073},"http":{"id":"8b897426-bf06-49fb-a0aa-ffeb37f0067b","method":"POST","headers":{":authority":"maas.apps.f079999e-d19a-4ad0-b905-3c6ed0480c51.prod.konfluxeaas.com",":method":"POST",":path":"/llm/facebook-opt-125m-simulated/v1/chat/completions",":scheme":"https","accept":"*/*","authorization":"Bearer **** {"level":"debug","ts":"2026-05-25T11:25:15Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"8b897426-bf06-49fb-a0aa-ffeb37f0067b","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-1XRwQGBteuLfxj1Ht_rHa4EfLNOQ96MFRaT9I2ZjX4OBgfnGRv1S2Dur1gxWw"} {"level":"debug","ts":"2026-05-25T11:25:15Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"8b897426-bf06-49fb-a0aa-ffeb37f0067b","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-1XRwQGBteuLfxj1Ht_rHa4EfLNOQ96MFRaT9I2ZjX4OBgfnGRv1S2Dur1gxWw\"}"} {"level":"debug","ts":"2026-05-25T11:25:15Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"8b897426-bf06-49fb-a0aa-ffeb37f0067b","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-05-25T11:25:15Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"8b897426-bf06-49fb-a0aa-ffeb37f0067b","config":"subscription-info","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","headers":{"Content-Type":["application/json"]},"body":"{\"groups\":[\"system:serviceaccounts\",\"system:serviceaccounts:maas-admin\",\"system:authenticated\"],\"requestedModel\":\"llm/facebook-opt-125m-simulated\",\"requestedSubscription\":\"simulator-subscription\",\"username\":\"system:serviceaccount:maas-admin:tester-admin-user\"}"} {"level":"debug","ts":"2026-05-25T11:25:15Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"8b897426-bf06-49fb-a0aa-ffeb37f0067b","config":{"Name":"subscription-info","Priority":1,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"UserInfo":null,"UMA":null,"GenericHTTP":{"Endpoint":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","DynamicEndpoint":null,"Method":"POST","Body":{},"Parameters":[],"Headers":[],"ContentType":"application/json","SharedSecret":"","OAuth2":null,"OAuth2TokenForceFetch":false,"AuthCredentials":null}},"object":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","namespace":"llm","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}} {"level":"debug","ts":"2026-05-25T11:25:15Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"8b897426-bf06-49fb-a0aa-ffeb37f0067b","input":{"auth":{"identity":"Bearer **** subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","namespace":"llm","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}}},"context":{"context_extensions":{"host":"5aa0fd746a1cbe4557cf771f0b5f5c4020da5a6444c58d701a6d039232d7faab"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.133.0.27:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.f079999e-d19a-4ad0-b905-3c6ed0480c51.prod.konfluxeaas.com",":method":"POST",":path":"/llm/facebook-opt-125m-simulated/v1/chat/completions",":scheme":"https","accept":"*/*","authorization":"Bearer **** sk-oai-1XRwQGBteuLfxj1Ht_rHa4EfLNOQ96MFRaT9I2ZjX4OBgfnGRv1S2Dur1gxWw","content-length":"100","content-type":"application/json","user-agent":"curl/7.76.1","x-envoy-decorator-operation":"facebook-opt-125m-simulated-kserve-workload-svc.llm.svc.cluster.local:8000/*","x-envoy-external-address":"100.64.0.2","x-envoy-peer-metadata":"ChoKCkNMVVNURVJfSUQSDBoKS3ViZXJuZXRlcwqLAQoGTEFCRUxTEoABKn4KSwofc2VydmljZS5pc3Rpby5pby9jYW5vbmljYWwtbmFtZRIoGiZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAovCiNzZXJ2aWNlLmlzdGlvLmlvL2Nhbm9uaWNhbC1yZXZpc2lvbhIIGgZsYXRlc3QKQQoETkFNRRI5GjdtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdC03ZDZmNDQ3Y2Y1LXdsdzR4CiAKCU5BTUVTUEFDRRITGhFvcGVuc2hpZnQtaW5ncmVzcwp0CgVPV05FUhJrGmlrdWJlcm5ldGVzOi8vYXBpcy9hcHBzL3YxL25hbWVzcGFjZXMvb3BlbnNoaWZ0LWluZ3Jlc3MvZGVwbG95bWVudHMvbWFhcy1kZWZhdWx0LWdhdGV3YXktb3BlbnNoaWZ0LWRlZmF1bHQKOQoNV09SS0xPQURfTkFNRRIoGiZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdA==","x-envoy-peer-metadata-id":"router~10.133.0.27~maas-default-gateway-openshift-default-7d6f447cf5-wlw4x.openshift-ingress~openshift-ingress.svc.cluster.local","x-forwarded-for":"100.64.0.2","x-forwarded-proto":"https","x-request-id":"8b897426-bf06-49fb-a0aa-ffeb37f0067b"},"host":"maas.apps.f079999e-d19a-4ad0-b905-3c6ed0480c51.prod.konfluxeaas.com","id":"8b897426-bf06-49fb-a0aa-ffeb37f0067b","method":"POST","path":"/llm/facebook-opt-125m-simulated/v1/chat/completions","protocol":"HTTP/2","scheme":"https","time":{"nanos":835164073,"seconds":1779708315},"url_path":"/llm/facebook-opt-125m-simulated/v1/chat/completions","user_agent":"curl/7.76.1"},"source":{"address":"100.64.0.2:5602","port":5602}}} {"level":"debug","ts":"2026-05-25T11:25:15Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"8b897426-bf06-49fb-a0aa-ffeb37f0067b","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"# API key authentication: validate the key\nallow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\n\n# Kubernetes token authentication: check identity exists\nallow {\n object.get(input.auth.identity, \"user\", {}).username != \"\"\n}\n\n# OIDC token authentication: check JWT subject exists\nallow {\n object.get(input.auth.identity, \"sub\", \"\") != \"\"\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-05-25T11:25:15Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"8b897426-bf06-49fb-a0aa-ffeb37f0067b","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\n# Allowed groups and users from all MaaSAuthPolicies\nallowed_groups := [\"system:authenticated\"]\nallowed_users := []\n\n# Extract username from API key, OIDC, or K8s token\nusername := input.auth.metadata.apiKeyValidation.username\n { object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n { object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n { object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n { object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\n# Extract groups from API key, OIDC, or K8s token\ngroups := input.auth.metadata.apiKeyValidation.groups\n { object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n { object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n { object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\n# Allow if user is in allowed users\nallow {\n username == allowed_users[_]\n}\n\n# Allow if any user group is in allowed groups\nallow {\n groups[_] == allowed_groups[_]\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-05-25T11:25:15Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"8b897426-bf06-49fb-a0aa-ffeb37f0067b","config":{"Name":"subscription-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n\t# Subscription name must be present (selector succeeded)\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\t# Error field must be empty (no validation errors from selector)\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\t# Allowlist: phase must be exactly \"Active\" or \"Degraded\" (reject empty/unreconciled)\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\t# Subscription must not be deleting\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-05-25T11:25:15Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"8b897426-bf06-49fb-a0aa-ffeb37f0067b","config":{"Name":"Authorization","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"httpHeader","WrapperKey":"authorization","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{"Static":"","Pattern":""}}},"object":""} {"level":"debug","ts":"2026-05-25T11:25:15Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"8b897426-bf06-49fb-a0aa-ffeb37f0067b","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"} {"level":"debug","ts":"2026-05-25T11:25:15Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"8b897426-bf06-49fb-a0aa-ffeb37f0067b","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"groups_str","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"userid","Value":{"Static":null,"Pattern":"auth.metadata.apiKeyValidation.username"}},{"Name":"groups","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"keyId","Value":{"Static":null,"Pattern":"auth.metadata.apiKeyValidation.keyId"}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"subscription_error","Value":{}}]},"Plain":null},"object":{"groups":["system:serviceaccounts","system:serviceaccounts:maas-admin","system:authenticated"],"groups_str":"system:serviceaccounts,system:serviceaccounts:maas-admin,system:authenticated","keyId":"e7cc8fd9-5e70-4bc5-8e02-c1a3f9a0a63a","selected_subscription":"simulator-subscription","selected_subscription_key":"models-as-a-service/simulator-subscription@llm/facebook-opt-125m-simulated","subscription_error":"","subscription_error_message":"","subscription_info":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","namespace":"llm","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true},"userid":"system:serviceaccount:maas-admin:tester-admin-user"}} {"level":"info","ts":"2026-05-25T11:25:15Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"8b897426-bf06-49fb-a0aa-ffeb37f0067b","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-05-25T11:25:15Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"8b897426-bf06-49fb-a0aa-ffeb37f0067b","authorized":true,"response":"OK"} {"level":"info","ts":"2026-05-25T11:25:15Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"0c14fdb8-dc47-4054-aaf6-f2acb19b2682","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"100.64.0.3:46376","PortSpecifier":{"PortValue":46376}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.27:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"0c14fdb8-dc47-4054-aaf6-f2acb19b2682","method":"POST","path":"/llm/facebook-opt-125m-simulated/v1/chat/completions","host":"maas.apps.f079999e-d19a-4ad0-b905-3c6ed0480c51.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-05-25T11:25:15Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"0c14fdb8-dc47-4054-aaf6-f2acb19b2682","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"100.64.0.3:46376","PortSpecifier":{"PortValue":46376}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.27:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1779708315,"nanos":864061214},"http":{"id":"0c14fdb8-dc47-4054-aaf6-f2acb19b2682","method":"POST","headers":{":authority":"maas.apps.f079999e-d19a-4ad0-b905-3c6ed0480c51.prod.konfluxeaas.com",":method":"POST",":path":"/llm/facebook-opt-125m-simulated/v1/chat/completions",":scheme":"https","accept":"*/*","content-length":"100","content-type":"application/json","user-agent":"curl/7.76.1","x-envoy-decorator-operation":"facebook-opt-125m-simulated-kserve-workload-svc.llm.svc.cluster.local:8000/*","x-envoy-external-address":"100.64.0.3","x-envoy-peer-metadata":"ChoKCkNMVVNURVJfSUQSDBoKS3ViZXJuZXRlcwqLAQoGTEFCRUxTEoABKn4KSwofc2VydmljZS5pc3Rpby5pby9jYW5vbmljYWwtbmFtZRIoGiZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAovCiNzZXJ2aWNlLmlzdGlvLmlvL2Nhbm9uaWNhbC1yZXZpc2lvbhIIGgZsYXRlc3QKQQoETkFNRRI5GjdtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdC03ZDZmNDQ3Y2Y1LXdsdzR4CiAKCU5BTUVTUEFDRRITGhFvcGVuc2hpZnQtaW5ncmVzcwp0CgVPV05FUhJrGmlrdWJlcm5ldGVzOi8vYXBpcy9hcHBzL3YxL25hbWVzcGFjZXMvb3BlbnNoaWZ0LWluZ3Jlc3MvZGVwbG95bWVudHMvbWFhcy1kZWZhdWx0LWdhdGV3YXktb3BlbnNoaWZ0LWRlZmF1bHQKOQoNV09SS0xPQURfTkFNRRIoGiZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdA==","x-envoy-peer-metadata-id":"router~10.133.0.27~maas-default-gateway-openshift-default-7d6f447cf5-wlw4x.openshift-ingress~openshift-ingress.svc.cluster.local","x-forwarded-for":"100.64.0.3","x-forwarded-proto":"https","x-request-id":"0c14fdb8-dc47-4054-aaf6-f2acb19b2682"},"path":"/llm/facebook-opt-125m-simulated/v1/chat/completions","host":"maas.apps.f079999e-d19a-4ad0-b905-3c6ed0480c51.prod.konfluxeaas.com","scheme":"https","protocol":"HTTP/2"}},"context_extensions":{"host":"5aa0fd746a1cbe4557cf771f0b5f5c4020da5a6444c58d701a6d039232d7faab"},"metadata_context":{}}} {"level":"info","ts":"2026-05-25T11:25:15Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"0c14fdb8-dc47-4054-aaf6-f2acb19b2682","authorized":false,"response":"UNAUTHENTICATED","object":{"code":16,"status":401,"message":"Authentication required"}} {"level":"debug","ts":"2026-05-25T11:25:15Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"0c14fdb8-dc47-4054-aaf6-f2acb19b2682","authorized":false,"response":"UNAUTHENTICATED","object":{"code":16,"status":401,"message":"Authentication required","headers":[{"WWW-Authenticate":"request.headers.authorization realm=\"api-keys\""},{"WWW-Authenticate":"Bearer **** {"level":"info","ts":"2026-05-25T11:25:15Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"555baffa-d6f8-407d-9094-adc7f6f6cd6a","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"100.64.0.3:63740","PortSpecifier":{"PortValue":63740}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.27:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"555baffa-d6f8-407d-9094-adc7f6f6cd6a","method":"DELETE","path":"/maas-api/v1/api-keys/e7cc8fd9-5e70-4bc5-8e02-c1a3f9a0a63a","host":"maas.apps.f079999e-d19a-4ad0-b905-3c6ed0480c51.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-05-25T11:25:15Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"555baffa-d6f8-407d-9094-adc7f6f6cd6a","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"100.64.0.3:63740","PortSpecifier":{"PortValue":63740}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.27:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1779708315,"nanos":888392097},"http":{"id":"555baffa-d6f8-407d-9094-adc7f6f6cd6a","method":"DELETE","headers":{":authority":"maas.apps.f079999e-d19a-4ad0-b905-3c6ed0480c51.prod.konfluxeaas.com",":method":"DELETE",":path":"/maas-api/v1/api-keys/e7cc8fd9-5e70-4bc5-8e02-c1a3f9a0a63a",":scheme":"https","accept":"*/*","authorization":"Bearer **** {"level":"debug","ts":"2026-05-25T11:25:15Z","logger":"authorino.service.auth.authpipeline.identity.kubernetesauth","msg":"calling kubernetes token review api","request id":"555baffa-d6f8-407d-9094-adc7f6f6cd6a","tokenreview":{"name":""}} {"level":"debug","ts":"2026-05-25T11:25:15Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"555baffa-d6f8-407d-9094-adc7f6f6cd6a","config":{"Name":"openshift-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":null,"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"authenticated":true,"user":{"username":"system:serviceaccount:maas-admin:tester-admin-user","uid":"0a4a04de-93e2-4732-835b-3f9d7da0c386","groups":["system:serviceaccounts","system:serviceaccounts:maas-admin","system:authenticated"],"extra":{"authentication.kubernetes.io/credential-id":["JTI=e2ea20db-4140-4656-9ec5-8c1f5aa48d4b"]}},"audiences":["https://prod-eaas-bucket.s3.us-east-1.amazonaws.com/3c6ed0480c51"]}} {"level":"debug","ts":"2026-05-25T11:25:15Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"555baffa-d6f8-407d-9094-adc7f6f6cd6a","input":{"auth":{"identity":{"audiences":["https://prod-eaas-bucket.s3.us-east-1.amazonaws.com/3c6ed0480c51"],"authenticated":true,"user":{"extra":{"authentication.kubernetes.io/credential-id":["JTI=e2ea20db-4140-4656-9ec5-8c1f5aa48d4b"]},"groups":["system:serviceaccounts","system:serviceaccounts:maas-admin","system:authenticated"],"uid":"0a4a04de-93e2-4732-835b-3f9d7da0c386","username":"system:serviceaccount:maas-admin:tester-admin-user"}}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.133.0.27:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.f079999e-d19a-4ad0-b905-3c6ed0480c51.prod.konfluxeaas.com",":method":"DELETE",":path":"/maas-api/v1/api-keys/e7cc8fd9-5e70-4bc5-8e02-c1a3f9a0a63a",":scheme":"https","accept":"*/*","authorization":"Bearer **** ****REDACTED_JWT****","user-agent":"curl/7.76.1","x-envoy-decorator-operation":"maas-api.opendatahub.svc.cluster.local:8443/*","x-envoy-external-address":"100.64.0.3","x-envoy-peer-metadata":"ChoKCkNMVVNURVJfSUQSDBoKS3ViZXJuZXRlcwqLAQoGTEFCRUxTEoABKn4KSwofc2VydmljZS5pc3Rpby5pby9jYW5vbmljYWwtbmFtZRIoGiZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAovCiNzZXJ2aWNlLmlzdGlvLmlvL2Nhbm9uaWNhbC1yZXZpc2lvbhIIGgZsYXRlc3QKQQoETkFNRRI5GjdtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdC03ZDZmNDQ3Y2Y1LXdsdzR4CiAKCU5BTUVTUEFDRRITGhFvcGVuc2hpZnQtaW5ncmVzcwp0CgVPV05FUhJrGmlrdWJlcm5ldGVzOi8vYXBpcy9hcHBzL3YxL25hbWVzcGFjZXMvb3BlbnNoaWZ0LWluZ3Jlc3MvZGVwbG95bWVudHMvbWFhcy1kZWZhdWx0LWdhdGV3YXktb3BlbnNoaWZ0LWRlZmF1bHQKOQoNV09SS0xPQURfTkFNRRIoGiZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdA==","x-envoy-peer-metadata-id":"router~10.133.0.27~maas-default-gateway-openshift-default-7d6f447cf5-wlw4x.openshift-ingress~openshift-ingress.svc.cluster.local","x-forwarded-for":"100.64.0.3","x-forwarded-proto":"https","x-request-id":"555baffa-d6f8-407d-9094-adc7f6f6cd6a"},"host":"maas.apps.f079999e-d19a-4ad0-b905-3c6ed0480c51.prod.konfluxeaas.com","id":"555baffa-d6f8-407d-9094-adc7f6f6cd6a","method":"DELETE","path":"/maas-api/v1/api-keys/e7cc8fd9-5e70-4bc5-8e02-c1a3f9a0a63a","protocol":"HTTP/2","scheme":"https","time":{"nanos":888392097,"seconds":1779708315},"url_path":"/maas-api/v1/api-keys/e7cc8fd9-5e70-4bc5-8e02-c1a3f9a0a63a","user_agent":"curl/7.76.1"},"source":{"address":"100.64.0.3:63740","port":63740}}} {"level":"debug","ts":"2026-05-25T11:25:15Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"555baffa-d6f8-407d-9094-adc7f6f6cd6a","config":{"Name":"X-MaaS-Group-OC","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{"Static":null,"Pattern":"auth.identity.user.groups.@tostr"}}},"object":"[\"system:serviceaccounts\",\"system:serviceaccounts:maas-admin\",\"system:authenticated\"]"} {"level":"debug","ts":"2026-05-25T11:25:15Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"555baffa-d6f8-407d-9094-adc7f6f6cd6a","config":{"Name":"X-MaaS-Username-OC","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{"Static":null,"Pattern":"auth.identity.user.username"}}},"object":"system:serviceaccount:maas-admin:tester-admin-user"} {"level":"info","ts":"2026-05-25T11:25:15Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"555baffa-d6f8-407d-9094-adc7f6f6cd6a","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-05-25T11:25:15Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"555baffa-d6f8-407d-9094-adc7f6f6cd6a","authorized":true,"response":"OK"}