{"level":"info","ts":"2026-06-11T15:59:53Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/86cbb62fb4d82d4dc402b3281444539a5625c4bb4c86bbc4912c70e690a2e374"}
{"level":"debug","ts":"2026-06-11T15:59:54Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"7371c34ce8e4df2309ee8f952c87f921947b289427b6e9ea579dcb9970fc1b86","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"False","lastTransitionTime":"2026-06-11T15:59:54Z","reason":"HostsNotLinked","message":"No hosts linked to the resource"},{"type":"Ready","status":"False","lastTransitionTime":"2026-06-11T15:59:54Z","reason":"Reconciling"}],"summary":{"ready":false,"hostsReady":[],"numHostsReady":"0/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":6,"festivalWristbandEnabled":false}}}
{"level":"debug","ts":"2026-06-11T15:59:54Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/7371c34ce8e4df2309ee8f952c87f921947b289427b6e9ea579dcb9970fc1b86","issuerUrl":"https://keycloak.apps.0fa2c7de-5e3d-4367-9d71-0b0771b1c7ed.prod.konfluxeaas.com/realms/tenant-a"}
{"level":"info","ts":"2026-06-11T15:59:54Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"7371c34ce8e4df2309ee8f952c87f921947b289427b6e9ea579dcb9970fc1b86","namespace":"kuadrant-system"}}
{"level":"debug","ts":"2026-06-11T15:59:54Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"7371c34ce8e4df2309ee8f952c87f921947b289427b6e9ea579dcb9970fc1b86","namespace":"kuadrant-system"}}
{"level":"info","ts":"2026-06-11T15:59:54Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/7371c34ce8e4df2309ee8f952c87f921947b289427b6e9ea579dcb9970fc1b86"}
{"level":"debug","ts":"2026-06-11T15:59:54Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"7371c34ce8e4df2309ee8f952c87f921947b289427b6e9ea579dcb9970fc1b86","namespace":"kuadrant-system"}}
{"level":"debug","ts":"2026-06-11T15:59:54Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/7371c34ce8e4df2309ee8f952c87f921947b289427b6e9ea579dcb9970fc1b86","issuerUrl":"https://keycloak.apps.0fa2c7de-5e3d-4367-9d71-0b0771b1c7ed.prod.konfluxeaas.com/realms/tenant-a"}
{"level":"info","ts":"2026-06-11T15:59:54Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/7371c34ce8e4df2309ee8f952c87f921947b289427b6e9ea579dcb9970fc1b86"}
{"level":"debug","ts":"2026-06-11T15:59:54Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"7371c34ce8e4df2309ee8f952c87f921947b289427b6e9ea579dcb9970fc1b86","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"True","lastTransitionTime":"2026-06-11T15:59:54Z","reason":"HostsLinked"},{"type":"Ready","status":"True","lastTransitionTime":"2026-06-11T15:59:54Z","reason":"Reconciled"}],"summary":{"ready":true,"hostsReady":["7371c34ce8e4df2309ee8f952c87f921947b289427b6e9ea579dcb9970fc1b86"],"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":6,"festivalWristbandEnabled":false}}}
{"level":"info","ts":"2026-06-11T15:59:54Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"7371c34ce8e4df2309ee8f952c87f921947b289427b6e9ea579dcb9970fc1b86","namespace":"kuadrant-system"}}
{"level":"debug","ts":"2026-06-11T15:59:54Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"7371c34ce8e4df2309ee8f952c87f921947b289427b6e9ea579dcb9970fc1b86","namespace":"kuadrant-system"}}
{"level":"debug","ts":"2026-06-11T15:59:54Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/7371c34ce8e4df2309ee8f952c87f921947b289427b6e9ea579dcb9970fc1b86","issuerUrl":"https://keycloak.apps.0fa2c7de-5e3d-4367-9d71-0b0771b1c7ed.prod.konfluxeaas.com/realms/tenant-a"}
{"level":"info","ts":"2026-06-11T15:59:54Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/7371c34ce8e4df2309ee8f952c87f921947b289427b6e9ea579dcb9970fc1b86"}
{"level":"debug","ts":"2026-06-11T15:59:54Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"c9f2cdb36f800bc8ef8831e6117ec4c6cc521d8cd63b718b7906225d0f25e59f","namespace":"kuadrant-system"}}
{"level":"debug","ts":"2026-06-11T15:59:54Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/c9f2cdb36f800bc8ef8831e6117ec4c6cc521d8cd63b718b7906225d0f25e59f","issuerUrl":"https://keycloak.apps.0fa2c7de-5e3d-4367-9d71-0b0771b1c7ed.prod.konfluxeaas.com/realms/tenant-a"}
{"level":"debug","ts":"2026-06-11T15:59:54Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"3c0d47082320c9bb02d3788ab2b052c696af91abc2ae438437ae71a26936c7c2","namespace":"kuadrant-system"}}
{"level":"info","ts":"2026-06-11T15:59:54Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/c9f2cdb36f800bc8ef8831e6117ec4c6cc521d8cd63b718b7906225d0f25e59f"}
{"level":"debug","ts":"2026-06-11T15:59:54Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/3c0d47082320c9bb02d3788ab2b052c696af91abc2ae438437ae71a26936c7c2","issuerUrl":"https://keycloak.apps.0fa2c7de-5e3d-4367-9d71-0b0771b1c7ed.prod.konfluxeaas.com/realms/tenant-a"}
{"level":"debug","ts":"2026-06-11T15:59:54Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"331dc257e65f55f80700a586f7807093eda7b3d8e7d91215dc3c47731508480c","namespace":"kuadrant-system"}}
{"level":"info","ts":"2026-06-11T15:59:54Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/3c0d47082320c9bb02d3788ab2b052c696af91abc2ae438437ae71a26936c7c2"}
{"level":"debug","ts":"2026-06-11T15:59:54Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/331dc257e65f55f80700a586f7807093eda7b3d8e7d91215dc3c47731508480c","issuerUrl":"https://keycloak.apps.0fa2c7de-5e3d-4367-9d71-0b0771b1c7ed.prod.konfluxeaas.com/realms/tenant-a"}
{"level":"debug","ts":"2026-06-11T15:59:54Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"a89b0896df0d8cd430f1c81b6eb292ddc044daed393537d009a6330718f58d4b","namespace":"kuadrant-system"}}
{"level":"info","ts":"2026-06-11T15:59:54Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/331dc257e65f55f80700a586f7807093eda7b3d8e7d91215dc3c47731508480c"}
{"level":"debug","ts":"2026-06-11T15:59:54Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/a89b0896df0d8cd430f1c81b6eb292ddc044daed393537d009a6330718f58d4b","issuerUrl":"https://keycloak.apps.0fa2c7de-5e3d-4367-9d71-0b0771b1c7ed.prod.konfluxeaas.com/realms/tenant-a"}
{"level":"info","ts":"2026-06-11T15:59:54Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/a89b0896df0d8cd430f1c81b6eb292ddc044daed393537d009a6330718f58d4b"}
{"level":"debug","ts":"2026-06-11T15:59:54Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"d3b195a61a7f24c6bf1fba40f9f2e2565facb6af92e959c1546ac398a9172618","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"False","lastTransitionTime":"2026-06-11T15:59:54Z","reason":"HostsNotLinked","message":"No hosts linked to the resource"},{"type":"Ready","status":"False","lastTransitionTime":"2026-06-11T15:59:54Z","reason":"Reconciling"}],"summary":{"ready":false,"hostsReady":[],"numHostsReady":"0/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":6,"festivalWristbandEnabled":false}}}
{"level":"debug","ts":"2026-06-11T15:59:54Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/d3b195a61a7f24c6bf1fba40f9f2e2565facb6af92e959c1546ac398a9172618","issuerUrl":"https://keycloak.apps.0fa2c7de-5e3d-4367-9d71-0b0771b1c7ed.prod.konfluxeaas.com/realms/tenant-a"}
{"level":"info","ts":"2026-06-11T15:59:54Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"d3b195a61a7f24c6bf1fba40f9f2e2565facb6af92e959c1546ac398a9172618","namespace":"kuadrant-system"}}
{"level":"debug","ts":"2026-06-11T15:59:54Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"d3b195a61a7f24c6bf1fba40f9f2e2565facb6af92e959c1546ac398a9172618","namespace":"kuadrant-system"}}
{"level":"info","ts":"2026-06-11T15:59:54Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/d3b195a61a7f24c6bf1fba40f9f2e2565facb6af92e959c1546ac398a9172618"}
{"level":"debug","ts":"2026-06-11T15:59:54Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"d3b195a61a7f24c6bf1fba40f9f2e2565facb6af92e959c1546ac398a9172618","namespace":"kuadrant-system"}}
{"level":"debug","ts":"2026-06-11T15:59:54Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"3dd75e19cd66d310c30638e330078972afd6d2d96305f91055bc6a6f363fb8d3","namespace":"kuadrant-system"}}
{"level":"debug","ts":"2026-06-11T15:59:54Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/d3b195a61a7f24c6bf1fba40f9f2e2565facb6af92e959c1546ac398a9172618","issuerUrl":"https://keycloak.apps.0fa2c7de-5e3d-4367-9d71-0b0771b1c7ed.prod.konfluxeaas.com/realms/tenant-a"}
{"level":"debug","ts":"2026-06-11T15:59:54Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d","namespace":"kuadrant-system"}}
{"level":"debug","ts":"2026-06-11T15:59:54Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"d3b195a61a7f24c6bf1fba40f9f2e2565facb6af92e959c1546ac398a9172618","namespace":"kuadrant-system"}}
{"level":"info","ts":"2026-06-11T15:59:54Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/d3b195a61a7f24c6bf1fba40f9f2e2565facb6af92e959c1546ac398a9172618"}
{"level":"debug","ts":"2026-06-11T15:59:54Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/3dd75e19cd66d310c30638e330078972afd6d2d96305f91055bc6a6f363fb8d3","issuerUrl":"https://keycloak.apps.0fa2c7de-5e3d-4367-9d71-0b0771b1c7ed.prod.konfluxeaas.com/realms/tenant-a"}
{"level":"debug","ts":"2026-06-11T15:59:54Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5","namespace":"kuadrant-system"}}
{"level":"debug","ts":"2026-06-11T15:59:54Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"bf72a6316f6ed79299511e58d068836cdc71dbca5e23944f783c9340ffa0aee1","namespace":"kuadrant-system"}}
{"level":"info","ts":"2026-06-11T15:59:54Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/3dd75e19cd66d310c30638e330078972afd6d2d96305f91055bc6a6f363fb8d3"}
{"level":"debug","ts":"2026-06-11T15:59:54Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d","issuerUrl":"https://keycloak.apps.0fa2c7de-5e3d-4367-9d71-0b0771b1c7ed.prod.konfluxeaas.com/realms/tenant-a"}
{"level":"debug","ts":"2026-06-11T15:59:54Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"d3b195a61a7f24c6bf1fba40f9f2e2565facb6af92e959c1546ac398a9172618","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"True","lastTransitionTime":"2026-06-11T15:59:54Z","reason":"HostsLinked"},{"type":"Ready","status":"True","lastTransitionTime":"2026-06-11T15:59:54Z","reason":"Reconciled"}],"summary":{"ready":true,"hostsReady":["d3b195a61a7f24c6bf1fba40f9f2e2565facb6af92e959c1546ac398a9172618"],"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":6,"festivalWristbandEnabled":false}}}
{"level":"info","ts":"2026-06-11T15:59:54Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"d3b195a61a7f24c6bf1fba40f9f2e2565facb6af92e959c1546ac398a9172618","namespace":"kuadrant-system"}}
{"level":"debug","ts":"2026-06-11T15:59:54Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"cc09b530b46a73b0d4ddb40e465580cff15db19d77e93e4903c9737647deeb1a","namespace":"kuadrant-system"}}
{"level":"debug","ts":"2026-06-11T15:59:54Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"d3b195a61a7f24c6bf1fba40f9f2e2565facb6af92e959c1546ac398a9172618","namespace":"kuadrant-system"}}
{"level":"info","ts":"2026-06-11T15:59:54Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"}
{"level":"debug","ts":"2026-06-11T15:59:54Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5","issuerUrl":"https://keycloak.apps.0fa2c7de-5e3d-4367-9d71-0b0771b1c7ed.prod.konfluxeaas.com/realms/tenant-a"}
{"level":"debug","ts":"2026-06-11T15:59:54Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"319a353672fc7601c875fa3f8b807adf60b64f093f022b2a1c3dfef3ac8cd4f4","namespace":"kuadrant-system"}}
{"level":"info","ts":"2026-06-11T15:59:54Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5"}
{"level":"debug","ts":"2026-06-11T15:59:54Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/bf72a6316f6ed79299511e58d068836cdc71dbca5e23944f783c9340ffa0aee1","issuerUrl":"https://keycloak.apps.0fa2c7de-5e3d-4367-9d71-0b0771b1c7ed.prod.konfluxeaas.com/realms/tenant-a"}
{"level":"debug","ts":"2026-06-11T15:59:54Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"311b1be286674fd5684c9ac59b318287dade9769cfe4aeebd8c88e2dc6b72418","namespace":"kuadrant-system"}}
{"level":"info","ts":"2026-06-11T15:59:54Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/bf72a6316f6ed79299511e58d068836cdc71dbca5e23944f783c9340ffa0aee1"}
{"level":"debug","ts":"2026-06-11T15:59:54Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/cc09b530b46a73b0d4ddb40e465580cff15db19d77e93e4903c9737647deeb1a","issuerUrl":"https://keycloak.apps.0fa2c7de-5e3d-4367-9d71-0b0771b1c7ed.prod.konfluxeaas.com/realms/tenant-a"}
{"level":"debug","ts":"2026-06-11T15:59:54Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"edcceb5a2e0cf1edde0fc3ed43068ce5b123a6fdc41949959c2c3b7a5a48bf24","namespace":"kuadrant-system"}}
{"level":"info","ts":"2026-06-11T15:59:54Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/cc09b530b46a73b0d4ddb40e465580cff15db19d77e93e4903c9737647deeb1a"}
{"level":"debug","ts":"2026-06-11T15:59:54Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/d3b195a61a7f24c6bf1fba40f9f2e2565facb6af92e959c1546ac398a9172618","issuerUrl":"https://keycloak.apps.0fa2c7de-5e3d-4367-9d71-0b0771b1c7ed.prod.konfluxeaas.com/realms/tenant-a"}
{"level":"debug","ts":"2026-06-11T15:59:54Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"18e32965997cdd9967355c6fa5264ed12c0a215989d459ed88d7d6de02865f76","namespace":"kuadrant-system"}}
{"level":"info","ts":"2026-06-11T15:59:54Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/d3b195a61a7f24c6bf1fba40f9f2e2565facb6af92e959c1546ac398a9172618"}
{"level":"debug","ts":"2026-06-11T15:59:54Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/319a353672fc7601c875fa3f8b807adf60b64f093f022b2a1c3dfef3ac8cd4f4","issuerUrl":"https://keycloak.apps.0fa2c7de-5e3d-4367-9d71-0b0771b1c7ed.prod.konfluxeaas.com/realms/tenant-a"}
{"level":"debug","ts":"2026-06-11T15:59:54Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"01918e70442d2cb18c94316131b0e0a241b4a5d12df5b1e1981a3bef420bbdb5","namespace":"kuadrant-system"}}
{"level":"info","ts":"2026-06-11T15:59:54Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/319a353672fc7601c875fa3f8b807adf60b64f093f022b2a1c3dfef3ac8cd4f4"}
{"level":"debug","ts":"2026-06-11T15:59:54Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/311b1be286674fd5684c9ac59b318287dade9769cfe4aeebd8c88e2dc6b72418","issuerUrl":"https://keycloak.apps.0fa2c7de-5e3d-4367-9d71-0b0771b1c7ed.prod.konfluxeaas.com/realms/tenant-a"}
{"level":"debug","ts":"2026-06-11T15:59:54Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"3dc75fc8307b952a3e873400cf417e90f2861e8a225abec4b22708deb7901db7","namespace":"kuadrant-system"}}
{"level":"info","ts":"2026-06-11T15:59:54Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/311b1be286674fd5684c9ac59b318287dade9769cfe4aeebd8c88e2dc6b72418"}
{"level":"debug","ts":"2026-06-11T15:59:54Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/edcceb5a2e0cf1edde0fc3ed43068ce5b123a6fdc41949959c2c3b7a5a48bf24","issuerUrl":"https://keycloak.apps.0fa2c7de-5e3d-4367-9d71-0b0771b1c7ed.prod.konfluxeaas.com/realms/tenant-a"}
{"level":"debug","ts":"2026-06-11T15:59:54Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"e38d76c6f386f12bc12190c87b39e6e77e182be454f85659a9197c301f2cd9be","namespace":"kuadrant-system"}}
{"level":"info","ts":"2026-06-11T15:59:54Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/edcceb5a2e0cf1edde0fc3ed43068ce5b123a6fdc41949959c2c3b7a5a48bf24"}
{"level":"debug","ts":"2026-06-11T15:59:54Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/18e32965997cdd9967355c6fa5264ed12c0a215989d459ed88d7d6de02865f76","issuerUrl":"https://keycloak.apps.0fa2c7de-5e3d-4367-9d71-0b0771b1c7ed.prod.konfluxeaas.com/realms/tenant-a"}
{"level":"debug","ts":"2026-06-11T15:59:54Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"35d34d59676c333235d7c9f02273e0380bb39f27cfd30856fedc0f7c0e5f79aa","namespace":"kuadrant-system"}}
{"level":"info","ts":"2026-06-11T15:59:54Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/18e32965997cdd9967355c6fa5264ed12c0a215989d459ed88d7d6de02865f76"}
{"level":"debug","ts":"2026-06-11T15:59:54Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"4dc577fd60594d78a4a8bebe396f4b5a928f41bdc3f95c06d717cf1ddc3158b2","namespace":"kuadrant-system"}}
{"level":"debug","ts":"2026-06-11T15:59:54Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/01918e70442d2cb18c94316131b0e0a241b4a5d12df5b1e1981a3bef420bbdb5","issuerUrl":"https://keycloak.apps.0fa2c7de-5e3d-4367-9d71-0b0771b1c7ed.prod.konfluxeaas.com/realms/tenant-a"}
{"level":"debug","ts":"2026-06-11T15:59:54Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"b1f82c4ba6cc7617f9c0b90067f72f4a25fdc5de2564c14ccb90af534a2905f6","namespace":"kuadrant-system"}}
{"level":"info","ts":"2026-06-11T15:59:54Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/01918e70442d2cb18c94316131b0e0a241b4a5d12df5b1e1981a3bef420bbdb5"}
{"level":"debug","ts":"2026-06-11T15:59:54Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/3dc75fc8307b952a3e873400cf417e90f2861e8a225abec4b22708deb7901db7","issuerUrl":"https://keycloak.apps.0fa2c7de-5e3d-4367-9d71-0b0771b1c7ed.prod.konfluxeaas.com/realms/tenant-a"}
{"level":"debug","ts":"2026-06-11T15:59:54Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"5fea747cb803a5ee3aeb620187bd9ec74ccccd10a92474ef528215a7ff146c8f","namespace":"kuadrant-system"}}
{"level":"info","ts":"2026-06-11T15:59:54Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/3dc75fc8307b952a3e873400cf417e90f2861e8a225abec4b22708deb7901db7"}
{"level":"debug","ts":"2026-06-11T15:59:54Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"80f10756c0e833d16937036ed66f1daf5bef95559ef05a5e852766b97b9bdaef","namespace":"kuadrant-system"}}
{"level":"debug","ts":"2026-06-11T15:59:54Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/e38d76c6f386f12bc12190c87b39e6e77e182be454f85659a9197c301f2cd9be","issuerUrl":"https://keycloak.apps.0fa2c7de-5e3d-4367-9d71-0b0771b1c7ed.prod.konfluxeaas.com/realms/tenant-a"}
{"level":"debug","ts":"2026-06-11T15:59:54Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"e50f5fdcb9fb7e124557afe69edae9a95d05da488eae1cc4b5c1c7c1220a826a","namespace":"kuadrant-system"}}
{"level":"info","ts":"2026-06-11T15:59:54Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/e38d76c6f386f12bc12190c87b39e6e77e182be454f85659a9197c301f2cd9be"}
{"level":"debug","ts":"2026-06-11T15:59:54Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/35d34d59676c333235d7c9f02273e0380bb39f27cfd30856fedc0f7c0e5f79aa","issuerUrl":"https://keycloak.apps.0fa2c7de-5e3d-4367-9d71-0b0771b1c7ed.prod.konfluxeaas.com/realms/tenant-a"}
{"level":"debug","ts":"2026-06-11T15:59:54Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"9bbfc0b2e9e9acadd41342cd7c36a24afa8a5eef942d161782a6adae8411158a","namespace":"kuadrant-system"}}
{"level":"info","ts":"2026-06-11T15:59:54Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/35d34d59676c333235d7c9f02273e0380bb39f27cfd30856fedc0f7c0e5f79aa"}
{"level":"debug","ts":"2026-06-11T15:59:54Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/4dc577fd60594d78a4a8bebe396f4b5a928f41bdc3f95c06d717cf1ddc3158b2","issuerUrl":"https://keycloak.apps.0fa2c7de-5e3d-4367-9d71-0b0771b1c7ed.prod.konfluxeaas.com/realms/tenant-a"}
{"level":"debug","ts":"2026-06-11T15:59:54Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"df733b2c652bfe2458c9e19932b1091e939c1a62178d6879462b3b4f73fca4bb","namespace":"kuadrant-system"}}
{"level":"info","ts":"2026-06-11T15:59:54Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/4dc577fd60594d78a4a8bebe396f4b5a928f41bdc3f95c06d717cf1ddc3158b2"}
{"level":"debug","ts":"2026-06-11T15:59:54Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/b1f82c4ba6cc7617f9c0b90067f72f4a25fdc5de2564c14ccb90af534a2905f6","issuerUrl":"https://keycloak.apps.0fa2c7de-5e3d-4367-9d71-0b0771b1c7ed.prod.konfluxeaas.com/realms/tenant-a"}
{"level":"info","ts":"2026-06-11T15:59:54Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/b1f82c4ba6cc7617f9c0b90067f72f4a25fdc5de2564c14ccb90af534a2905f6"}
{"level":"debug","ts":"2026-06-11T15:59:54Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/5fea747cb803a5ee3aeb620187bd9ec74ccccd10a92474ef528215a7ff146c8f","issuerUrl":"https://keycloak.apps.0fa2c7de-5e3d-4367-9d71-0b0771b1c7ed.prod.konfluxeaas.com/realms/tenant-a"}
{"level":"info","ts":"2026-06-11T15:59:54Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/5fea747cb803a5ee3aeb620187bd9ec74ccccd10a92474ef528215a7ff146c8f"}
{"level":"debug","ts":"2026-06-11T15:59:54Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/80f10756c0e833d16937036ed66f1daf5bef95559ef05a5e852766b97b9bdaef","issuerUrl":"https://keycloak.apps.0fa2c7de-5e3d-4367-9d71-0b0771b1c7ed.prod.konfluxeaas.com/realms/tenant-a"}
{"level":"info","ts":"2026-06-11T15:59:54Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/80f10756c0e833d16937036ed66f1daf5bef95559ef05a5e852766b97b9bdaef"}
{"level":"debug","ts":"2026-06-11T15:59:54Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/e50f5fdcb9fb7e124557afe69edae9a95d05da488eae1cc4b5c1c7c1220a826a","issuerUrl":"https://keycloak.apps.0fa2c7de-5e3d-4367-9d71-0b0771b1c7ed.prod.konfluxeaas.com/realms/tenant-a"}
{"level":"info","ts":"2026-06-11T15:59:54Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/e50f5fdcb9fb7e124557afe69edae9a95d05da488eae1cc4b5c1c7c1220a826a"}
{"level":"debug","ts":"2026-06-11T15:59:54Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/9bbfc0b2e9e9acadd41342cd7c36a24afa8a5eef942d161782a6adae8411158a","issuerUrl":"https://keycloak.apps.0fa2c7de-5e3d-4367-9d71-0b0771b1c7ed.prod.konfluxeaas.com/realms/tenant-a"}
{"level":"info","ts":"2026-06-11T15:59:54Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/9bbfc0b2e9e9acadd41342cd7c36a24afa8a5eef942d161782a6adae8411158a"}
{"level":"debug","ts":"2026-06-11T15:59:54Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/df733b2c652bfe2458c9e19932b1091e939c1a62178d6879462b3b4f73fca4bb","issuerUrl":"https://keycloak.apps.0fa2c7de-5e3d-4367-9d71-0b0771b1c7ed.prod.konfluxeaas.com/realms/tenant-a"}
{"level":"info","ts":"2026-06-11T15:59:54Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/df733b2c652bfe2458c9e19932b1091e939c1a62178d6879462b3b4f73fca4bb"}
{"level":"info","ts":"2026-06-11T15:59:54Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource de-indexed","authconfig":"kuadrant-system/2200947db0f3acc41dd3fca21efa06f90c57afddd36d719bdda2dc74a0bd0a11"}
{"level":"info","ts":"2026-06-11T15:59:54Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource de-indexed","authconfig":"kuadrant-system/3efb8e937aa19b5e0bdd0c3eb5b4ece33299385dcfc89205b8934853facbdcf0"}
{"level":"info","ts":"2026-06-11T16:00:22Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"86dc84e8-7bb0-46ae-bd7e-119e30a24bf3","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.15:60742","PortSpecifier":{"PortValue":60742}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.46:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"86dc84e8-7bb0-46ae-bd7e-119e30a24bf3","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.0fa2c7de-5e3d-4367-9d71-0b0771b1c7ed.prod.konfluxeaas.com","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-11T16:00:22Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"86dc84e8-7bb0-46ae-bd7e-119e30a24bf3","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.15:60742","PortSpecifier":{"PortValue":60742}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.46:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781193622,"nanos":332148074},"http":{"id":"86dc84e8-7bb0-46ae-bd7e-119e30a24bf3","method":"POST","headers":{":authority":"maas.apps.0fa2c7de-5e3d-4367-9d71-0b0771b1c7ed.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-11T16:00:22Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"86dc84e8-7bb0-46ae-bd7e-119e30a24bf3","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781193922,"groups":["Engineering","Project-Alpha"],"iat":1781193622,"iss":"https://keycloak.apps.0fa2c7de-5e3d-4367-9d71-0b0771b1c7ed.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:15632963-9031-389a-fcd1-562838eb052e","preferred_username":"alice_lead","scope":"email profile","sid":"H5DHr3tQ8QdnJ7rg1wbO8dma","sub":"f9b798af-33a9-4138-91ed-d87db85c2899","typ":"Bearer"}}
{"level":"debug","ts":"2026-06-11T16:00:22Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"86dc84e8-7bb0-46ae-bd7e-119e30a24bf3","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781193922,"groups":["Engineering","Project-Alpha"],"iat":1781193622,"iss":"https://keycloak.apps.0fa2c7de-5e3d-4367-9d71-0b0771b1c7ed.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:15632963-9031-389a-fcd1-562838eb052e","preferred_username":"alice_lead","scope":"email profile","sid":"H5DHr3tQ8QdnJ7rg1wbO8dma","sub":"f9b798af-33a9-4138-91ed-d87db85c2899","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.133.0.46:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.0fa2c7de-5e3d-4367-9d71-0b0771b1c7ed.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-11T16:00:22Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"86dc84e8-7bb0-46ae-bd7e-119e30a24bf3","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-11T16:00:22Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"86dc84e8-7bb0-46ae-bd7e-119e30a24bf3","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-11T16:00:22Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"86dc84e8-7bb0-46ae-bd7e-119e30a24bf3","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-11T16:00:22Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"86dc84e8-7bb0-46ae-bd7e-119e30a24bf3","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"groups","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"userid","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"keyId","Value":{}}]},"Plain":null},"reason":"no such key: metadata"}
{"level":"debug","ts":"2026-06-11T16:00:22Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"86dc84e8-7bb0-46ae-bd7e-119e30a24bf3","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"}
{"level":"debug","ts":"2026-06-11T16:00:22Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"86dc84e8-7bb0-46ae-bd7e-119e30a24bf3","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"}
{"level":"info","ts":"2026-06-11T16:00:22Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"86dc84e8-7bb0-46ae-bd7e-119e30a24bf3","authorized":true,"response":"OK"}
{"level":"debug","ts":"2026-06-11T16:00:22Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"86dc84e8-7bb0-46ae-bd7e-119e30a24bf3","authorized":true,"response":"OK"}
{"level":"info","ts":"2026-06-11T16:00:22Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"f3d44906-1955-421c-be2f-f86500709eaf","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.15:60754","PortSpecifier":{"PortValue":60754}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.46:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"f3d44906-1955-421c-be2f-f86500709eaf","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.0fa2c7de-5e3d-4367-9d71-0b0771b1c7ed.prod.konfluxeaas.com","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-11T16:00:22Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"f3d44906-1955-421c-be2f-f86500709eaf","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.15:60754","PortSpecifier":{"PortValue":60754}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.46:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781193622,"nanos":449315397},"http":{"id":"f3d44906-1955-421c-be2f-f86500709eaf","method":"POST","headers":{":authority":"maas.apps.0fa2c7de-5e3d-4367-9d71-0b0771b1c7ed.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-11T16:00:22Z","logger":"authorino.service.auth.authpipeline.identity","msg":"cannot validate identity","request id":"f3d44906-1955-421c-be2f-f86500709eaf","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"reason":"failed to verify signature: failed to verify id token signature"}
{"level":"debug","ts":"2026-06-11T16:00:22Z","logger":"authorino.service.auth.authpipeline.identity.kubernetesauth","msg":"calling kubernetes token review api","request id":"f3d44906-1955-421c-be2f-f86500709eaf","tokenreview":{"name":""}}
{"level":"debug","ts":"2026-06-11T16:00:22Z","logger":"authorino.service.auth.authpipeline.identity","msg":"cannot validate identity","request id":"f3d44906-1955-421c-be2f-f86500709eaf","config":{"Name":"openshift-identities","Priority":2,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":null,"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"Plain":null,"Noop":null,"ExtendedProperties":[]},"reason":"not authenticated"}
{"level":"info","ts":"2026-06-11T16:00:22Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"f3d44906-1955-421c-be2f-f86500709eaf","authorized":false,"response":"UNAUTHENTICATED","object":{"code":16,"status":401,"message":"Authentication required"}}
{"level":"debug","ts":"2026-06-11T16:00:22Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"f3d44906-1955-421c-be2f-f86500709eaf","authorized":false,"response":"UNAUTHENTICATED","object":{"code":16,"status":401,"message":"Authentication required","headers":[{"WWW-Authenticate":"request.headers.authorization realm=\"api-keys\""},{"WWW-Authenticate":"Bearer **** realm=\"openshift-identities\""}]}}
{"level":"info","ts":"2026-06-11T16:00:22Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"d79a7094-7522-4a27-8890-5509800f4ef6","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.15:60770","PortSpecifier":{"PortValue":60770}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.46:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"d79a7094-7522-4a27-8890-5509800f4ef6","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.0fa2c7de-5e3d-4367-9d71-0b0771b1c7ed.prod.konfluxeaas.com","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-11T16:00:22Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"d79a7094-7522-4a27-8890-5509800f4ef6","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.15:60770","PortSpecifier":{"PortValue":60770}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.46:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781193622,"nanos":495105950},"http":{"id":"d79a7094-7522-4a27-8890-5509800f4ef6","method":"POST","headers":{":authority":"maas.apps.0fa2c7de-5e3d-4367-9d71-0b0771b1c7ed.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer","content-length":"35","content-type":"application/json","forwarded":"for=44.212.242.249;host=maas.apps.0fa2c7de-5e3d-4367-9d71-0b0771b1c7ed.prod.konfluxeaas.com;proto=https","user-agent":"python-requests/2.32.5","x-envoy-decorator-operation":"maas-api.opendatahub.svc.cluster.local:8443/*","x-envoy-external-address":"10.132.0.15","x-envoy-peer-metadata":"ChoKCkNMVVNURVJfSUQSDBoKS3ViZXJuZXRlcwqLAQoGTEFCRUxTEoABKn4KSwofc2VydmljZS5pc3Rpby5pby9jYW5vbmljYWwtbmFtZRIoGiZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAovCiNzZXJ2aWNlLmlzdGlvLmlvL2Nhbm9uaWNhbC1yZXZpc2lvbhIIGgZsYXRlc3QKQAoETkFNRRI4GjZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdC02ODdmZjY5OTYtdGNzZGsKIAoJTkFNRVNQQUNFEhMaEW9wZW5zaGlmdC1pbmdyZXNzCnQKBU9XTkVSEmsaaWt1YmVybmV0ZXM6Ly9hcGlzL2FwcHMvdjEvbmFtZXNwYWNlcy9vcGVuc2hpZnQtaW5ncmVzcy9kZXBsb3ltZW50cy9tYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAo5Cg1XT1JLTE9BRF9OQU1FEigaJm1hYXMtZGVmYXVsdC1nYXRld2F5LW9wZW5zaGlmdC1kZWZhdWx0","x-envoy-peer-metadata-id":"router~10.133.0.46~maas-default-gateway-openshift-default-687ff6996-tcsdk.openshift-ingress~openshift-ingress.svc.cluster.local","x-forwarded-for":"44.212.242.249,10.132.0.15","x-forwarded-host":"maas.apps.0fa2c7de-5e3d-4367-9d71-0b0771b1c7ed.prod.konfluxeaas.com","x-forwarded-port":"443","x-forwarded-proto":"https","x-request-id":"d79a7094-7522-4a27-8890-5509800f4ef6"},"path":"/maas-api/v1/api-keys","host":"maas.apps.0fa2c7de-5e3d-4367-9d71-0b0771b1c7ed.prod.konfluxeaas.com","scheme":"https","protocol":"HTTP/1.1"}},"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"metadata_context":{}}}
{"level":"debug","ts":"2026-06-11T16:00:22Z","logger":"authorino.service.auth.authpipeline.identity","msg":"cannot validate identity","request id":"d79a7094-7522-4a27-8890-5509800f4ef6","config":{"Name":"openshift-identities","Priority":2,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":null,"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"Plain":null,"Noop":null,"ExtendedProperties":[]},"reason":"credential not found"}
{"level":"info","ts":"2026-06-11T16:00:22Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"d79a7094-7522-4a27-8890-5509800f4ef6","authorized":false,"response":"UNAUTHENTICATED","object":{"code":16,"status":401,"message":"Authentication required"}}
{"level":"debug","ts":"2026-06-11T16:00:22Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"d79a7094-7522-4a27-8890-5509800f4ef6","authorized":false,"response":"UNAUTHENTICATED","object":{"code":16,"status":401,"message":"Authentication required","headers":[{"WWW-Authenticate":"request.headers.authorization realm=\"api-keys\""},{"WWW-Authenticate":"Bearer **** realm=\"openshift-identities\""}]}}
{"level":"info","ts":"2026-06-11T16:00:22Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"a90291c8-bd00-4fdb-9e61-758b1cb3597b","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.15:60774","PortSpecifier":{"PortValue":60774}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.46:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"a90291c8-bd00-4fdb-9e61-758b1cb3597b","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.0fa2c7de-5e3d-4367-9d71-0b0771b1c7ed.prod.konfluxeaas.com","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-11T16:00:22Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"a90291c8-bd00-4fdb-9e61-758b1cb3597b","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.15:60774","PortSpecifier":{"PortValue":60774}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.46:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781193622,"nanos":519299910},"http":{"id":"a90291c8-bd00-4fdb-9e61-758b1cb3597b","method":"POST","headers":{":authority":"maas.apps.0fa2c7de-5e3d-4367-9d71-0b0771b1c7ed.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","content-length":"36","content-type":"application/json","forwarded":"for=44.212.242.249;host=maas.apps.0fa2c7de-5e3d-4367-9d71-0b0771b1c7ed.prod.konfluxeaas.com;proto=https","user-agent":"python-requests/2.32.5","x-envoy-decorator-operation":"maas-api.opendatahub.svc.cluster.local:8443/*","x-envoy-external-address":"10.132.0.15","x-envoy-peer-metadata":"ChoKCkNMVVNURVJfSUQSDBoKS3ViZXJuZXRlcwqLAQoGTEFCRUxTEoABKn4KSwofc2VydmljZS5pc3Rpby5pby9jYW5vbmljYWwtbmFtZRIoGiZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAovCiNzZXJ2aWNlLmlzdGlvLmlvL2Nhbm9uaWNhbC1yZXZpc2lvbhIIGgZsYXRlc3QKQAoETkFNRRI4GjZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdC02ODdmZjY5OTYtdGNzZGsKIAoJTkFNRVNQQUNFEhMaEW9wZW5zaGlmdC1pbmdyZXNzCnQKBU9XTkVSEmsaaWt1YmVybmV0ZXM6Ly9hcGlzL2FwcHMvdjEvbmFtZXNwYWNlcy9vcGVuc2hpZnQtaW5ncmVzcy9kZXBsb3ltZW50cy9tYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAo5Cg1XT1JLTE9BRF9OQU1FEigaJm1hYXMtZGVmYXVsdC1nYXRld2F5LW9wZW5zaGlmdC1kZWZhdWx0","x-envoy-peer-metadata-id":"router~10.133.0.46~maas-default-gateway-openshift-default-687ff6996-tcsdk.openshift-ingress~openshift-ingress.svc.cluster.local","x-forwarded-for":"44.212.242.249,10.132.0.15","x-forwarded-host":"maas.apps.0fa2c7de-5e3d-4367-9d71-0b0771b1c7ed.prod.konfluxeaas.com","x-forwarded-port":"443","x-forwarded-proto":"https","x-request-id":"a90291c8-bd00-4fdb-9e61-758b1cb3597b"},"path":"/maas-api/v1/api-keys","host":"maas.apps.0fa2c7de-5e3d-4367-9d71-0b0771b1c7ed.prod.konfluxeaas.com","scheme":"https","protocol":"HTTP/1.1"}},"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"metadata_context":{}}}
{"level":"info","ts":"2026-06-11T16:00:22Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"a90291c8-bd00-4fdb-9e61-758b1cb3597b","authorized":false,"response":"UNAUTHENTICATED","object":{"code":16,"status":401,"message":"Authentication required"}}
{"level":"debug","ts":"2026-06-11T16:00:22Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"a90291c8-bd00-4fdb-9e61-758b1cb3597b","authorized":false,"response":"UNAUTHENTICATED","object":{"code":16,"status":401,"message":"Authentication required","headers":[{"WWW-Authenticate":"request.headers.authorization realm=\"api-keys\""},{"WWW-Authenticate":"Bearer **** realm=\"openshift-identities\""}]}}
{"level":"info","ts":"2026-06-11T16:00:22Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"89a518a1-a90d-422e-a664-907986f95aa9","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.15:60776","PortSpecifier":{"PortValue":60776}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.46:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"89a518a1-a90d-422e-a664-907986f95aa9","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.0fa2c7de-5e3d-4367-9d71-0b0771b1c7ed.prod.konfluxeaas.com","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-11T16:00:22Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"89a518a1-a90d-422e-a664-907986f95aa9","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.15:60776","PortSpecifier":{"PortValue":60776}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.46:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781193622,"nanos":869817994},"http":{"id":"89a518a1-a90d-422e-a664-907986f95aa9","method":"POST","headers":{":authority":"maas.apps.0fa2c7de-5e3d-4367-9d71-0b0771b1c7ed.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-11T16:00:22Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"89a518a1-a90d-422e-a664-907986f95aa9","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781193922,"groups":["Site-Reliability"],"iat":1781193622,"iss":"https://keycloak.apps.0fa2c7de-5e3d-4367-9d71-0b0771b1c7ed.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:50b4eb1e-e848-1a2e-c91f-b7f20d51d7fd","preferred_username":"bob_sre","scope":"email profile","sid":"MBmpZGDxvPO9vMs50UAZK3xA","sub":"c918aeb1-3487-432f-b5a6-f0560899ab05","typ":"Bearer"}}
{"level":"debug","ts":"2026-06-11T16:00:22Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"89a518a1-a90d-422e-a664-907986f95aa9","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781193922,"groups":["Site-Reliability"],"iat":1781193622,"iss":"https://keycloak.apps.0fa2c7de-5e3d-4367-9d71-0b0771b1c7ed.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:50b4eb1e-e848-1a2e-c91f-b7f20d51d7fd","preferred_username":"bob_sre","scope":"email profile","sid":"MBmpZGDxvPO9vMs50UAZK3xA","sub":"c918aeb1-3487-432f-b5a6-f0560899ab05","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.133.0.46:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.0fa2c7de-5e3d-4367-9d71-0b0771b1c7ed.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-11T16:00:22Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"89a518a1-a90d-422e-a664-907986f95aa9","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-11T16:00:22Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"89a518a1-a90d-422e-a664-907986f95aa9","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-11T16:00:22Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"89a518a1-a90d-422e-a664-907986f95aa9","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-11T16:00:22Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"89a518a1-a90d-422e-a664-907986f95aa9","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"groups","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"userid","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"keyId","Value":{}}]},"Plain":null},"reason":"no such key: metadata"}
{"level":"debug","ts":"2026-06-11T16:00:22Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"89a518a1-a90d-422e-a664-907986f95aa9","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Site-Reliability\"]"}
{"level":"debug","ts":"2026-06-11T16:00:22Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"89a518a1-a90d-422e-a664-907986f95aa9","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"bob_sre"}
{"level":"info","ts":"2026-06-11T16:00:22Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"89a518a1-a90d-422e-a664-907986f95aa9","authorized":true,"response":"OK"}
{"level":"debug","ts":"2026-06-11T16:00:22Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"89a518a1-a90d-422e-a664-907986f95aa9","authorized":true,"response":"OK"}
{"level":"info","ts":"2026-06-11T16:00:23Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"57746ed1-66d3-4418-868c-8c3c45782498","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.15:60788","PortSpecifier":{"PortValue":60788}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.46:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"57746ed1-66d3-4418-868c-8c3c45782498","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.0fa2c7de-5e3d-4367-9d71-0b0771b1c7ed.prod.konfluxeaas.com","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-11T16:00:23Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"57746ed1-66d3-4418-868c-8c3c45782498","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.15:60788","PortSpecifier":{"PortValue":60788}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.46:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781193623,"nanos":85877663},"http":{"id":"57746ed1-66d3-4418-868c-8c3c45782498","method":"POST","headers":{":authority":"maas.apps.0fa2c7de-5e3d-4367-9d71-0b0771b1c7ed.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-11T16:00:23Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"57746ed1-66d3-4418-868c-8c3c45782498","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781193923,"groups":["Engineering","Project-Alpha"],"iat":1781193623,"iss":"https://keycloak.apps.0fa2c7de-5e3d-4367-9d71-0b0771b1c7ed.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:a78eb63f-c560-e1a2-bbf1-8ec3128aa32a","preferred_username":"alice_lead","scope":"email profile","sid":"LKlyc-pI133NNgC9sQ-w6Vp5","sub":"f9b798af-33a9-4138-91ed-d87db85c2899","typ":"Bearer"}}
{"level":"debug","ts":"2026-06-11T16:00:23Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"57746ed1-66d3-4418-868c-8c3c45782498","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781193923,"groups":["Engineering","Project-Alpha"],"iat":1781193623,"iss":"https://keycloak.apps.0fa2c7de-5e3d-4367-9d71-0b0771b1c7ed.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:a78eb63f-c560-e1a2-bbf1-8ec3128aa32a","preferred_username":"alice_lead","scope":"email profile","sid":"LKlyc-pI133NNgC9sQ-w6Vp5","sub":"f9b798af-33a9-4138-91ed-d87db85c2899","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.133.0.46:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.0fa2c7de-5e3d-4367-9d71-0b0771b1c7ed.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-11T16:00:23Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"57746ed1-66d3-4418-868c-8c3c45782498","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-11T16:00:23Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"57746ed1-66d3-4418-868c-8c3c45782498","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-11T16:00:23Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"57746ed1-66d3-4418-868c-8c3c45782498","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-11T16:00:23Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"57746ed1-66d3-4418-868c-8c3c45782498","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"groups","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"userid","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"keyId","Value":{}}]},"Plain":null},"reason":"no such key: metadata"}
{"level":"debug","ts":"2026-06-11T16:00:23Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"57746ed1-66d3-4418-868c-8c3c45782498","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"}
{"level":"debug","ts":"2026-06-11T16:00:23Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"57746ed1-66d3-4418-868c-8c3c45782498","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"}
{"level":"info","ts":"2026-06-11T16:00:23Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"57746ed1-66d3-4418-868c-8c3c45782498","authorized":true,"response":"OK"}
{"level":"debug","ts":"2026-06-11T16:00:23Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"57746ed1-66d3-4418-868c-8c3c45782498","authorized":true,"response":"OK"}
{"level":"info","ts":"2026-06-11T16:00:23Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"ba78931d-822c-4152-8a80-3f871db42fa7","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.15:60800","PortSpecifier":{"PortValue":60800}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.46:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"ba78931d-822c-4152-8a80-3f871db42fa7","method":"GET","path":"/maas-api/v1/models","host":"maas.apps.0fa2c7de-5e3d-4367-9d71-0b0771b1c7ed.prod.konfluxeaas.com","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-11T16:00:23Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"ba78931d-822c-4152-8a80-3f871db42fa7","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.15:60800","PortSpecifier":{"PortValue":60800}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.46:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781193623,"nanos":116818917},"http":{"id":"ba78931d-822c-4152-8a80-3f871db42fa7","method":"GET","headers":{":authority":"maas.apps.0fa2c7de-5e3d-4367-9d71-0b0771b1c7ed.prod.konfluxeaas.com",":method":"GET",":path":"/maas-api/v1/models",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-11T16:00:23Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"ba78931d-822c-4152-8a80-3f871db42fa7","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-xgv2SIqnL6KhAs4o_6dmQb94o12515p3ZKkV6souPNYfZILv0WTfJK9Hj8dT"}
{"level":"debug","ts":"2026-06-11T16:00:23Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"ba78931d-822c-4152-8a80-3f871db42fa7","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-xgv2SIqnL6KhAs4o_6dmQb94o12515p3ZKkV6souPNYfZILv0WTfJK9Hj8dT\"}"}
{"level":"debug","ts":"2026-06-11T16:00:23Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"ba78931d-822c-4152-8a80-3f871db42fa7","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-11T16:00:23Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"ba78931d-822c-4152-8a80-3f871db42fa7","input":{"auth":{"identity":"Bearer **** deflate","authorization":"Bearer **** deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-11T16:00:23Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"ba78931d-822c-4152-8a80-3f871db42fa7","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-11T16:00:23Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"ba78931d-822c-4152-8a80-3f871db42fa7","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-11T16:00:23Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"ba78931d-822c-4152-8a80-3f871db42fa7","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-11T16:00:23Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"ba78931d-822c-4152-8a80-3f871db42fa7","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-11T16:00:23Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"ba78931d-822c-4152-8a80-3f871db42fa7","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-11T16:00:23Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"ba78931d-822c-4152-8a80-3f871db42fa7","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"groups","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"userid","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"keyId","Value":{}}]},"Plain":null},"reason":"no such key: subscription-info"}
{"level":"debug","ts":"2026-06-11T16:00:23Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"ba78931d-822c-4152-8a80-3f871db42fa7","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"}
{"level":"info","ts":"2026-06-11T16:00:23Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"ba78931d-822c-4152-8a80-3f871db42fa7","authorized":true,"response":"OK"}
{"level":"debug","ts":"2026-06-11T16:00:23Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"ba78931d-822c-4152-8a80-3f871db42fa7","authorized":true,"response":"OK"}
{"level":"info","ts":"2026-06-11T16:00:23Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"13de137c-3079-4026-bba8-ab527eb57bde","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.31:58368","PortSpecifier":{"PortValue":58368}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.46:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"13de137c-3079-4026-bba8-ab527eb57bde","method":"GET","path":"/llm/facebook-opt-125m-simulated/v1/models","host":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-11T16:00:23Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"13de137c-3079-4026-bba8-ab527eb57bde","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.31:58368","PortSpecifier":{"PortValue":58368}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.46:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781193623,"nanos":133862564},"http":{"id":"13de137c-3079-4026-bba8-ab527eb57bde","method":"GET","headers":{":authority":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local",":method":"GET",":path":"/llm/facebook-opt-125m-simulated/v1/models",":scheme":"https","accept-encoding":"gzip","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-11T16:00:23Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"13de137c-3079-4026-bba8-ab527eb57bde","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-xgv2SIqnL6KhAs4o_6dmQb94o12515p3ZKkV6souPNYfZILv0WTfJK9Hj8dT"}
{"level":"debug","ts":"2026-06-11T16:00:23Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"13de137c-3079-4026-bba8-ab527eb57bde","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-xgv2SIqnL6KhAs4o_6dmQb94o12515p3ZKkV6souPNYfZILv0WTfJK9Hj8dT\"}"}
{"level":"debug","ts":"2026-06-11T16:00:23Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"13de137c-3079-4026-bba8-ab527eb57bde","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-11T16:00:23Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"13de137c-3079-4026-bba8-ab527eb57bde","config":"subscription-info","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","headers":{"Content-Type":["application/json"]},"body":"{\"groups\":[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"],\"requestedModel\":\"llm/facebook-opt-125m-simulated\",\"requestedSubscription\":\"simulator-subscription\",\"username\":\"alice_lead\"}"}
{"level":"debug","ts":"2026-06-11T16:00:23Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"13de137c-3079-4026-bba8-ab527eb57bde","config":{"Name":"subscription-info","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"UserInfo":null,"UMA":null,"GenericHTTP":{"Endpoint":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","DynamicEndpoint":null,"Method":"POST","Body":{},"Parameters":[],"Headers":[],"ContentType":"application/json","SharedSecret":"","OAuth2":null,"OAuth2TokenForceFetch":false,"AuthCredentials":null}},"object":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}}
{"level":"debug","ts":"2026-06-11T16:00:23Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"13de137c-3079-4026-bba8-ab527eb57bde","input":{"auth":{"identity":"Bearer **** subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}}},"context":{"context_extensions":{"host":"3dd75e19cd66d310c30638e330078972afd6d2d96305f91055bc6a6f363fb8d3"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.133.0.46:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local",":method":"GET",":path":"/llm/facebook-opt-125m-simulated/v1/models",":scheme":"https","accept-encoding":"gzip","authorization":"Bearer **** sk-oai-xgv2SIqnL6KhAs4o_6dmQb94o12515p3ZKkV6souPNYfZILv0WTfJK9Hj8dT","user-agent":"Go-http-client/1.1","x-envoy-decorator-operation":"facebook-opt-125m-simulated-kserve-workload-svc.llm.svc.cluster.local:8000/*","x-envoy-external-address":"10.134.0.31","x-envoy-peer-metadata":"ChoKCkNMVVNURVJfSUQSDBoKS3ViZXJuZXRlcwqLAQoGTEFCRUxTEoABKn4KSwofc2VydmljZS5pc3Rpby5pby9jYW5vbmljYWwtbmFtZRIoGiZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAovCiNzZXJ2aWNlLmlzdGlvLmlvL2Nhbm9uaWNhbC1yZXZpc2lvbhIIGgZsYXRlc3QKQAoETkFNRRI4GjZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdC02ODdmZjY5OTYtdGNzZGsKIAoJTkFNRVNQQUNFEhMaEW9wZW5zaGlmdC1pbmdyZXNzCnQKBU9XTkVSEmsaaWt1YmVybmV0ZXM6Ly9hcGlzL2FwcHMvdjEvbmFtZXNwYWNlcy9vcGVuc2hpZnQtaW5ncmVzcy9kZXBsb3ltZW50cy9tYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAo5Cg1XT1JLTE9BRF9OQU1FEigaJm1hYXMtZGVmYXVsdC1nYXRld2F5LW9wZW5zaGlmdC1kZWZhdWx0","x-envoy-peer-metadata-id":"router~10.133.0.46~maas-default-gateway-openshift-default-687ff6996-tcsdk.openshift-ingress~openshift-ingress.svc.cluster.local","x-forwarded-for":"10.134.0.31","x-forwarded-proto":"https","x-maas-subscription":"simulator-subscription","x-request-id":"13de137c-3079-4026-bba8-ab527eb57bde"},"host":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local","id":"13de137c-3079-4026-bba8-ab527eb57bde","method":"GET","path":"/llm/facebook-opt-125m-simulated/v1/models","protocol":"HTTP/1.1","scheme":"https","time":{"nanos":133862564,"seconds":1781193623},"url_path":"/llm/facebook-opt-125m-simulated/v1/models","user_agent":"Go-http-client/1.1"},"source":{"address":"10.134.0.31:58368","port":58368}}}
{"level":"debug","ts":"2026-06-11T16:00:23Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"13de137c-3079-4026-bba8-ab527eb57bde","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-11T16:00:23Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"13de137c-3079-4026-bba8-ab527eb57bde","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-11T16:00:23Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"13de137c-3079-4026-bba8-ab527eb57bde","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-11T16:00:23Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"13de137c-3079-4026-bba8-ab527eb57bde","config":{"Name":"subscription-valid","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-11T16:00:23Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"13de137c-3079-4026-bba8-ab527eb57bde","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-11T16:00:23Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"13de137c-3079-4026-bba8-ab527eb57bde","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-11T16:00:23Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"13de137c-3079-4026-bba8-ab527eb57bde","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"}
{"level":"debug","ts":"2026-06-11T16:00:23Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"13de137c-3079-4026-bba8-ab527eb57bde","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"groups","Value":{}},{"Name":"keyId","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"userid","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_info","Value":{}}]},"Plain":null},"object":{"groups":["system:authenticated","Engineering","Project-Alpha"],"groups_str":"system:authenticated,Engineering,Project-Alpha","keyId":"f1529859-380f-4172-a454-a2ac0deaad8e","selected_subscription":"simulator-subscription","selected_subscription_key":"models-as-a-service/simulator-subscription@llm/facebook-opt-125m-simulated","subscription_error":"","subscription_error_message":"","subscription_info":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true},"userid":"alice_lead"}}
{"level":"info","ts":"2026-06-11T16:00:23Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"13de137c-3079-4026-bba8-ab527eb57bde","authorized":true,"response":"OK"}
{"level":"debug","ts":"2026-06-11T16:00:23Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"13de137c-3079-4026-bba8-ab527eb57bde","authorized":true,"response":"OK"}
{"level":"info","ts":"2026-06-11T16:00:23Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"4aa66c41-2bd0-44c9-b86d-c4f58c30d2bd","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.15:60802","PortSpecifier":{"PortValue":60802}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.46:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"4aa66c41-2bd0-44c9-b86d-c4f58c30d2bd","method":"POST","path":"/llm/facebook-opt-125m-simulated/v1/chat/completions","host":"maas.apps.0fa2c7de-5e3d-4367-9d71-0b0771b1c7ed.prod.konfluxeaas.com","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-11T16:00:23Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"4aa66c41-2bd0-44c9-b86d-c4f58c30d2bd","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.15:60802","PortSpecifier":{"PortValue":60802}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.46:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781193623,"nanos":172196151},"http":{"id":"4aa66c41-2bd0-44c9-b86d-c4f58c30d2bd","method":"POST","headers":{":authority":"maas.apps.0fa2c7de-5e3d-4367-9d71-0b0771b1c7ed.prod.konfluxeaas.com",":method":"POST",":path":"/llm/facebook-opt-125m-simulated/v1/chat/completions",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-11T16:00:23Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"4aa66c41-2bd0-44c9-b86d-c4f58c30d2bd","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-xgv2SIqnL6KhAs4o_6dmQb94o12515p3ZKkV6souPNYfZILv0WTfJK9Hj8dT"}
{"level":"debug","ts":"2026-06-11T16:00:23Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"4aa66c41-2bd0-44c9-b86d-c4f58c30d2bd","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-xgv2SIqnL6KhAs4o_6dmQb94o12515p3ZKkV6souPNYfZILv0WTfJK9Hj8dT\"}"}
{"level":"debug","ts":"2026-06-11T16:00:23Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"4aa66c41-2bd0-44c9-b86d-c4f58c30d2bd","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-11T16:00:23Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"4aa66c41-2bd0-44c9-b86d-c4f58c30d2bd","config":"subscription-info","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","headers":{"Content-Type":["application/json"]},"body":"{\"groups\":[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"],\"requestedModel\":\"llm/facebook-opt-125m-simulated\",\"requestedSubscription\":\"simulator-subscription\",\"username\":\"alice_lead\"}"}
{"level":"debug","ts":"2026-06-11T16:00:23Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"4aa66c41-2bd0-44c9-b86d-c4f58c30d2bd","config":{"Name":"subscription-info","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"UserInfo":null,"UMA":null,"GenericHTTP":{"Endpoint":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","DynamicEndpoint":null,"Method":"POST","Body":{},"Parameters":[],"Headers":[],"ContentType":"application/json","SharedSecret":"","OAuth2":null,"OAuth2TokenForceFetch":false,"AuthCredentials":null}},"object":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}}
{"level":"debug","ts":"2026-06-11T16:00:23Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"4aa66c41-2bd0-44c9-b86d-c4f58c30d2bd","input":{"auth":{"identity":"Bearer **** subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}}},"context":{"context_extensions":{"host":"18e32965997cdd9967355c6fa5264ed12c0a215989d459ed88d7d6de02865f76"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.133.0.46:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.0fa2c7de-5e3d-4367-9d71-0b0771b1c7ed.prod.konfluxeaas.com",":method":"POST",":path":"/llm/facebook-opt-125m-simulated/v1/chat/completions",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-11T16:00:23Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"4aa66c41-2bd0-44c9-b86d-c4f58c30d2bd","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-11T16:00:23Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"4aa66c41-2bd0-44c9-b86d-c4f58c30d2bd","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-11T16:00:23Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"4aa66c41-2bd0-44c9-b86d-c4f58c30d2bd","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-11T16:00:23Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"4aa66c41-2bd0-44c9-b86d-c4f58c30d2bd","config":{"Name":"subscription-valid","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-11T16:00:23Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"4aa66c41-2bd0-44c9-b86d-c4f58c30d2bd","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-11T16:00:23Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"4aa66c41-2bd0-44c9-b86d-c4f58c30d2bd","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-11T16:00:23Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"4aa66c41-2bd0-44c9-b86d-c4f58c30d2bd","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"}
{"level":"debug","ts":"2026-06-11T16:00:23Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"4aa66c41-2bd0-44c9-b86d-c4f58c30d2bd","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"subscription_error","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"userid","Value":{}},{"Name":"groups","Value":{}},{"Name":"keyId","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"selected_subscription_key","Value":{}}]},"Plain":null},"object":{"groups":["system:authenticated","Engineering","Project-Alpha"],"groups_str":"system:authenticated,Engineering,Project-Alpha","keyId":"f1529859-380f-4172-a454-a2ac0deaad8e","selected_subscription":"simulator-subscription","selected_subscription_key":"models-as-a-service/simulator-subscription@llm/facebook-opt-125m-simulated","subscription_error":"","subscription_error_message":"","subscription_info":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true},"userid":"alice_lead"}}
{"level":"info","ts":"2026-06-11T16:00:23Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"4aa66c41-2bd0-44c9-b86d-c4f58c30d2bd","authorized":true,"response":"OK"}
{"level":"debug","ts":"2026-06-11T16:00:23Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"4aa66c41-2bd0-44c9-b86d-c4f58c30d2bd","authorized":true,"response":"OK"}
{"level":"info","ts":"2026-06-11T16:00:23Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"f1d2f3d8-c1e5-4512-abf2-0f41df7dc7d9","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.15:60812","PortSpecifier":{"PortValue":60812}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.46:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"f1d2f3d8-c1e5-4512-abf2-0f41df7dc7d9","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.0fa2c7de-5e3d-4367-9d71-0b0771b1c7ed.prod.konfluxeaas.com","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-11T16:00:23Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"f1d2f3d8-c1e5-4512-abf2-0f41df7dc7d9","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.15:60812","PortSpecifier":{"PortValue":60812}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.46:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781193623,"nanos":278879842},"http":{"id":"f1d2f3d8-c1e5-4512-abf2-0f41df7dc7d9","method":"POST","headers":{":authority":"maas.apps.0fa2c7de-5e3d-4367-9d71-0b0771b1c7ed.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-11T16:00:23Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"f1d2f3d8-c1e5-4512-abf2-0f41df7dc7d9","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781193923,"groups":["Engineering","Project-Alpha"],"iat":1781193623,"iss":"https://keycloak.apps.0fa2c7de-5e3d-4367-9d71-0b0771b1c7ed.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:b0fc44b9-dc50-6f1b-8666-c968def09b4b","preferred_username":"alice_lead","scope":"email profile","sid":"yzAxeb6bX_s70u4fZkxIOoHv","sub":"f9b798af-33a9-4138-91ed-d87db85c2899","typ":"Bearer"}}
{"level":"debug","ts":"2026-06-11T16:00:23Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"f1d2f3d8-c1e5-4512-abf2-0f41df7dc7d9","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781193923,"groups":["Engineering","Project-Alpha"],"iat":1781193623,"iss":"https://keycloak.apps.0fa2c7de-5e3d-4367-9d71-0b0771b1c7ed.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:b0fc44b9-dc50-6f1b-8666-c968def09b4b","preferred_username":"alice_lead","scope":"email profile","sid":"yzAxeb6bX_s70u4fZkxIOoHv","sub":"f9b798af-33a9-4138-91ed-d87db85c2899","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.133.0.46:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.0fa2c7de-5e3d-4367-9d71-0b0771b1c7ed.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-11T16:00:23Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"f1d2f3d8-c1e5-4512-abf2-0f41df7dc7d9","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-11T16:00:23Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"f1d2f3d8-c1e5-4512-abf2-0f41df7dc7d9","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-11T16:00:23Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"f1d2f3d8-c1e5-4512-abf2-0f41df7dc7d9","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-11T16:00:23Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"f1d2f3d8-c1e5-4512-abf2-0f41df7dc7d9","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"groups","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"userid","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"keyId","Value":{}}]},"Plain":null},"reason":"no such key: metadata"}
{"level":"debug","ts":"2026-06-11T16:00:23Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"f1d2f3d8-c1e5-4512-abf2-0f41df7dc7d9","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"}
{"level":"debug","ts":"2026-06-11T16:00:23Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"f1d2f3d8-c1e5-4512-abf2-0f41df7dc7d9","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"}
{"level":"info","ts":"2026-06-11T16:00:23Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"f1d2f3d8-c1e5-4512-abf2-0f41df7dc7d9","authorized":true,"response":"OK"}
{"level":"debug","ts":"2026-06-11T16:00:23Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"f1d2f3d8-c1e5-4512-abf2-0f41df7dc7d9","authorized":true,"response":"OK"}
{"level":"info","ts":"2026-06-11T16:00:23Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"804e011f-3e74-4157-a075-203e52a23285","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.15:60820","PortSpecifier":{"PortValue":60820}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.46:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"804e011f-3e74-4157-a075-203e52a23285","method":"DELETE","path":"/maas-api/v1/api-keys/7c1eb56b-f5a7-46c5-8055-d298fe5ceede","host":"maas.apps.0fa2c7de-5e3d-4367-9d71-0b0771b1c7ed.prod.konfluxeaas.com","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-11T16:00:23Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"804e011f-3e74-4157-a075-203e52a23285","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.15:60820","PortSpecifier":{"PortValue":60820}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.46:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781193623,"nanos":312208985},"http":{"id":"804e011f-3e74-4157-a075-203e52a23285","method":"DELETE","headers":{":authority":"maas.apps.0fa2c7de-5e3d-4367-9d71-0b0771b1c7ed.prod.konfluxeaas.com",":method":"DELETE",":path":"/maas-api/v1/api-keys/7c1eb56b-f5a7-46c5-8055-d298fe5ceede",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-11T16:00:23Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"804e011f-3e74-4157-a075-203e52a23285","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781193923,"groups":["Engineering","Project-Alpha"],"iat":1781193623,"iss":"https://keycloak.apps.0fa2c7de-5e3d-4367-9d71-0b0771b1c7ed.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:b0fc44b9-dc50-6f1b-8666-c968def09b4b","preferred_username":"alice_lead","scope":"email profile","sid":"yzAxeb6bX_s70u4fZkxIOoHv","sub":"f9b798af-33a9-4138-91ed-d87db85c2899","typ":"Bearer"}}
{"level":"debug","ts":"2026-06-11T16:00:23Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"804e011f-3e74-4157-a075-203e52a23285","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781193923,"groups":["Engineering","Project-Alpha"],"iat":1781193623,"iss":"https://keycloak.apps.0fa2c7de-5e3d-4367-9d71-0b0771b1c7ed.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:b0fc44b9-dc50-6f1b-8666-c968def09b4b","preferred_username":"alice_lead","scope":"email profile","sid":"yzAxeb6bX_s70u4fZkxIOoHv","sub":"f9b798af-33a9-4138-91ed-d87db85c2899","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.133.0.46:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.0fa2c7de-5e3d-4367-9d71-0b0771b1c7ed.prod.konfluxeaas.com",":method":"DELETE",":path":"/maas-api/v1/api-keys/7c1eb56b-f5a7-46c5-8055-d298fe5ceede",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-11T16:00:23Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"804e011f-3e74-4157-a075-203e52a23285","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-11T16:00:23Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"804e011f-3e74-4157-a075-203e52a23285","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-11T16:00:23Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"804e011f-3e74-4157-a075-203e52a23285","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-11T16:00:23Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"804e011f-3e74-4157-a075-203e52a23285","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"groups","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"userid","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"keyId","Value":{}}]},"Plain":null},"reason":"no such key: metadata"}
{"level":"debug","ts":"2026-06-11T16:00:23Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"804e011f-3e74-4157-a075-203e52a23285","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"}
{"level":"debug","ts":"2026-06-11T16:00:23Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"804e011f-3e74-4157-a075-203e52a23285","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"}
{"level":"info","ts":"2026-06-11T16:00:23Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"804e011f-3e74-4157-a075-203e52a23285","authorized":true,"response":"OK"}
{"level":"debug","ts":"2026-06-11T16:00:23Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"804e011f-3e74-4157-a075-203e52a23285","authorized":true,"response":"OK"}
{"level":"info","ts":"2026-06-11T16:00:26Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"5b3212ef-2448-4b06-b42e-1551c391786b","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.15:47804","PortSpecifier":{"PortValue":47804}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.46:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"5b3212ef-2448-4b06-b42e-1551c391786b","method":"GET","path":"/maas-api/v1/models","host":"maas.apps.0fa2c7de-5e3d-4367-9d71-0b0771b1c7ed.prod.konfluxeaas.com","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-11T16:00:26Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"5b3212ef-2448-4b06-b42e-1551c391786b","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.15:47804","PortSpecifier":{"PortValue":47804}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.46:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781193626,"nanos":348855254},"http":{"id":"5b3212ef-2448-4b06-b42e-1551c391786b","method":"GET","headers":{":authority":"maas.apps.0fa2c7de-5e3d-4367-9d71-0b0771b1c7ed.prod.konfluxeaas.com",":method":"GET",":path":"/maas-api/v1/models",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-11T16:00:26Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"5b3212ef-2448-4b06-b42e-1551c391786b","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-1HeG7ziEHrYD7SCsc_RPv2V7Cgo9ZKvaaKxWWuexh7FPCAftvP0qskdlgLng9"}
{"level":"debug","ts":"2026-06-11T16:00:26Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"5b3212ef-2448-4b06-b42e-1551c391786b","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-1HeG7ziEHrYD7SCsc_RPv2V7Cgo9ZKvaaKxWWuexh7FPCAftvP0qskdlgLng9\"}"}
{"level":"debug","ts":"2026-06-11T16:00:26Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"5b3212ef-2448-4b06-b42e-1551c391786b","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** revoked or expired","valid":false}}
{"level":"debug","ts":"2026-06-11T16:00:26Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"5b3212ef-2448-4b06-b42e-1551c391786b","input":{"auth":{"identity":"Bearer **** revoked or expired","valid":false}}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.133.0.46:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.0fa2c7de-5e3d-4367-9d71-0b0771b1c7ed.prod.konfluxeaas.com",":method":"GET",":path":"/maas-api/v1/models",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-11T16:00:26Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access denied","request id":"5b3212ef-2448-4b06-b42e-1551c391786b","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"reason":"Unauthorized"}
{"level":"info","ts":"2026-06-11T16:00:26Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"5b3212ef-2448-4b06-b42e-1551c391786b","authorized":false,"response":"PERMISSION_DENIED","object":{"code":7,"status":403,"message":"Unauthorized"}}
{"level":"debug","ts":"2026-06-11T16:00:26Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"5b3212ef-2448-4b06-b42e-1551c391786b","authorized":false,"response":"PERMISSION_DENIED","object":{"code":7,"status":403,"message":"Unauthorized","headers":[{"content-type":"text/plain"},{"x-ext-auth-reason":""}]}}
{"level":"info","ts":"2026-06-11T16:00:26Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"75333edd-6b84-4e14-9c85-527e300db7d6","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.15:47816","PortSpecifier":{"PortValue":47816}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.46:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"75333edd-6b84-4e14-9c85-527e300db7d6","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.0fa2c7de-5e3d-4367-9d71-0b0771b1c7ed.prod.konfluxeaas.com","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-11T16:00:26Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"75333edd-6b84-4e14-9c85-527e300db7d6","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.15:47816","PortSpecifier":{"PortValue":47816}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.46:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781193626,"nanos":477413796},"http":{"id":"75333edd-6b84-4e14-9c85-527e300db7d6","method":"POST","headers":{":authority":"maas.apps.0fa2c7de-5e3d-4367-9d71-0b0771b1c7ed.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-11T16:00:26Z","logger":"authorino.service.auth.authpipeline.identity","msg":"cannot validate identity","request id":"75333edd-6b84-4e14-9c85-527e300db7d6","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"reason":"failed to verify signature: failed to verify id token signature"}
{"level":"debug","ts":"2026-06-11T16:00:26Z","logger":"authorino.service.auth.authpipeline.identity.kubernetesauth","msg":"calling kubernetes token review api","request id":"75333edd-6b84-4e14-9c85-527e300db7d6","tokenreview":{"name":""}}
{"level":"debug","ts":"2026-06-11T16:00:26Z","logger":"authorino.service.auth.authpipeline.identity","msg":"cannot validate identity","request id":"75333edd-6b84-4e14-9c85-527e300db7d6","config":{"Name":"openshift-identities","Priority":2,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":null,"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"Plain":null,"Noop":null,"ExtendedProperties":[]},"reason":"not authenticated"}
{"level":"info","ts":"2026-06-11T16:00:26Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"75333edd-6b84-4e14-9c85-527e300db7d6","authorized":false,"response":"UNAUTHENTICATED","object":{"code":16,"status":401,"message":"Authentication required"}}
{"level":"debug","ts":"2026-06-11T16:00:26Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"75333edd-6b84-4e14-9c85-527e300db7d6","authorized":false,"response":"UNAUTHENTICATED","object":{"code":16,"status":401,"message":"Authentication required","headers":[{"WWW-Authenticate":"request.headers.authorization realm=\"api-keys\""},{"WWW-Authenticate":"Bearer **** realm=\"openshift-identities\""}]}}
{"level":"info","ts":"2026-06-11T16:00:26Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"825e9b16-d295-48c6-914a-003c678cbeac","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.15:47818","PortSpecifier":{"PortValue":47818}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.46:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"825e9b16-d295-48c6-914a-003c678cbeac","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.0fa2c7de-5e3d-4367-9d71-0b0771b1c7ed.prod.konfluxeaas.com","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-11T16:00:26Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"825e9b16-d295-48c6-914a-003c678cbeac","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.15:47818","PortSpecifier":{"PortValue":47818}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.46:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781193626,"nanos":644879378},"http":{"id":"825e9b16-d295-48c6-914a-003c678cbeac","method":"POST","headers":{":authority":"maas.apps.0fa2c7de-5e3d-4367-9d71-0b0771b1c7ed.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-11T16:00:26Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"825e9b16-d295-48c6-914a-003c678cbeac","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781193926,"groups":["Engineering","Project-Alpha"],"iat":1781193626,"iss":"https://keycloak.apps.0fa2c7de-5e3d-4367-9d71-0b0771b1c7ed.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:54663dbc-c9e0-ce39-fa8c-b1192f329bd9","preferred_username":"alice_lead","scope":"email profile","sid":"Z468yoa77RehENjSfBsXR_2s","sub":"f9b798af-33a9-4138-91ed-d87db85c2899","typ":"Bearer"}}
{"level":"debug","ts":"2026-06-11T16:00:26Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"825e9b16-d295-48c6-914a-003c678cbeac","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781193926,"groups":["Engineering","Project-Alpha"],"iat":1781193626,"iss":"https://keycloak.apps.0fa2c7de-5e3d-4367-9d71-0b0771b1c7ed.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:54663dbc-c9e0-ce39-fa8c-b1192f329bd9","preferred_username":"alice_lead","scope":"email profile","sid":"Z468yoa77RehENjSfBsXR_2s","sub":"f9b798af-33a9-4138-91ed-d87db85c2899","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.133.0.46:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.0fa2c7de-5e3d-4367-9d71-0b0771b1c7ed.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-11T16:00:26Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"825e9b16-d295-48c6-914a-003c678cbeac","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-11T16:00:26Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"825e9b16-d295-48c6-914a-003c678cbeac","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-11T16:00:26Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"825e9b16-d295-48c6-914a-003c678cbeac","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-11T16:00:26Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"825e9b16-d295-48c6-914a-003c678cbeac","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"groups","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"userid","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"keyId","Value":{}}]},"Plain":null},"reason":"no such key: metadata"}
{"level":"debug","ts":"2026-06-11T16:00:26Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"825e9b16-d295-48c6-914a-003c678cbeac","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"}
{"level":"debug","ts":"2026-06-11T16:00:26Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"825e9b16-d295-48c6-914a-003c678cbeac","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"}
{"level":"info","ts":"2026-06-11T16:00:26Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"825e9b16-d295-48c6-914a-003c678cbeac","authorized":true,"response":"OK"}
{"level":"debug","ts":"2026-06-11T16:00:26Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"825e9b16-d295-48c6-914a-003c678cbeac","authorized":true,"response":"OK"}
{"level":"info","ts":"2026-06-11T16:00:26Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"301fe66b-b57a-480b-ba9c-fd28a2297b84","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.15:47834","PortSpecifier":{"PortValue":47834}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.46:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"301fe66b-b57a-480b-ba9c-fd28a2297b84","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.0fa2c7de-5e3d-4367-9d71-0b0771b1c7ed.prod.konfluxeaas.com","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-11T16:00:26Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"301fe66b-b57a-480b-ba9c-fd28a2297b84","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.15:47834","PortSpecifier":{"PortValue":47834}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.46:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781193626,"nanos":675915380},"http":{"id":"301fe66b-b57a-480b-ba9c-fd28a2297b84","method":"POST","headers":{":authority":"maas.apps.0fa2c7de-5e3d-4367-9d71-0b0771b1c7ed.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-11T16:00:26Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"301fe66b-b57a-480b-ba9c-fd28a2297b84","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781193926,"groups":["Site-Reliability"],"iat":1781193626,"iss":"https://keycloak.apps.0fa2c7de-5e3d-4367-9d71-0b0771b1c7ed.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:03a88186-cd3a-ada4-47a0-f5c3834e5d12","preferred_username":"bob_sre","scope":"email profile","sid":"LAY1qbmKpZF4inNIhPnf-crm","sub":"c918aeb1-3487-432f-b5a6-f0560899ab05","typ":"Bearer"}}
{"level":"debug","ts":"2026-06-11T16:00:26Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"301fe66b-b57a-480b-ba9c-fd28a2297b84","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781193926,"groups":["Site-Reliability"],"iat":1781193626,"iss":"https://keycloak.apps.0fa2c7de-5e3d-4367-9d71-0b0771b1c7ed.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:03a88186-cd3a-ada4-47a0-f5c3834e5d12","preferred_username":"bob_sre","scope":"email profile","sid":"LAY1qbmKpZF4inNIhPnf-crm","sub":"c918aeb1-3487-432f-b5a6-f0560899ab05","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.133.0.46:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.0fa2c7de-5e3d-4367-9d71-0b0771b1c7ed.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-11T16:00:26Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"301fe66b-b57a-480b-ba9c-fd28a2297b84","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-11T16:00:26Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"301fe66b-b57a-480b-ba9c-fd28a2297b84","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-11T16:00:26Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"301fe66b-b57a-480b-ba9c-fd28a2297b84","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-11T16:00:26Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"301fe66b-b57a-480b-ba9c-fd28a2297b84","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"groups","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"userid","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"keyId","Value":{}}]},"Plain":null},"reason":"no such key: metadata"}
{"level":"debug","ts":"2026-06-11T16:00:26Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"301fe66b-b57a-480b-ba9c-fd28a2297b84","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"bob_sre"}
{"level":"debug","ts":"2026-06-11T16:00:26Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"301fe66b-b57a-480b-ba9c-fd28a2297b84","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Site-Reliability\"]"}
{"level":"info","ts":"2026-06-11T16:00:26Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"301fe66b-b57a-480b-ba9c-fd28a2297b84","authorized":true,"response":"OK"}
{"level":"debug","ts":"2026-06-11T16:00:26Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"301fe66b-b57a-480b-ba9c-fd28a2297b84","authorized":true,"response":"OK"}
{"level":"info","ts":"2026-06-11T16:00:26Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"f88f2b4e-cafb-46a1-8321-5e04343b32c3","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.15:47842","PortSpecifier":{"PortValue":47842}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.46:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"f88f2b4e-cafb-46a1-8321-5e04343b32c3","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.0fa2c7de-5e3d-4367-9d71-0b0771b1c7ed.prod.konfluxeaas.com","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-11T16:00:26Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"f88f2b4e-cafb-46a1-8321-5e04343b32c3","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.15:47842","PortSpecifier":{"PortValue":47842}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.46:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781193626,"nanos":768065271},"http":{"id":"f88f2b4e-cafb-46a1-8321-5e04343b32c3","method":"POST","headers":{":authority":"maas.apps.0fa2c7de-5e3d-4367-9d71-0b0771b1c7ed.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-11T16:00:26Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"f88f2b4e-cafb-46a1-8321-5e04343b32c3","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781193926,"groups":["Engineering","Project-Alpha"],"iat":1781193626,"iss":"https://keycloak.apps.0fa2c7de-5e3d-4367-9d71-0b0771b1c7ed.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:f12e6c7c-6eb4-eea6-bb5c-ccaa5f942b93","preferred_username":"alice_lead","scope":"email profile","sid":"-YA1Ax7NWyASUZaGq-IuIwft","sub":"f9b798af-33a9-4138-91ed-d87db85c2899","typ":"Bearer"}}
{"level":"debug","ts":"2026-06-11T16:00:26Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"f88f2b4e-cafb-46a1-8321-5e04343b32c3","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781193926,"groups":["Engineering","Project-Alpha"],"iat":1781193626,"iss":"https://keycloak.apps.0fa2c7de-5e3d-4367-9d71-0b0771b1c7ed.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:f12e6c7c-6eb4-eea6-bb5c-ccaa5f942b93","preferred_username":"alice_lead","scope":"email profile","sid":"-YA1Ax7NWyASUZaGq-IuIwft","sub":"f9b798af-33a9-4138-91ed-d87db85c2899","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.133.0.46:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.0fa2c7de-5e3d-4367-9d71-0b0771b1c7ed.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-11T16:00:26Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"f88f2b4e-cafb-46a1-8321-5e04343b32c3","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-11T16:00:26Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"f88f2b4e-cafb-46a1-8321-5e04343b32c3","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-11T16:00:26Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"f88f2b4e-cafb-46a1-8321-5e04343b32c3","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-11T16:00:26Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"f88f2b4e-cafb-46a1-8321-5e04343b32c3","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"groups","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"userid","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"keyId","Value":{}}]},"Plain":null},"reason":"no such key: metadata"}
{"level":"debug","ts":"2026-06-11T16:00:26Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"f88f2b4e-cafb-46a1-8321-5e04343b32c3","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"}
{"level":"debug","ts":"2026-06-11T16:00:26Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"f88f2b4e-cafb-46a1-8321-5e04343b32c3","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"}
{"level":"info","ts":"2026-06-11T16:00:26Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"f88f2b4e-cafb-46a1-8321-5e04343b32c3","authorized":true,"response":"OK"}
{"level":"debug","ts":"2026-06-11T16:00:26Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"f88f2b4e-cafb-46a1-8321-5e04343b32c3","authorized":true,"response":"OK"}
{"level":"info","ts":"2026-06-11T16:00:26Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"b9125ed4-4d07-4dd0-86dc-ba50d8906dc9","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.15:47848","PortSpecifier":{"PortValue":47848}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.46:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"b9125ed4-4d07-4dd0-86dc-ba50d8906dc9","method":"DELETE","path":"/maas-api/v1/api-keys/120725ed-89f3-4d50-bb23-eb494e5f9cf7","host":"maas.apps.0fa2c7de-5e3d-4367-9d71-0b0771b1c7ed.prod.konfluxeaas.com","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-11T16:00:26Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"b9125ed4-4d07-4dd0-86dc-ba50d8906dc9","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.15:47848","PortSpecifier":{"PortValue":47848}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.46:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781193626,"nanos":800181323},"http":{"id":"b9125ed4-4d07-4dd0-86dc-ba50d8906dc9","method":"DELETE","headers":{":authority":"maas.apps.0fa2c7de-5e3d-4367-9d71-0b0771b1c7ed.prod.konfluxeaas.com",":method":"DELETE",":path":"/maas-api/v1/api-keys/120725ed-89f3-4d50-bb23-eb494e5f9cf7",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-11T16:00:26Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"b9125ed4-4d07-4dd0-86dc-ba50d8906dc9","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781193926,"groups":["Engineering","Project-Alpha"],"iat":1781193626,"iss":"https://keycloak.apps.0fa2c7de-5e3d-4367-9d71-0b0771b1c7ed.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:f12e6c7c-6eb4-eea6-bb5c-ccaa5f942b93","preferred_username":"alice_lead","scope":"email profile","sid":"-YA1Ax7NWyASUZaGq-IuIwft","sub":"f9b798af-33a9-4138-91ed-d87db85c2899","typ":"Bearer"}}
{"level":"debug","ts":"2026-06-11T16:00:26Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"b9125ed4-4d07-4dd0-86dc-ba50d8906dc9","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781193926,"groups":["Engineering","Project-Alpha"],"iat":1781193626,"iss":"https://keycloak.apps.0fa2c7de-5e3d-4367-9d71-0b0771b1c7ed.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:f12e6c7c-6eb4-eea6-bb5c-ccaa5f942b93","preferred_username":"alice_lead","scope":"email profile","sid":"-YA1Ax7NWyASUZaGq-IuIwft","sub":"f9b798af-33a9-4138-91ed-d87db85c2899","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.133.0.46:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.0fa2c7de-5e3d-4367-9d71-0b0771b1c7ed.prod.konfluxeaas.com",":method":"DELETE",":path":"/maas-api/v1/api-keys/120725ed-89f3-4d50-bb23-eb494e5f9cf7",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-11T16:00:26Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"b9125ed4-4d07-4dd0-86dc-ba50d8906dc9","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-11T16:00:26Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"b9125ed4-4d07-4dd0-86dc-ba50d8906dc9","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-11T16:00:26Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"b9125ed4-4d07-4dd0-86dc-ba50d8906dc9","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-11T16:00:26Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"b9125ed4-4d07-4dd0-86dc-ba50d8906dc9","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"groups","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"userid","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"keyId","Value":{}}]},"Plain":null},"reason":"no such key: metadata"}
{"level":"debug","ts":"2026-06-11T16:00:26Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"b9125ed4-4d07-4dd0-86dc-ba50d8906dc9","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"}
{"level":"debug","ts":"2026-06-11T16:00:26Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"b9125ed4-4d07-4dd0-86dc-ba50d8906dc9","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"}
{"level":"info","ts":"2026-06-11T16:00:26Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"b9125ed4-4d07-4dd0-86dc-ba50d8906dc9","authorized":true,"response":"OK"}
{"level":"debug","ts":"2026-06-11T16:00:26Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"b9125ed4-4d07-4dd0-86dc-ba50d8906dc9","authorized":true,"response":"OK"}
{"level":"info","ts":"2026-06-11T16:00:26Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"77ce84f9-2d95-4831-a59d-0a42ba66c6fa","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.15:47862","PortSpecifier":{"PortValue":47862}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.46:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"77ce84f9-2d95-4831-a59d-0a42ba66c6fa","method":"DELETE","path":"/maas-api/v1/api-keys/120725ed-89f3-4d50-bb23-eb494e5f9cf7","host":"maas.apps.0fa2c7de-5e3d-4367-9d71-0b0771b1c7ed.prod.konfluxeaas.com","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-11T16:00:26Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"77ce84f9-2d95-4831-a59d-0a42ba66c6fa","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.15:47862","PortSpecifier":{"PortValue":47862}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.46:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781193626,"nanos":830727273},"http":{"id":"77ce84f9-2d95-4831-a59d-0a42ba66c6fa","method":"DELETE","headers":{":authority":"maas.apps.0fa2c7de-5e3d-4367-9d71-0b0771b1c7ed.prod.konfluxeaas.com",":method":"DELETE",":path":"/maas-api/v1/api-keys/120725ed-89f3-4d50-bb23-eb494e5f9cf7",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-11T16:00:26Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"77ce84f9-2d95-4831-a59d-0a42ba66c6fa","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781193926,"groups":["Engineering","Project-Alpha"],"iat":1781193626,"iss":"https://keycloak.apps.0fa2c7de-5e3d-4367-9d71-0b0771b1c7ed.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:f12e6c7c-6eb4-eea6-bb5c-ccaa5f942b93","preferred_username":"alice_lead","scope":"email profile","sid":"-YA1Ax7NWyASUZaGq-IuIwft","sub":"f9b798af-33a9-4138-91ed-d87db85c2899","typ":"Bearer"}}
{"level":"debug","ts":"2026-06-11T16:00:26Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"77ce84f9-2d95-4831-a59d-0a42ba66c6fa","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781193926,"groups":["Engineering","Project-Alpha"],"iat":1781193626,"iss":"https://keycloak.apps.0fa2c7de-5e3d-4367-9d71-0b0771b1c7ed.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:f12e6c7c-6eb4-eea6-bb5c-ccaa5f942b93","preferred_username":"alice_lead","scope":"email profile","sid":"-YA1Ax7NWyASUZaGq-IuIwft","sub":"f9b798af-33a9-4138-91ed-d87db85c2899","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.133.0.46:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.0fa2c7de-5e3d-4367-9d71-0b0771b1c7ed.prod.konfluxeaas.com",":method":"DELETE",":path":"/maas-api/v1/api-keys/120725ed-89f3-4d50-bb23-eb494e5f9cf7",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-11T16:00:26Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"77ce84f9-2d95-4831-a59d-0a42ba66c6fa","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-11T16:00:26Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"77ce84f9-2d95-4831-a59d-0a42ba66c6fa","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-11T16:00:26Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"77ce84f9-2d95-4831-a59d-0a42ba66c6fa","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-11T16:00:26Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"77ce84f9-2d95-4831-a59d-0a42ba66c6fa","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"groups","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"userid","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"keyId","Value":{}}]},"Plain":null},"reason":"no such key: metadata"}
{"level":"debug","ts":"2026-06-11T16:00:26Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"77ce84f9-2d95-4831-a59d-0a42ba66c6fa","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"}
{"level":"debug","ts":"2026-06-11T16:00:26Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"77ce84f9-2d95-4831-a59d-0a42ba66c6fa","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"}
{"level":"info","ts":"2026-06-11T16:00:26Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"77ce84f9-2d95-4831-a59d-0a42ba66c6fa","authorized":true,"response":"OK"}
{"level":"debug","ts":"2026-06-11T16:00:26Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"77ce84f9-2d95-4831-a59d-0a42ba66c6fa","authorized":true,"response":"OK"}
{"level":"info","ts":"2026-06-11T16:00:26Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"7f1aa483-823d-442c-a362-23dbde90a6bb","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.15:47874","PortSpecifier":{"PortValue":47874}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.46:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"7f1aa483-823d-442c-a362-23dbde90a6bb","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.0fa2c7de-5e3d-4367-9d71-0b0771b1c7ed.prod.konfluxeaas.com","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-11T16:00:26Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"7f1aa483-823d-442c-a362-23dbde90a6bb","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.15:47874","PortSpecifier":{"PortValue":47874}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.46:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781193626,"nanos":920339572},"http":{"id":"7f1aa483-823d-442c-a362-23dbde90a6bb","method":"POST","headers":{":authority":"maas.apps.0fa2c7de-5e3d-4367-9d71-0b0771b1c7ed.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-11T16:00:26Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"7f1aa483-823d-442c-a362-23dbde90a6bb","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781193926,"groups":["Engineering","Project-Alpha"],"iat":1781193626,"iss":"https://keycloak.apps.0fa2c7de-5e3d-4367-9d71-0b0771b1c7ed.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:a7d6e233-8d4e-56d2-e41e-08f1cf374448","preferred_username":"alice_lead","scope":"email profile","sid":"xMrjdWTq1A1qub-mZbrBKHqO","sub":"f9b798af-33a9-4138-91ed-d87db85c2899","typ":"Bearer"}}
{"level":"debug","ts":"2026-06-11T16:00:26Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"7f1aa483-823d-442c-a362-23dbde90a6bb","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781193926,"groups":["Engineering","Project-Alpha"],"iat":1781193626,"iss":"https://keycloak.apps.0fa2c7de-5e3d-4367-9d71-0b0771b1c7ed.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:a7d6e233-8d4e-56d2-e41e-08f1cf374448","preferred_username":"alice_lead","scope":"email profile","sid":"xMrjdWTq1A1qub-mZbrBKHqO","sub":"f9b798af-33a9-4138-91ed-d87db85c2899","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.133.0.46:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.0fa2c7de-5e3d-4367-9d71-0b0771b1c7ed.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-11T16:00:26Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"7f1aa483-823d-442c-a362-23dbde90a6bb","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-11T16:00:26Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"7f1aa483-823d-442c-a362-23dbde90a6bb","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-11T16:00:26Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"7f1aa483-823d-442c-a362-23dbde90a6bb","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-11T16:00:26Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"7f1aa483-823d-442c-a362-23dbde90a6bb","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"groups","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"userid","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"keyId","Value":{}}]},"Plain":null},"reason":"no such key: metadata"}
{"level":"debug","ts":"2026-06-11T16:00:26Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"7f1aa483-823d-442c-a362-23dbde90a6bb","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"}
{"level":"debug","ts":"2026-06-11T16:00:26Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"7f1aa483-823d-442c-a362-23dbde90a6bb","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"}
{"level":"info","ts":"2026-06-11T16:00:26Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"7f1aa483-823d-442c-a362-23dbde90a6bb","authorized":true,"response":"OK"}
{"level":"debug","ts":"2026-06-11T16:00:26Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"7f1aa483-823d-442c-a362-23dbde90a6bb","authorized":true,"response":"OK"}
{"level":"info","ts":"2026-06-11T16:00:26Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"de2f3d3c-6a45-4cee-b1a4-382398e25ab2","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.15:47882","PortSpecifier":{"PortValue":47882}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.46:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"de2f3d3c-6a45-4cee-b1a4-382398e25ab2","method":"GET","path":"/maas-api/v1/models","host":"maas.apps.0fa2c7de-5e3d-4367-9d71-0b0771b1c7ed.prod.konfluxeaas.com","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-11T16:00:26Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"de2f3d3c-6a45-4cee-b1a4-382398e25ab2","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.15:47882","PortSpecifier":{"PortValue":47882}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.46:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781193626,"nanos":949367833},"http":{"id":"de2f3d3c-6a45-4cee-b1a4-382398e25ab2","method":"GET","headers":{":authority":"maas.apps.0fa2c7de-5e3d-4367-9d71-0b0771b1c7ed.prod.konfluxeaas.com",":method":"GET",":path":"/maas-api/v1/models",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-11T16:00:26Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"de2f3d3c-6a45-4cee-b1a4-382398e25ab2","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-njKcFJQoYvII0vk9_JTKMpHIKIuCQ2FUtGQiaJCnSPVLLr459qEOzEGrl8nC"}
{"level":"debug","ts":"2026-06-11T16:00:26Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"de2f3d3c-6a45-4cee-b1a4-382398e25ab2","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-njKcFJQoYvII0vk9_JTKMpHIKIuCQ2FUtGQiaJCnSPVLLr459qEOzEGrl8nC\"}"}
{"level":"debug","ts":"2026-06-11T16:00:26Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"de2f3d3c-6a45-4cee-b1a4-382398e25ab2","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-11T16:00:26Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"de2f3d3c-6a45-4cee-b1a4-382398e25ab2","input":{"auth":{"identity":"Bearer **** deflate","authorization":"Bearer **** deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-11T16:00:26Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"de2f3d3c-6a45-4cee-b1a4-382398e25ab2","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-11T16:00:26Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"de2f3d3c-6a45-4cee-b1a4-382398e25ab2","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-11T16:00:26Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"de2f3d3c-6a45-4cee-b1a4-382398e25ab2","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-11T16:00:26Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"de2f3d3c-6a45-4cee-b1a4-382398e25ab2","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-11T16:00:26Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"de2f3d3c-6a45-4cee-b1a4-382398e25ab2","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-11T16:00:26Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"de2f3d3c-6a45-4cee-b1a4-382398e25ab2","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"groups","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"userid","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"keyId","Value":{}}]},"Plain":null},"reason":"no such key: subscription-info"}
{"level":"debug","ts":"2026-06-11T16:00:26Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"de2f3d3c-6a45-4cee-b1a4-382398e25ab2","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"}
{"level":"info","ts":"2026-06-11T16:00:26Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"de2f3d3c-6a45-4cee-b1a4-382398e25ab2","authorized":true,"response":"OK"}
{"level":"debug","ts":"2026-06-11T16:00:26Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"de2f3d3c-6a45-4cee-b1a4-382398e25ab2","authorized":true,"response":"OK"}
{"level":"info","ts":"2026-06-11T16:00:26Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"0c6742dd-c140-4d9c-ad17-d12bb6832ddb","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.31:58368","PortSpecifier":{"PortValue":58368}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.46:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"0c6742dd-c140-4d9c-ad17-d12bb6832ddb","method":"GET","path":"/llm/facebook-opt-125m-simulated/v1/models","host":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-11T16:00:26Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"0c6742dd-c140-4d9c-ad17-d12bb6832ddb","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.31:58368","PortSpecifier":{"PortValue":58368}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.46:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781193626,"nanos":956185222},"http":{"id":"0c6742dd-c140-4d9c-ad17-d12bb6832ddb","method":"GET","headers":{":authority":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local",":method":"GET",":path":"/llm/facebook-opt-125m-simulated/v1/models",":scheme":"https","accept-encoding":"gzip","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-11T16:00:26Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"0c6742dd-c140-4d9c-ad17-d12bb6832ddb","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-njKcFJQoYvII0vk9_JTKMpHIKIuCQ2FUtGQiaJCnSPVLLr459qEOzEGrl8nC"}
{"level":"debug","ts":"2026-06-11T16:00:26Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"0c6742dd-c140-4d9c-ad17-d12bb6832ddb","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-njKcFJQoYvII0vk9_JTKMpHIKIuCQ2FUtGQiaJCnSPVLLr459qEOzEGrl8nC\"}"}
{"level":"debug","ts":"2026-06-11T16:00:26Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"0c6742dd-c140-4d9c-ad17-d12bb6832ddb","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-11T16:00:26Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"0c6742dd-c140-4d9c-ad17-d12bb6832ddb","config":"subscription-info","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","headers":{"Content-Type":["application/json"]},"body":"{\"groups\":[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"],\"requestedModel\":\"llm/facebook-opt-125m-simulated\",\"requestedSubscription\":\"simulator-subscription\",\"username\":\"alice_lead\"}"}
{"level":"debug","ts":"2026-06-11T16:00:26Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"0c6742dd-c140-4d9c-ad17-d12bb6832ddb","config":{"Name":"subscription-info","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"UserInfo":null,"UMA":null,"GenericHTTP":{"Endpoint":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","DynamicEndpoint":null,"Method":"POST","Body":{},"Parameters":[],"Headers":[],"ContentType":"application/json","SharedSecret":"","OAuth2":null,"OAuth2TokenForceFetch":false,"AuthCredentials":null}},"object":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}}
{"level":"debug","ts":"2026-06-11T16:00:26Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"0c6742dd-c140-4d9c-ad17-d12bb6832ddb","input":{"auth":{"identity":"Bearer **** subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}}},"context":{"context_extensions":{"host":"3dd75e19cd66d310c30638e330078972afd6d2d96305f91055bc6a6f363fb8d3"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.133.0.46:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local",":method":"GET",":path":"/llm/facebook-opt-125m-simulated/v1/models",":scheme":"https","accept-encoding":"gzip","authorization":"Bearer **** sk-oai-njKcFJQoYvII0vk9_JTKMpHIKIuCQ2FUtGQiaJCnSPVLLr459qEOzEGrl8nC","user-agent":"Go-http-client/1.1","x-envoy-decorator-operation":"facebook-opt-125m-simulated-kserve-workload-svc.llm.svc.cluster.local:8000/*","x-envoy-external-address":"10.134.0.31","x-envoy-peer-metadata":"ChoKCkNMVVNURVJfSUQSDBoKS3ViZXJuZXRlcwqLAQoGTEFCRUxTEoABKn4KSwofc2VydmljZS5pc3Rpby5pby9jYW5vbmljYWwtbmFtZRIoGiZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAovCiNzZXJ2aWNlLmlzdGlvLmlvL2Nhbm9uaWNhbC1yZXZpc2lvbhIIGgZsYXRlc3QKQAoETkFNRRI4GjZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdC02ODdmZjY5OTYtdGNzZGsKIAoJTkFNRVNQQUNFEhMaEW9wZW5zaGlmdC1pbmdyZXNzCnQKBU9XTkVSEmsaaWt1YmVybmV0ZXM6Ly9hcGlzL2FwcHMvdjEvbmFtZXNwYWNlcy9vcGVuc2hpZnQtaW5ncmVzcy9kZXBsb3ltZW50cy9tYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAo5Cg1XT1JLTE9BRF9OQU1FEigaJm1hYXMtZGVmYXVsdC1nYXRld2F5LW9wZW5zaGlmdC1kZWZhdWx0","x-envoy-peer-metadata-id":"router~10.133.0.46~maas-default-gateway-openshift-default-687ff6996-tcsdk.openshift-ingress~openshift-ingress.svc.cluster.local","x-forwarded-for":"10.134.0.31","x-forwarded-proto":"https","x-maas-subscription":"simulator-subscription","x-request-id":"0c6742dd-c140-4d9c-ad17-d12bb6832ddb"},"host":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local","id":"0c6742dd-c140-4d9c-ad17-d12bb6832ddb","method":"GET","path":"/llm/facebook-opt-125m-simulated/v1/models","protocol":"HTTP/1.1","scheme":"https","time":{"nanos":956185222,"seconds":1781193626},"url_path":"/llm/facebook-opt-125m-simulated/v1/models","user_agent":"Go-http-client/1.1"},"source":{"address":"10.134.0.31:58368","port":58368}}}
{"level":"debug","ts":"2026-06-11T16:00:26Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"0c6742dd-c140-4d9c-ad17-d12bb6832ddb","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-11T16:00:26Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"0c6742dd-c140-4d9c-ad17-d12bb6832ddb","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-11T16:00:26Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"0c6742dd-c140-4d9c-ad17-d12bb6832ddb","config":{"Name":"subscription-valid","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-11T16:00:26Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"0c6742dd-c140-4d9c-ad17-d12bb6832ddb","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-11T16:00:26Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"0c6742dd-c140-4d9c-ad17-d12bb6832ddb","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-11T16:00:26Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"0c6742dd-c140-4d9c-ad17-d12bb6832ddb","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-11T16:00:26Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"0c6742dd-c140-4d9c-ad17-d12bb6832ddb","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"}
{"level":"debug","ts":"2026-06-11T16:00:26Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"0c6742dd-c140-4d9c-ad17-d12bb6832ddb","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"groups","Value":{}},{"Name":"keyId","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"userid","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_info","Value":{}}]},"Plain":null},"object":{"groups":["system:authenticated","Engineering","Project-Alpha"],"groups_str":"system:authenticated,Engineering,Project-Alpha","keyId":"ddc9df7c-e05f-43af-8c3e-8b4688b562a4","selected_subscription":"simulator-subscription","selected_subscription_key":"models-as-a-service/simulator-subscription@llm/facebook-opt-125m-simulated","subscription_error":"","subscription_error_message":"","subscription_info":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true},"userid":"alice_lead"}}
{"level":"info","ts":"2026-06-11T16:00:26Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"0c6742dd-c140-4d9c-ad17-d12bb6832ddb","authorized":true,"response":"OK"}
{"level":"debug","ts":"2026-06-11T16:00:26Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"0c6742dd-c140-4d9c-ad17-d12bb6832ddb","authorized":true,"response":"OK"}
{"level":"info","ts":"2026-06-11T16:00:27Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"b662552a-f23d-4c01-bc80-711fbfe96b7d","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.15:47898","PortSpecifier":{"PortValue":47898}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.46:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"b662552a-f23d-4c01-bc80-711fbfe96b7d","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.0fa2c7de-5e3d-4367-9d71-0b0771b1c7ed.prod.konfluxeaas.com","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-11T16:00:27Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"b662552a-f23d-4c01-bc80-711fbfe96b7d","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.15:47898","PortSpecifier":{"PortValue":47898}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.46:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781193627,"nanos":48482442},"http":{"id":"b662552a-f23d-4c01-bc80-711fbfe96b7d","method":"POST","headers":{":authority":"maas.apps.0fa2c7de-5e3d-4367-9d71-0b0771b1c7ed.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-11T16:00:27Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"b662552a-f23d-4c01-bc80-711fbfe96b7d","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781193927,"groups":["Engineering","Project-Alpha"],"iat":1781193627,"iss":"https://keycloak.apps.0fa2c7de-5e3d-4367-9d71-0b0771b1c7ed.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:c829a1c5-ef2d-6a2d-322c-8e8414bc0df7","preferred_username":"alice_lead","scope":"email profile","sid":"Iy0j9dORNlMfgGaoGcK241pY","sub":"f9b798af-33a9-4138-91ed-d87db85c2899","typ":"Bearer"}}
{"level":"debug","ts":"2026-06-11T16:00:27Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"b662552a-f23d-4c01-bc80-711fbfe96b7d","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781193927,"groups":["Engineering","Project-Alpha"],"iat":1781193627,"iss":"https://keycloak.apps.0fa2c7de-5e3d-4367-9d71-0b0771b1c7ed.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:c829a1c5-ef2d-6a2d-322c-8e8414bc0df7","preferred_username":"alice_lead","scope":"email profile","sid":"Iy0j9dORNlMfgGaoGcK241pY","sub":"f9b798af-33a9-4138-91ed-d87db85c2899","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.133.0.46:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.0fa2c7de-5e3d-4367-9d71-0b0771b1c7ed.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-11T16:00:27Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"b662552a-f23d-4c01-bc80-711fbfe96b7d","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-11T16:00:27Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"b662552a-f23d-4c01-bc80-711fbfe96b7d","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-11T16:00:27Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"b662552a-f23d-4c01-bc80-711fbfe96b7d","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-11T16:00:27Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"b662552a-f23d-4c01-bc80-711fbfe96b7d","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"groups","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"userid","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"keyId","Value":{}}]},"Plain":null},"reason":"no such key: metadata"}
{"level":"debug","ts":"2026-06-11T16:00:27Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"b662552a-f23d-4c01-bc80-711fbfe96b7d","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"}
{"level":"debug","ts":"2026-06-11T16:00:27Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"b662552a-f23d-4c01-bc80-711fbfe96b7d","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"}
{"level":"info","ts":"2026-06-11T16:00:27Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"b662552a-f23d-4c01-bc80-711fbfe96b7d","authorized":true,"response":"OK"}
{"level":"debug","ts":"2026-06-11T16:00:27Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"b662552a-f23d-4c01-bc80-711fbfe96b7d","authorized":true,"response":"OK"}
{"level":"info","ts":"2026-06-11T16:00:27Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"a9bfbe0e-9c44-46b6-9e4d-77d69ca48c37","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.15:47904","PortSpecifier":{"PortValue":47904}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.46:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"a9bfbe0e-9c44-46b6-9e4d-77d69ca48c37","method":"GET","path":"/maas-api/v1/models","host":"maas.apps.0fa2c7de-5e3d-4367-9d71-0b0771b1c7ed.prod.konfluxeaas.com","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-11T16:00:27Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"a9bfbe0e-9c44-46b6-9e4d-77d69ca48c37","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.15:47904","PortSpecifier":{"PortValue":47904}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.46:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781193627,"nanos":80022044},"http":{"id":"a9bfbe0e-9c44-46b6-9e4d-77d69ca48c37","method":"GET","headers":{":authority":"maas.apps.0fa2c7de-5e3d-4367-9d71-0b0771b1c7ed.prod.konfluxeaas.com",":method":"GET",":path":"/maas-api/v1/models",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-11T16:00:27Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"a9bfbe0e-9c44-46b6-9e4d-77d69ca48c37","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-1os7a6tQSfBIYOJa_C6ecJQf1pU37KkwLw55u7djsj8Ko9NQUwrVE1A1SUcj"}
{"level":"debug","ts":"2026-06-11T16:00:27Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"a9bfbe0e-9c44-46b6-9e4d-77d69ca48c37","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-1os7a6tQSfBIYOJa_C6ecJQf1pU37KkwLw55u7djsj8Ko9NQUwrVE1A1SUcj\"}"}
{"level":"debug","ts":"2026-06-11T16:00:27Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"a9bfbe0e-9c44-46b6-9e4d-77d69ca48c37","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-11T16:00:27Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"a9bfbe0e-9c44-46b6-9e4d-77d69ca48c37","input":{"auth":{"identity":"Bearer **** deflate","authorization":"Bearer **** deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-11T16:00:27Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"a9bfbe0e-9c44-46b6-9e4d-77d69ca48c37","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-11T16:00:27Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"a9bfbe0e-9c44-46b6-9e4d-77d69ca48c37","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-11T16:00:27Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"a9bfbe0e-9c44-46b6-9e4d-77d69ca48c37","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-11T16:00:27Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"a9bfbe0e-9c44-46b6-9e4d-77d69ca48c37","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-11T16:00:27Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"a9bfbe0e-9c44-46b6-9e4d-77d69ca48c37","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-11T16:00:27Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"a9bfbe0e-9c44-46b6-9e4d-77d69ca48c37","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"groups","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"userid","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"keyId","Value":{}}]},"Plain":null},"reason":"no such key: subscription-info"}
{"level":"debug","ts":"2026-06-11T16:00:27Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"a9bfbe0e-9c44-46b6-9e4d-77d69ca48c37","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"}
{"level":"info","ts":"2026-06-11T16:00:27Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"a9bfbe0e-9c44-46b6-9e4d-77d69ca48c37","authorized":true,"response":"OK"}
{"level":"debug","ts":"2026-06-11T16:00:27Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"a9bfbe0e-9c44-46b6-9e4d-77d69ca48c37","authorized":true,"response":"OK"}
{"level":"info","ts":"2026-06-11T16:00:27Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"5f2fe9b6-feff-4a9f-afcd-cf5aca08241c","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.15:47918","PortSpecifier":{"PortValue":47918}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.46:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"5f2fe9b6-feff-4a9f-afcd-cf5aca08241c","method":"GET","path":"/maas-api/v1/models","host":"maas.apps.0fa2c7de-5e3d-4367-9d71-0b0771b1c7ed.prod.konfluxeaas.com","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-11T16:00:27Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"5f2fe9b6-feff-4a9f-afcd-cf5aca08241c","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.15:47918","PortSpecifier":{"PortValue":47918}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.46:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781193627,"nanos":107354892},"http":{"id":"5f2fe9b6-feff-4a9f-afcd-cf5aca08241c","method":"GET","headers":{":authority":"maas.apps.0fa2c7de-5e3d-4367-9d71-0b0771b1c7ed.prod.konfluxeaas.com",":method":"GET",":path":"/maas-api/v1/models",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-11T16:00:27Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"5f2fe9b6-feff-4a9f-afcd-cf5aca08241c","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-1os7a6tQSfBIYOJa_C6ecJQf1pU37KkwLw55u7djsj8Ko9NQUwrVE1A1SUcj"}
{"level":"debug","ts":"2026-06-11T16:00:27Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"5f2fe9b6-feff-4a9f-afcd-cf5aca08241c","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-1os7a6tQSfBIYOJa_C6ecJQf1pU37KkwLw55u7djsj8Ko9NQUwrVE1A1SUcj\"}"}
{"level":"debug","ts":"2026-06-11T16:00:27Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"5f2fe9b6-feff-4a9f-afcd-cf5aca08241c","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-11T16:00:27Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"5f2fe9b6-feff-4a9f-afcd-cf5aca08241c","input":{"auth":{"identity":"Bearer **** deflate","authorization":"Bearer **** deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-11T16:00:27Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"5f2fe9b6-feff-4a9f-afcd-cf5aca08241c","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-11T16:00:27Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"5f2fe9b6-feff-4a9f-afcd-cf5aca08241c","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-11T16:00:27Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"5f2fe9b6-feff-4a9f-afcd-cf5aca08241c","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-11T16:00:27Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"5f2fe9b6-feff-4a9f-afcd-cf5aca08241c","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-11T16:00:27Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"5f2fe9b6-feff-4a9f-afcd-cf5aca08241c","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-11T16:00:27Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"5f2fe9b6-feff-4a9f-afcd-cf5aca08241c","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"groups","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"userid","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"keyId","Value":{}}]},"Plain":null},"reason":"no such key: subscription-info"}
{"level":"debug","ts":"2026-06-11T16:00:27Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"5f2fe9b6-feff-4a9f-afcd-cf5aca08241c","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"}
{"level":"info","ts":"2026-06-11T16:00:27Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"5f2fe9b6-feff-4a9f-afcd-cf5aca08241c","authorized":true,"response":"OK"}
{"level":"debug","ts":"2026-06-11T16:00:27Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"5f2fe9b6-feff-4a9f-afcd-cf5aca08241c","authorized":true,"response":"OK"}
{"level":"info","ts":"2026-06-11T16:00:27Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"02258204-dbc5-4547-b920-c953cc5fa7a6","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.31:58368","PortSpecifier":{"PortValue":58368}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.46:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"02258204-dbc5-4547-b920-c953cc5fa7a6","method":"GET","path":"/llm/facebook-opt-125m-simulated/v1/models","host":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-11T16:00:27Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"02258204-dbc5-4547-b920-c953cc5fa7a6","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.31:58368","PortSpecifier":{"PortValue":58368}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.46:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781193627,"nanos":113729929},"http":{"id":"02258204-dbc5-4547-b920-c953cc5fa7a6","method":"GET","headers":{":authority":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local",":method":"GET",":path":"/llm/facebook-opt-125m-simulated/v1/models",":scheme":"https","accept-encoding":"gzip","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-11T16:00:27Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"02258204-dbc5-4547-b920-c953cc5fa7a6","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-1os7a6tQSfBIYOJa_C6ecJQf1pU37KkwLw55u7djsj8Ko9NQUwrVE1A1SUcj"}
{"level":"debug","ts":"2026-06-11T16:00:27Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"02258204-dbc5-4547-b920-c953cc5fa7a6","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-1os7a6tQSfBIYOJa_C6ecJQf1pU37KkwLw55u7djsj8Ko9NQUwrVE1A1SUcj\"}"}
{"level":"debug","ts":"2026-06-11T16:00:27Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"02258204-dbc5-4547-b920-c953cc5fa7a6","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-11T16:00:27Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"02258204-dbc5-4547-b920-c953cc5fa7a6","config":"subscription-info","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","headers":{"Content-Type":["application/json"]},"body":"{\"groups\":[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"],\"requestedModel\":\"llm/facebook-opt-125m-simulated\",\"requestedSubscription\":\"simulator-subscription\",\"username\":\"alice_lead\"}"}
{"level":"debug","ts":"2026-06-11T16:00:27Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"02258204-dbc5-4547-b920-c953cc5fa7a6","config":{"Name":"subscription-info","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"UserInfo":null,"UMA":null,"GenericHTTP":{"Endpoint":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","DynamicEndpoint":null,"Method":"POST","Body":{},"Parameters":[],"Headers":[],"ContentType":"application/json","SharedSecret":"","OAuth2":null,"OAuth2TokenForceFetch":false,"AuthCredentials":null}},"object":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}}
{"level":"debug","ts":"2026-06-11T16:00:27Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"02258204-dbc5-4547-b920-c953cc5fa7a6","input":{"auth":{"identity":"Bearer **** subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}}},"context":{"context_extensions":{"host":"3dd75e19cd66d310c30638e330078972afd6d2d96305f91055bc6a6f363fb8d3"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.133.0.46:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local",":method":"GET",":path":"/llm/facebook-opt-125m-simulated/v1/models",":scheme":"https","accept-encoding":"gzip","authorization":"Bearer **** sk-oai-1os7a6tQSfBIYOJa_C6ecJQf1pU37KkwLw55u7djsj8Ko9NQUwrVE1A1SUcj","user-agent":"Go-http-client/1.1","x-envoy-decorator-operation":"facebook-opt-125m-simulated-kserve-workload-svc.llm.svc.cluster.local:8000/*","x-envoy-external-address":"10.134.0.31","x-envoy-peer-metadata":"ChoKCkNMVVNURVJfSUQSDBoKS3ViZXJuZXRlcwqLAQoGTEFCRUxTEoABKn4KSwofc2VydmljZS5pc3Rpby5pby9jYW5vbmljYWwtbmFtZRIoGiZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAovCiNzZXJ2aWNlLmlzdGlvLmlvL2Nhbm9uaWNhbC1yZXZpc2lvbhIIGgZsYXRlc3QKQAoETkFNRRI4GjZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdC02ODdmZjY5OTYtdGNzZGsKIAoJTkFNRVNQQUNFEhMaEW9wZW5zaGlmdC1pbmdyZXNzCnQKBU9XTkVSEmsaaWt1YmVybmV0ZXM6Ly9hcGlzL2FwcHMvdjEvbmFtZXNwYWNlcy9vcGVuc2hpZnQtaW5ncmVzcy9kZXBsb3ltZW50cy9tYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAo5Cg1XT1JLTE9BRF9OQU1FEigaJm1hYXMtZGVmYXVsdC1nYXRld2F5LW9wZW5zaGlmdC1kZWZhdWx0","x-envoy-peer-metadata-id":"router~10.133.0.46~maas-default-gateway-openshift-default-687ff6996-tcsdk.openshift-ingress~openshift-ingress.svc.cluster.local","x-forwarded-for":"10.134.0.31","x-forwarded-proto":"https","x-maas-subscription":"simulator-subscription","x-request-id":"02258204-dbc5-4547-b920-c953cc5fa7a6"},"host":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local","id":"02258204-dbc5-4547-b920-c953cc5fa7a6","method":"GET","path":"/llm/facebook-opt-125m-simulated/v1/models","protocol":"HTTP/1.1","scheme":"https","time":{"nanos":113729929,"seconds":1781193627},"url_path":"/llm/facebook-opt-125m-simulated/v1/models","user_agent":"Go-http-client/1.1"},"source":{"address":"10.134.0.31:58368","port":58368}}}
{"level":"debug","ts":"2026-06-11T16:00:27Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"02258204-dbc5-4547-b920-c953cc5fa7a6","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-11T16:00:27Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"02258204-dbc5-4547-b920-c953cc5fa7a6","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-11T16:00:27Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"02258204-dbc5-4547-b920-c953cc5fa7a6","config":{"Name":"subscription-valid","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-11T16:00:27Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"02258204-dbc5-4547-b920-c953cc5fa7a6","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-11T16:00:27Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"02258204-dbc5-4547-b920-c953cc5fa7a6","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-11T16:00:27Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"02258204-dbc5-4547-b920-c953cc5fa7a6","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-11T16:00:27Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"02258204-dbc5-4547-b920-c953cc5fa7a6","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"}
{"level":"debug","ts":"2026-06-11T16:00:27Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"02258204-dbc5-4547-b920-c953cc5fa7a6","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"groups","Value":{}},{"Name":"keyId","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"userid","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_info","Value":{}}]},"Plain":null},"object":{"groups":["system:authenticated","Engineering","Project-Alpha"],"groups_str":"system:authenticated,Engineering,Project-Alpha","keyId":"7384bc6e-4397-40e4-aace-98170eeaa1fe","selected_subscription":"simulator-subscription","selected_subscription_key":"models-as-a-service/simulator-subscription@llm/facebook-opt-125m-simulated","subscription_error":"","subscription_error_message":"","subscription_info":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true},"userid":"alice_lead"}}
{"level":"info","ts":"2026-06-11T16:00:27Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"02258204-dbc5-4547-b920-c953cc5fa7a6","authorized":true,"response":"OK"}
{"level":"debug","ts":"2026-06-11T16:00:27Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"02258204-dbc5-4547-b920-c953cc5fa7a6","authorized":true,"response":"OK"}
{"level":"info","ts":"2026-06-11T16:00:27Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"3f41bf48-7cab-4f39-92a5-ccbe202b130e","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.15:47922","PortSpecifier":{"PortValue":47922}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.46:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"3f41bf48-7cab-4f39-92a5-ccbe202b130e","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.0fa2c7de-5e3d-4367-9d71-0b0771b1c7ed.prod.konfluxeaas.com","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-11T16:00:27Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"3f41bf48-7cab-4f39-92a5-ccbe202b130e","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.15:47922","PortSpecifier":{"PortValue":47922}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.46:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781193627,"nanos":208826817},"http":{"id":"3f41bf48-7cab-4f39-92a5-ccbe202b130e","method":"POST","headers":{":authority":"maas.apps.0fa2c7de-5e3d-4367-9d71-0b0771b1c7ed.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-11T16:00:27Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"3f41bf48-7cab-4f39-92a5-ccbe202b130e","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781193927,"groups":["Engineering","Project-Alpha"],"iat":1781193627,"iss":"https://keycloak.apps.0fa2c7de-5e3d-4367-9d71-0b0771b1c7ed.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:5d24c393-6633-712f-648b-bee2b3180859","preferred_username":"alice_lead","scope":"email profile","sid":"FNxJjMY21zz3WPb4eey4yoQg","sub":"f9b798af-33a9-4138-91ed-d87db85c2899","typ":"Bearer"}}
{"level":"debug","ts":"2026-06-11T16:00:27Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"3f41bf48-7cab-4f39-92a5-ccbe202b130e","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781193927,"groups":["Engineering","Project-Alpha"],"iat":1781193627,"iss":"https://keycloak.apps.0fa2c7de-5e3d-4367-9d71-0b0771b1c7ed.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:5d24c393-6633-712f-648b-bee2b3180859","preferred_username":"alice_lead","scope":"email profile","sid":"FNxJjMY21zz3WPb4eey4yoQg","sub":"f9b798af-33a9-4138-91ed-d87db85c2899","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.133.0.46:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.0fa2c7de-5e3d-4367-9d71-0b0771b1c7ed.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-11T16:00:27Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"3f41bf48-7cab-4f39-92a5-ccbe202b130e","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-11T16:00:27Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"3f41bf48-7cab-4f39-92a5-ccbe202b130e","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-11T16:00:27Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"3f41bf48-7cab-4f39-92a5-ccbe202b130e","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-11T16:00:27Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"3f41bf48-7cab-4f39-92a5-ccbe202b130e","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"groups","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"userid","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"keyId","Value":{}}]},"Plain":null},"reason":"no such key: metadata"}
{"level":"debug","ts":"2026-06-11T16:00:27Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"3f41bf48-7cab-4f39-92a5-ccbe202b130e","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"}
{"level":"debug","ts":"2026-06-11T16:00:27Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"3f41bf48-7cab-4f39-92a5-ccbe202b130e","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"}
{"level":"info","ts":"2026-06-11T16:00:27Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"3f41bf48-7cab-4f39-92a5-ccbe202b130e","authorized":true,"response":"OK"}
{"level":"debug","ts":"2026-06-11T16:00:27Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"3f41bf48-7cab-4f39-92a5-ccbe202b130e","authorized":true,"response":"OK"}
{"level":"info","ts":"2026-06-11T16:00:27Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"44d86050-9390-4e10-bc68-a95cbfdbbd91","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.15:47934","PortSpecifier":{"PortValue":47934}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.46:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"44d86050-9390-4e10-bc68-a95cbfdbbd91","method":"GET","path":"/maas-api/v1/models","host":"maas.apps.0fa2c7de-5e3d-4367-9d71-0b0771b1c7ed.prod.konfluxeaas.com","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-11T16:00:27Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"44d86050-9390-4e10-bc68-a95cbfdbbd91","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.15:47934","PortSpecifier":{"PortValue":47934}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.46:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781193627,"nanos":239268469},"http":{"id":"44d86050-9390-4e10-bc68-a95cbfdbbd91","method":"GET","headers":{":authority":"maas.apps.0fa2c7de-5e3d-4367-9d71-0b0771b1c7ed.prod.konfluxeaas.com",":method":"GET",":path":"/maas-api/v1/models",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-11T16:00:27Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"44d86050-9390-4e10-bc68-a95cbfdbbd91","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-79kJM81BSypor2Z8_b0Ib8InTGhZAeClYV11ZuTmyG6eaeTUB97BGkmEjvMF"}
{"level":"debug","ts":"2026-06-11T16:00:27Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"44d86050-9390-4e10-bc68-a95cbfdbbd91","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-79kJM81BSypor2Z8_b0Ib8InTGhZAeClYV11ZuTmyG6eaeTUB97BGkmEjvMF\"}"}
{"level":"debug","ts":"2026-06-11T16:00:27Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"44d86050-9390-4e10-bc68-a95cbfdbbd91","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-11T16:00:27Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"44d86050-9390-4e10-bc68-a95cbfdbbd91","input":{"auth":{"identity":"Bearer **** deflate","authorization":"Bearer **** deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-11T16:00:27Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"44d86050-9390-4e10-bc68-a95cbfdbbd91","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-11T16:00:27Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"44d86050-9390-4e10-bc68-a95cbfdbbd91","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-11T16:00:27Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"44d86050-9390-4e10-bc68-a95cbfdbbd91","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-11T16:00:27Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"44d86050-9390-4e10-bc68-a95cbfdbbd91","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-11T16:00:27Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"44d86050-9390-4e10-bc68-a95cbfdbbd91","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-11T16:00:27Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"44d86050-9390-4e10-bc68-a95cbfdbbd91","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"groups","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"userid","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"keyId","Value":{}}]},"Plain":null},"reason":"no such key: subscription-info"}
{"level":"debug","ts":"2026-06-11T16:00:27Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"44d86050-9390-4e10-bc68-a95cbfdbbd91","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"}
{"level":"info","ts":"2026-06-11T16:00:27Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"44d86050-9390-4e10-bc68-a95cbfdbbd91","authorized":true,"response":"OK"}
{"level":"debug","ts":"2026-06-11T16:00:27Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"44d86050-9390-4e10-bc68-a95cbfdbbd91","authorized":true,"response":"OK"}
{"level":"info","ts":"2026-06-11T16:00:27Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"7737748c-157f-40ca-b0f0-fbf383829509","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.31:58368","PortSpecifier":{"PortValue":58368}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.46:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"7737748c-157f-40ca-b0f0-fbf383829509","method":"GET","path":"/llm/facebook-opt-125m-simulated/v1/models","host":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-11T16:00:27Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"7737748c-157f-40ca-b0f0-fbf383829509","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.31:58368","PortSpecifier":{"PortValue":58368}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.46:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781193627,"nanos":246099899},"http":{"id":"7737748c-157f-40ca-b0f0-fbf383829509","method":"GET","headers":{":authority":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local",":method":"GET",":path":"/llm/facebook-opt-125m-simulated/v1/models",":scheme":"https","accept-encoding":"gzip","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-11T16:00:27Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"7737748c-157f-40ca-b0f0-fbf383829509","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-79kJM81BSypor2Z8_b0Ib8InTGhZAeClYV11ZuTmyG6eaeTUB97BGkmEjvMF"}
{"level":"debug","ts":"2026-06-11T16:00:27Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"7737748c-157f-40ca-b0f0-fbf383829509","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-79kJM81BSypor2Z8_b0Ib8InTGhZAeClYV11ZuTmyG6eaeTUB97BGkmEjvMF\"}"}
{"level":"debug","ts":"2026-06-11T16:00:27Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"7737748c-157f-40ca-b0f0-fbf383829509","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-11T16:00:27Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"7737748c-157f-40ca-b0f0-fbf383829509","config":"subscription-info","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","headers":{"Content-Type":["application/json"]},"body":"{\"groups\":[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"],\"requestedModel\":\"llm/facebook-opt-125m-simulated\",\"requestedSubscription\":\"simulator-subscription\",\"username\":\"alice_lead\"}"}
{"level":"debug","ts":"2026-06-11T16:00:27Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"7737748c-157f-40ca-b0f0-fbf383829509","config":{"Name":"subscription-info","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"UserInfo":null,"UMA":null,"GenericHTTP":{"Endpoint":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","DynamicEndpoint":null,"Method":"POST","Body":{},"Parameters":[],"Headers":[],"ContentType":"application/json","SharedSecret":"","OAuth2":null,"OAuth2TokenForceFetch":false,"AuthCredentials":null}},"object":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}}
{"level":"debug","ts":"2026-06-11T16:00:27Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"7737748c-157f-40ca-b0f0-fbf383829509","input":{"auth":{"identity":"Bearer **** subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}}},"context":{"context_extensions":{"host":"3dd75e19cd66d310c30638e330078972afd6d2d96305f91055bc6a6f363fb8d3"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.133.0.46:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local",":method":"GET",":path":"/llm/facebook-opt-125m-simulated/v1/models",":scheme":"https","accept-encoding":"gzip","authorization":"Bearer **** sk-oai-79kJM81BSypor2Z8_b0Ib8InTGhZAeClYV11ZuTmyG6eaeTUB97BGkmEjvMF","user-agent":"Go-http-client/1.1","x-envoy-decorator-operation":"facebook-opt-125m-simulated-kserve-workload-svc.llm.svc.cluster.local:8000/*","x-envoy-external-address":"10.134.0.31","x-envoy-peer-metadata":"ChoKCkNMVVNURVJfSUQSDBoKS3ViZXJuZXRlcwqLAQoGTEFCRUxTEoABKn4KSwofc2VydmljZS5pc3Rpby5pby9jYW5vbmljYWwtbmFtZRIoGiZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAovCiNzZXJ2aWNlLmlzdGlvLmlvL2Nhbm9uaWNhbC1yZXZpc2lvbhIIGgZsYXRlc3QKQAoETkFNRRI4GjZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdC02ODdmZjY5OTYtdGNzZGsKIAoJTkFNRVNQQUNFEhMaEW9wZW5zaGlmdC1pbmdyZXNzCnQKBU9XTkVSEmsaaWt1YmVybmV0ZXM6Ly9hcGlzL2FwcHMvdjEvbmFtZXNwYWNlcy9vcGVuc2hpZnQtaW5ncmVzcy9kZXBsb3ltZW50cy9tYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAo5Cg1XT1JLTE9BRF9OQU1FEigaJm1hYXMtZGVmYXVsdC1nYXRld2F5LW9wZW5zaGlmdC1kZWZhdWx0","x-envoy-peer-metadata-id":"router~10.133.0.46~maas-default-gateway-openshift-default-687ff6996-tcsdk.openshift-ingress~openshift-ingress.svc.cluster.local","x-forwarded-for":"10.134.0.31","x-forwarded-proto":"https","x-maas-subscription":"simulator-subscription","x-request-id":"7737748c-157f-40ca-b0f0-fbf383829509"},"host":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local","id":"7737748c-157f-40ca-b0f0-fbf383829509","method":"GET","path":"/llm/facebook-opt-125m-simulated/v1/models","protocol":"HTTP/1.1","scheme":"https","time":{"nanos":246099899,"seconds":1781193627},"url_path":"/llm/facebook-opt-125m-simulated/v1/models","user_agent":"Go-http-client/1.1"},"source":{"address":"10.134.0.31:58368","port":58368}}}
{"level":"debug","ts":"2026-06-11T16:00:27Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"7737748c-157f-40ca-b0f0-fbf383829509","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-11T16:00:27Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"7737748c-157f-40ca-b0f0-fbf383829509","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-11T16:00:27Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"7737748c-157f-40ca-b0f0-fbf383829509","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-11T16:00:27Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"7737748c-157f-40ca-b0f0-fbf383829509","config":{"Name":"subscription-valid","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-11T16:00:27Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"7737748c-157f-40ca-b0f0-fbf383829509","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-11T16:00:27Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"7737748c-157f-40ca-b0f0-fbf383829509","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-11T16:00:27Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"7737748c-157f-40ca-b0f0-fbf383829509","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"}
{"level":"debug","ts":"2026-06-11T16:00:27Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"7737748c-157f-40ca-b0f0-fbf383829509","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"groups","Value":{}},{"Name":"keyId","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"userid","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_info","Value":{}}]},"Plain":null},"object":{"groups":["system:authenticated","Engineering","Project-Alpha"],"groups_str":"system:authenticated,Engineering,Project-Alpha","keyId":"5a56f9b3-3973-4527-8dc0-9ecda6e29fb0","selected_subscription":"simulator-subscription","selected_subscription_key":"models-as-a-service/simulator-subscription@llm/facebook-opt-125m-simulated","subscription_error":"","subscription_error_message":"","subscription_info":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true},"userid":"alice_lead"}}
{"level":"info","ts":"2026-06-11T16:00:27Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"7737748c-157f-40ca-b0f0-fbf383829509","authorized":true,"response":"OK"}
{"level":"debug","ts":"2026-06-11T16:00:27Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"7737748c-157f-40ca-b0f0-fbf383829509","authorized":true,"response":"OK"}
{"level":"info","ts":"2026-06-11T16:00:27Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"aef3d826-6d59-44f4-a0e7-8e5f35149c38","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.15:47950","PortSpecifier":{"PortValue":47950}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.46:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"aef3d826-6d59-44f4-a0e7-8e5f35149c38","method":"GET","path":"/maas-api/v1/models","host":"maas.apps.0fa2c7de-5e3d-4367-9d71-0b0771b1c7ed.prod.konfluxeaas.com","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-11T16:00:27Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"aef3d826-6d59-44f4-a0e7-8e5f35149c38","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.15:47950","PortSpecifier":{"PortValue":47950}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.46:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781193627,"nanos":282422694},"http":{"id":"aef3d826-6d59-44f4-a0e7-8e5f35149c38","method":"GET","headers":{":authority":"maas.apps.0fa2c7de-5e3d-4367-9d71-0b0771b1c7ed.prod.konfluxeaas.com",":method":"GET",":path":"/maas-api/v1/models",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-11T16:00:27Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"aef3d826-6d59-44f4-a0e7-8e5f35149c38","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-79kJM81BSypor2Z8_b0Ib8InTGhZAeClYV11ZuTmyG6eaeTUB97BGkmEjvMF"}
{"level":"debug","ts":"2026-06-11T16:00:27Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"aef3d826-6d59-44f4-a0e7-8e5f35149c38","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-79kJM81BSypor2Z8_b0Ib8InTGhZAeClYV11ZuTmyG6eaeTUB97BGkmEjvMF\"}"}
{"level":"debug","ts":"2026-06-11T16:00:27Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"aef3d826-6d59-44f4-a0e7-8e5f35149c38","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-11T16:00:27Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"aef3d826-6d59-44f4-a0e7-8e5f35149c38","input":{"auth":{"identity":"Bearer **** deflate","authorization":"Bearer **** deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-11T16:00:27Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"aef3d826-6d59-44f4-a0e7-8e5f35149c38","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-11T16:00:27Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"aef3d826-6d59-44f4-a0e7-8e5f35149c38","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-11T16:00:27Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"aef3d826-6d59-44f4-a0e7-8e5f35149c38","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-11T16:00:27Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"aef3d826-6d59-44f4-a0e7-8e5f35149c38","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-11T16:00:27Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"aef3d826-6d59-44f4-a0e7-8e5f35149c38","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-11T16:00:27Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"aef3d826-6d59-44f4-a0e7-8e5f35149c38","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"groups","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"userid","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"keyId","Value":{}}]},"Plain":null},"reason":"no such key: subscription-info"}
{"level":"debug","ts":"2026-06-11T16:00:27Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"aef3d826-6d59-44f4-a0e7-8e5f35149c38","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"}
{"level":"info","ts":"2026-06-11T16:00:27Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"aef3d826-6d59-44f4-a0e7-8e5f35149c38","authorized":true,"response":"OK"}
{"level":"debug","ts":"2026-06-11T16:00:27Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"aef3d826-6d59-44f4-a0e7-8e5f35149c38","authorized":true,"response":"OK"}
{"level":"info","ts":"2026-06-11T16:00:27Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"cf6d9b7d-4e9d-418d-bb24-2685de3fc238","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.31:58368","PortSpecifier":{"PortValue":58368}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.46:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"cf6d9b7d-4e9d-418d-bb24-2685de3fc238","method":"GET","path":"/llm/facebook-opt-125m-simulated/v1/models","host":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-11T16:00:27Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"cf6d9b7d-4e9d-418d-bb24-2685de3fc238","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.31:58368","PortSpecifier":{"PortValue":58368}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.46:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781193627,"nanos":288942068},"http":{"id":"cf6d9b7d-4e9d-418d-bb24-2685de3fc238","method":"GET","headers":{":authority":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local",":method":"GET",":path":"/llm/facebook-opt-125m-simulated/v1/models",":scheme":"https","accept-encoding":"gzip","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-11T16:00:27Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"cf6d9b7d-4e9d-418d-bb24-2685de3fc238","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-79kJM81BSypor2Z8_b0Ib8InTGhZAeClYV11ZuTmyG6eaeTUB97BGkmEjvMF"}
{"level":"debug","ts":"2026-06-11T16:00:27Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"cf6d9b7d-4e9d-418d-bb24-2685de3fc238","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-79kJM81BSypor2Z8_b0Ib8InTGhZAeClYV11ZuTmyG6eaeTUB97BGkmEjvMF\"}"}
{"level":"debug","ts":"2026-06-11T16:00:27Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"cf6d9b7d-4e9d-418d-bb24-2685de3fc238","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-11T16:00:27Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"cf6d9b7d-4e9d-418d-bb24-2685de3fc238","config":"subscription-info","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","headers":{"Content-Type":["application/json"]},"body":"{\"groups\":[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"],\"requestedModel\":\"llm/facebook-opt-125m-simulated\",\"requestedSubscription\":\"simulator-subscription\",\"username\":\"alice_lead\"}"}
{"level":"debug","ts":"2026-06-11T16:00:27Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"cf6d9b7d-4e9d-418d-bb24-2685de3fc238","config":{"Name":"subscription-info","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"UserInfo":null,"UMA":null,"GenericHTTP":{"Endpoint":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","DynamicEndpoint":null,"Method":"POST","Body":{},"Parameters":[],"Headers":[],"ContentType":"application/json","SharedSecret":"","OAuth2":null,"OAuth2TokenForceFetch":false,"AuthCredentials":null}},"object":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}}
{"level":"debug","ts":"2026-06-11T16:00:27Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"cf6d9b7d-4e9d-418d-bb24-2685de3fc238","input":{"auth":{"identity":"Bearer **** subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}}},"context":{"context_extensions":{"host":"3dd75e19cd66d310c30638e330078972afd6d2d96305f91055bc6a6f363fb8d3"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.133.0.46:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local",":method":"GET",":path":"/llm/facebook-opt-125m-simulated/v1/models",":scheme":"https","accept-encoding":"gzip","authorization":"Bearer **** sk-oai-79kJM81BSypor2Z8_b0Ib8InTGhZAeClYV11ZuTmyG6eaeTUB97BGkmEjvMF","user-agent":"Go-http-client/1.1","x-envoy-decorator-operation":"facebook-opt-125m-simulated-kserve-workload-svc.llm.svc.cluster.local:8000/*","x-envoy-external-address":"10.134.0.31","x-envoy-peer-metadata":"ChoKCkNMVVNURVJfSUQSDBoKS3ViZXJuZXRlcwqLAQoGTEFCRUxTEoABKn4KSwofc2VydmljZS5pc3Rpby5pby9jYW5vbmljYWwtbmFtZRIoGiZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAovCiNzZXJ2aWNlLmlzdGlvLmlvL2Nhbm9uaWNhbC1yZXZpc2lvbhIIGgZsYXRlc3QKQAoETkFNRRI4GjZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdC02ODdmZjY5OTYtdGNzZGsKIAoJTkFNRVNQQUNFEhMaEW9wZW5zaGlmdC1pbmdyZXNzCnQKBU9XTkVSEmsaaWt1YmVybmV0ZXM6Ly9hcGlzL2FwcHMvdjEvbmFtZXNwYWNlcy9vcGVuc2hpZnQtaW5ncmVzcy9kZXBsb3ltZW50cy9tYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAo5Cg1XT1JLTE9BRF9OQU1FEigaJm1hYXMtZGVmYXVsdC1nYXRld2F5LW9wZW5zaGlmdC1kZWZhdWx0","x-envoy-peer-metadata-id":"router~10.133.0.46~maas-default-gateway-openshift-default-687ff6996-tcsdk.openshift-ingress~openshift-ingress.svc.cluster.local","x-forwarded-for":"10.134.0.31","x-forwarded-proto":"https","x-maas-subscription":"simulator-subscription","x-request-id":"cf6d9b7d-4e9d-418d-bb24-2685de3fc238"},"host":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local","id":"cf6d9b7d-4e9d-418d-bb24-2685de3fc238","method":"GET","path":"/llm/facebook-opt-125m-simulated/v1/models","protocol":"HTTP/1.1","scheme":"https","time":{"nanos":288942068,"seconds":1781193627},"url_path":"/llm/facebook-opt-125m-simulated/v1/models","user_agent":"Go-http-client/1.1"},"source":{"address":"10.134.0.31:58368","port":58368}}}
{"level":"debug","ts":"2026-06-11T16:00:27Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"cf6d9b7d-4e9d-418d-bb24-2685de3fc238","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-11T16:00:27Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"cf6d9b7d-4e9d-418d-bb24-2685de3fc238","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-11T16:00:27Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"cf6d9b7d-4e9d-418d-bb24-2685de3fc238","config":{"Name":"subscription-valid","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-11T16:00:27Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"cf6d9b7d-4e9d-418d-bb24-2685de3fc238","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-11T16:00:27Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"cf6d9b7d-4e9d-418d-bb24-2685de3fc238","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-11T16:00:27Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"cf6d9b7d-4e9d-418d-bb24-2685de3fc238","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-11T16:00:27Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"cf6d9b7d-4e9d-418d-bb24-2685de3fc238","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"}
{"level":"debug","ts":"2026-06-11T16:00:27Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"cf6d9b7d-4e9d-418d-bb24-2685de3fc238","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"groups","Value":{}},{"Name":"keyId","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"userid","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_info","Value":{}}]},"Plain":null},"object":{"groups":["system:authenticated","Engineering","Project-Alpha"],"groups_str":"system:authenticated,Engineering,Project-Alpha","keyId":"5a56f9b3-3973-4527-8dc0-9ecda6e29fb0","selected_subscription":"simulator-subscription","selected_subscription_key":"models-as-a-service/simulator-subscription@llm/facebook-opt-125m-simulated","subscription_error":"","subscription_error_message":"","subscription_info":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true},"userid":"alice_lead"}}
{"level":"info","ts":"2026-06-11T16:00:27Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"cf6d9b7d-4e9d-418d-bb24-2685de3fc238","authorized":true,"response":"OK"}
{"level":"debug","ts":"2026-06-11T16:00:27Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"cf6d9b7d-4e9d-418d-bb24-2685de3fc238","authorized":true,"response":"OK"}
{"level":"info","ts":"2026-06-11T16:00:27Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"915e961c-ba4a-49d7-a8c8-826aabee1d4e","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.15:47960","PortSpecifier":{"PortValue":47960}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.46:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"915e961c-ba4a-49d7-a8c8-826aabee1d4e","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.0fa2c7de-5e3d-4367-9d71-0b0771b1c7ed.prod.konfluxeaas.com","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-11T16:00:27Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"915e961c-ba4a-49d7-a8c8-826aabee1d4e","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.15:47960","PortSpecifier":{"PortValue":47960}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.46:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781193627,"nanos":384130315},"http":{"id":"915e961c-ba4a-49d7-a8c8-826aabee1d4e","method":"POST","headers":{":authority":"maas.apps.0fa2c7de-5e3d-4367-9d71-0b0771b1c7ed.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-11T16:00:27Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"915e961c-ba4a-49d7-a8c8-826aabee1d4e","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781193927,"groups":["Engineering","Project-Alpha"],"iat":1781193627,"iss":"https://keycloak.apps.0fa2c7de-5e3d-4367-9d71-0b0771b1c7ed.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:f9430f95-cc07-5eac-2ff3-2f47455eaa8b","preferred_username":"alice_lead","scope":"email profile","sid":"x2eX3RBaui3qVpWtEhuiIdBb","sub":"f9b798af-33a9-4138-91ed-d87db85c2899","typ":"Bearer"}}
{"level":"debug","ts":"2026-06-11T16:00:27Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"915e961c-ba4a-49d7-a8c8-826aabee1d4e","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781193927,"groups":["Engineering","Project-Alpha"],"iat":1781193627,"iss":"https://keycloak.apps.0fa2c7de-5e3d-4367-9d71-0b0771b1c7ed.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:f9430f95-cc07-5eac-2ff3-2f47455eaa8b","preferred_username":"alice_lead","scope":"email profile","sid":"x2eX3RBaui3qVpWtEhuiIdBb","sub":"f9b798af-33a9-4138-91ed-d87db85c2899","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.133.0.46:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.0fa2c7de-5e3d-4367-9d71-0b0771b1c7ed.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-11T16:00:27Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"915e961c-ba4a-49d7-a8c8-826aabee1d4e","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-11T16:00:27Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"915e961c-ba4a-49d7-a8c8-826aabee1d4e","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-11T16:00:27Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"915e961c-ba4a-49d7-a8c8-826aabee1d4e","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-11T16:00:27Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"915e961c-ba4a-49d7-a8c8-826aabee1d4e","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"groups","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"userid","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"keyId","Value":{}}]},"Plain":null},"reason":"no such key: metadata"}
{"level":"debug","ts":"2026-06-11T16:00:27Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"915e961c-ba4a-49d7-a8c8-826aabee1d4e","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"}
{"level":"debug","ts":"2026-06-11T16:00:27Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"915e961c-ba4a-49d7-a8c8-826aabee1d4e","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"}
{"level":"info","ts":"2026-06-11T16:00:27Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"915e961c-ba4a-49d7-a8c8-826aabee1d4e","authorized":true,"response":"OK"}
{"level":"debug","ts":"2026-06-11T16:00:27Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"915e961c-ba4a-49d7-a8c8-826aabee1d4e","authorized":true,"response":"OK"}