{"level":"info","ts":"2026-06-11T15:09:38Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"311b1be286674fd5684c9ac59b318287dade9769cfe4aeebd8c88e2dc6b72418","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-11T15:09:38Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"311b1be286674fd5684c9ac59b318287dade9769cfe4aeebd8c88e2dc6b72418","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-11T15:09:38Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"311b1be286674fd5684c9ac59b318287dade9769cfe4aeebd8c88e2dc6b72418","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-11T15:09:38Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/311b1be286674fd5684c9ac59b318287dade9769cfe4aeebd8c88e2dc6b72418"} {"level":"debug","ts":"2026-06-11T15:09:38Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"3c0d47082320c9bb02d3788ab2b052c696af91abc2ae438437ae71a26936c7c2","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"False","lastTransitionTime":"2026-06-11T15:09:38Z","reason":"HostsNotLinked","message":"No hosts linked to the resource"},{"type":"Ready","status":"False","lastTransitionTime":"2026-06-11T15:09:38Z","reason":"Reconciling"}],"summary":{"ready":false,"hostsReady":[],"numHostsReady":"0/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":6,"festivalWristbandEnabled":false}}} {"level":"debug","ts":"2026-06-11T15:09:38Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/3c0d47082320c9bb02d3788ab2b052c696af91abc2ae438437ae71a26936c7c2","issuerUrl":"https://keycloak.apps.64ad4523-ae6b-421a-b3db-904e112cf5e6.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-11T15:09:39Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/3c0d47082320c9bb02d3788ab2b052c696af91abc2ae438437ae71a26936c7c2"} {"level":"info","ts":"2026-06-11T15:09:39Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"3c0d47082320c9bb02d3788ab2b052c696af91abc2ae438437ae71a26936c7c2","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-11T15:09:39Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"311b1be286674fd5684c9ac59b318287dade9769cfe4aeebd8c88e2dc6b72418","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-11T15:09:39Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"3c0d47082320c9bb02d3788ab2b052c696af91abc2ae438437ae71a26936c7c2","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"True","lastTransitionTime":"2026-06-11T15:09:39Z","reason":"HostsLinked"},{"type":"Ready","status":"True","lastTransitionTime":"2026-06-11T15:09:39Z","reason":"Reconciled"}],"summary":{"ready":true,"hostsReady":["3c0d47082320c9bb02d3788ab2b052c696af91abc2ae438437ae71a26936c7c2"],"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":6,"festivalWristbandEnabled":false}}} {"level":"debug","ts":"2026-06-11T15:09:39Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/311b1be286674fd5684c9ac59b318287dade9769cfe4aeebd8c88e2dc6b72418","issuerUrl":"https://keycloak.apps.64ad4523-ae6b-421a-b3db-904e112cf5e6.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-11T15:09:39Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"3c0d47082320c9bb02d3788ab2b052c696af91abc2ae438437ae71a26936c7c2","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-11T15:09:39Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-11T15:09:39Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"3c0d47082320c9bb02d3788ab2b052c696af91abc2ae438437ae71a26936c7c2","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"True","lastTransitionTime":"2026-06-11T15:09:39Z","reason":"HostsLinked"},{"type":"Ready","status":"True","lastTransitionTime":"2026-06-11T15:09:39Z","reason":"Reconciled"}],"summary":{"ready":true,"hostsReady":["3c0d47082320c9bb02d3788ab2b052c696af91abc2ae438437ae71a26936c7c2"],"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":6,"festivalWristbandEnabled":false}}} {"level":"info","ts":"2026-06-11T15:09:39Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/311b1be286674fd5684c9ac59b318287dade9769cfe4aeebd8c88e2dc6b72418"} {"level":"error","ts":"2026-06-11T15:09:39Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"failed to update the resource","authconfig":{"name":"3c0d47082320c9bb02d3788ab2b052c696af91abc2ae438437ae71a26936c7c2","namespace":"kuadrant-system"},"error":"Operation cannot be fulfilled on authconfigs.authorino.kuadrant.io \"3c0d47082320c9bb02d3788ab2b052c696af91abc2ae438437ae71a26936c7c2\": the object has been modified; please apply your changes to the latest version and try again","stacktrace":"github.com/kuadrant/authorino/controllers.(*AuthConfigStatusUpdater).updateAuthConfigStatus\n\t/usr/src/authorino/controllers/auth_config_status_updater.go:162\ngithub.com/kuadrant/authorino/controllers.(*AuthConfigStatusUpdater).Reconcile\n\t/usr/src/authorino/controllers/auth_config_status_updater.go:81\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Reconcile\n\t/opt/app-root/src/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.16.3/pkg/internal/controller/controller.go:119\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).reconcileHandler\n\t/opt/app-root/src/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.16.3/pkg/internal/controller/controller.go:316\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem\n\t/opt/app-root/src/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.16.3/pkg/internal/controller/controller.go:266\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func2.2\n\t/opt/app-root/src/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.16.3/pkg/internal/controller/controller.go:227"} {"level":"debug","ts":"2026-06-11T15:09:39Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"3c0d47082320c9bb02d3788ab2b052c696af91abc2ae438437ae71a26936c7c2","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"False","lastTransitionTime":"2026-06-11T15:09:39Z","reason":"HostsNotLinked","message":"No hosts linked to the resource"},{"type":"Ready","status":"False","lastTransitionTime":"2026-06-11T15:09:39Z","reason":"Reconciling"}],"summary":{"ready":false,"hostsReady":[],"numHostsReady":"0/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":6,"festivalWristbandEnabled":false}}} {"level":"debug","ts":"2026-06-11T15:09:39Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/3c0d47082320c9bb02d3788ab2b052c696af91abc2ae438437ae71a26936c7c2","issuerUrl":"https://keycloak.apps.64ad4523-ae6b-421a-b3db-904e112cf5e6.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-11T15:09:39Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"3c0d47082320c9bb02d3788ab2b052c696af91abc2ae438437ae71a26936c7c2","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-11T15:09:39Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"311b1be286674fd5684c9ac59b318287dade9769cfe4aeebd8c88e2dc6b72418","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"True","lastTransitionTime":"2026-06-11T15:09:39Z","reason":"HostsLinked"},{"type":"Ready","status":"True","lastTransitionTime":"2026-06-11T15:09:39Z","reason":"Reconciled"}],"summary":{"ready":true,"hostsReady":["311b1be286674fd5684c9ac59b318287dade9769cfe4aeebd8c88e2dc6b72418"],"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":6,"festivalWristbandEnabled":false}}} {"level":"info","ts":"2026-06-11T15:09:39Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/3c0d47082320c9bb02d3788ab2b052c696af91abc2ae438437ae71a26936c7c2"} {"level":"debug","ts":"2026-06-11T15:09:39Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5","issuerUrl":"https://keycloak.apps.64ad4523-ae6b-421a-b3db-904e112cf5e6.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-11T15:09:39Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"311b1be286674fd5684c9ac59b318287dade9769cfe4aeebd8c88e2dc6b72418","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-11T15:09:39Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"3c0d47082320c9bb02d3788ab2b052c696af91abc2ae438437ae71a26936c7c2","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"True","lastTransitionTime":"2026-06-11T15:09:39Z","reason":"HostsLinked"},{"type":"Ready","status":"True","lastTransitionTime":"2026-06-11T15:09:39Z","reason":"Reconciled"}],"summary":{"ready":true,"hostsReady":["3c0d47082320c9bb02d3788ab2b052c696af91abc2ae438437ae71a26936c7c2"],"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":6,"festivalWristbandEnabled":false}}} {"level":"info","ts":"2026-06-11T15:09:39Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5"} {"level":"debug","ts":"2026-06-11T15:09:39Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/3c0d47082320c9bb02d3788ab2b052c696af91abc2ae438437ae71a26936c7c2","issuerUrl":"https://keycloak.apps.64ad4523-ae6b-421a-b3db-904e112cf5e6.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-11T15:09:39Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"3c0d47082320c9bb02d3788ab2b052c696af91abc2ae438437ae71a26936c7c2","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-11T15:09:39Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"bf72a6316f6ed79299511e58d068836cdc71dbca5e23944f783c9340ffa0aee1","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-11T15:09:39Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"311b1be286674fd5684c9ac59b318287dade9769cfe4aeebd8c88e2dc6b72418","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-11T15:09:39Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"3c0d47082320c9bb02d3788ab2b052c696af91abc2ae438437ae71a26936c7c2","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"False","lastTransitionTime":"2026-06-11T15:09:39Z","reason":"HostsNotLinked","message":"No hosts linked to the resource"},{"type":"Ready","status":"False","lastTransitionTime":"2026-06-11T15:09:39Z","reason":"Reconciling"}],"summary":{"ready":false,"hostsReady":[],"numHostsReady":"0/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":6,"festivalWristbandEnabled":false}}} {"level":"info","ts":"2026-06-11T15:09:39Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/3c0d47082320c9bb02d3788ab2b052c696af91abc2ae438437ae71a26936c7c2"} {"level":"debug","ts":"2026-06-11T15:09:39Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/bf72a6316f6ed79299511e58d068836cdc71dbca5e23944f783c9340ffa0aee1","issuerUrl":"https://keycloak.apps.64ad4523-ae6b-421a-b3db-904e112cf5e6.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-11T15:09:39Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"3c0d47082320c9bb02d3788ab2b052c696af91abc2ae438437ae71a26936c7c2","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-11T15:09:39Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"80f10756c0e833d16937036ed66f1daf5bef95559ef05a5e852766b97b9bdaef","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-11T15:09:39Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"3c0d47082320c9bb02d3788ab2b052c696af91abc2ae438437ae71a26936c7c2","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"True","lastTransitionTime":"2026-06-11T15:09:39Z","reason":"HostsLinked"},{"type":"Ready","status":"True","lastTransitionTime":"2026-06-11T15:09:39Z","reason":"Reconciled"}],"summary":{"ready":true,"hostsReady":["3c0d47082320c9bb02d3788ab2b052c696af91abc2ae438437ae71a26936c7c2"],"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":6,"festivalWristbandEnabled":false}}} {"level":"info","ts":"2026-06-11T15:09:39Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/bf72a6316f6ed79299511e58d068836cdc71dbca5e23944f783c9340ffa0aee1"} {"level":"debug","ts":"2026-06-11T15:09:39Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/311b1be286674fd5684c9ac59b318287dade9769cfe4aeebd8c88e2dc6b72418","issuerUrl":"https://keycloak.apps.64ad4523-ae6b-421a-b3db-904e112cf5e6.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-11T15:09:39Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"3c0d47082320c9bb02d3788ab2b052c696af91abc2ae438437ae71a26936c7c2","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-11T15:09:39Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"cc09b530b46a73b0d4ddb40e465580cff15db19d77e93e4903c9737647deeb1a","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-11T15:09:39Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"3c0d47082320c9bb02d3788ab2b052c696af91abc2ae438437ae71a26936c7c2","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"True","lastTransitionTime":"2026-06-11T15:09:39Z","reason":"HostsLinked"},{"type":"Ready","status":"True","lastTransitionTime":"2026-06-11T15:09:39Z","reason":"Reconciled"}],"summary":{"ready":true,"hostsReady":["3c0d47082320c9bb02d3788ab2b052c696af91abc2ae438437ae71a26936c7c2"],"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":6,"festivalWristbandEnabled":false}}} {"level":"error","ts":"2026-06-11T15:09:39Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"failed to update the resource","authconfig":{"name":"3c0d47082320c9bb02d3788ab2b052c696af91abc2ae438437ae71a26936c7c2","namespace":"kuadrant-system"},"error":"Operation cannot be fulfilled on authconfigs.authorino.kuadrant.io \"3c0d47082320c9bb02d3788ab2b052c696af91abc2ae438437ae71a26936c7c2\": the object has been modified; please apply your changes to the latest version and try again","stacktrace":"github.com/kuadrant/authorino/controllers.(*AuthConfigStatusUpdater).updateAuthConfigStatus\n\t/usr/src/authorino/controllers/auth_config_status_updater.go:162\ngithub.com/kuadrant/authorino/controllers.(*AuthConfigStatusUpdater).Reconcile\n\t/usr/src/authorino/controllers/auth_config_status_updater.go:81\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Reconcile\n\t/opt/app-root/src/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.16.3/pkg/internal/controller/controller.go:119\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).reconcileHandler\n\t/opt/app-root/src/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.16.3/pkg/internal/controller/controller.go:316\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem\n\t/opt/app-root/src/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.16.3/pkg/internal/controller/controller.go:266\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func2.2\n\t/opt/app-root/src/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.16.3/pkg/internal/controller/controller.go:227"} {"level":"debug","ts":"2026-06-11T15:09:39Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"3c0d47082320c9bb02d3788ab2b052c696af91abc2ae438437ae71a26936c7c2","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-11T15:09:39Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"3dd75e19cd66d310c30638e330078972afd6d2d96305f91055bc6a6f363fb8d3","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-11T15:09:39Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/311b1be286674fd5684c9ac59b318287dade9769cfe4aeebd8c88e2dc6b72418"} {"level":"debug","ts":"2026-06-11T15:09:39Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"3c0d47082320c9bb02d3788ab2b052c696af91abc2ae438437ae71a26936c7c2","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-11T15:09:39Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/80f10756c0e833d16937036ed66f1daf5bef95559ef05a5e852766b97b9bdaef","issuerUrl":"https://keycloak.apps.64ad4523-ae6b-421a-b3db-904e112cf5e6.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-11T15:09:39Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/80f10756c0e833d16937036ed66f1daf5bef95559ef05a5e852766b97b9bdaef"} {"level":"debug","ts":"2026-06-11T15:09:39Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/3c0d47082320c9bb02d3788ab2b052c696af91abc2ae438437ae71a26936c7c2","issuerUrl":"https://keycloak.apps.64ad4523-ae6b-421a-b3db-904e112cf5e6.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-11T15:09:39Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"4dc577fd60594d78a4a8bebe396f4b5a928f41bdc3f95c06d717cf1ddc3158b2","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-11T15:09:39Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/3c0d47082320c9bb02d3788ab2b052c696af91abc2ae438437ae71a26936c7c2"} {"level":"debug","ts":"2026-06-11T15:09:39Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/cc09b530b46a73b0d4ddb40e465580cff15db19d77e93e4903c9737647deeb1a","issuerUrl":"https://keycloak.apps.64ad4523-ae6b-421a-b3db-904e112cf5e6.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-11T15:09:39Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"b1f82c4ba6cc7617f9c0b90067f72f4a25fdc5de2564c14ccb90af534a2905f6","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-11T15:09:39Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/cc09b530b46a73b0d4ddb40e465580cff15db19d77e93e4903c9737647deeb1a"} {"level":"debug","ts":"2026-06-11T15:09:39Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/3dd75e19cd66d310c30638e330078972afd6d2d96305f91055bc6a6f363fb8d3","issuerUrl":"https://keycloak.apps.64ad4523-ae6b-421a-b3db-904e112cf5e6.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-11T15:09:39Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/3dd75e19cd66d310c30638e330078972afd6d2d96305f91055bc6a6f363fb8d3"} {"level":"debug","ts":"2026-06-11T15:09:39Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"331dc257e65f55f80700a586f7807093eda7b3d8e7d91215dc3c47731508480c","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-11T15:09:39Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/4dc577fd60594d78a4a8bebe396f4b5a928f41bdc3f95c06d717cf1ddc3158b2","issuerUrl":"https://keycloak.apps.64ad4523-ae6b-421a-b3db-904e112cf5e6.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-11T15:09:39Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/4dc577fd60594d78a4a8bebe396f4b5a928f41bdc3f95c06d717cf1ddc3158b2"} {"level":"debug","ts":"2026-06-11T15:09:39Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"35d34d59676c333235d7c9f02273e0380bb39f27cfd30856fedc0f7c0e5f79aa","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-11T15:09:39Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/b1f82c4ba6cc7617f9c0b90067f72f4a25fdc5de2564c14ccb90af534a2905f6","issuerUrl":"https://keycloak.apps.64ad4523-ae6b-421a-b3db-904e112cf5e6.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-11T15:09:39Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/b1f82c4ba6cc7617f9c0b90067f72f4a25fdc5de2564c14ccb90af534a2905f6"} {"level":"debug","ts":"2026-06-11T15:09:39Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/331dc257e65f55f80700a586f7807093eda7b3d8e7d91215dc3c47731508480c","issuerUrl":"https://keycloak.apps.64ad4523-ae6b-421a-b3db-904e112cf5e6.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-11T15:09:39Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"a89b0896df0d8cd430f1c81b6eb292ddc044daed393537d009a6330718f58d4b","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-11T15:09:39Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/331dc257e65f55f80700a586f7807093eda7b3d8e7d91215dc3c47731508480c"} {"level":"debug","ts":"2026-06-11T15:09:39Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/35d34d59676c333235d7c9f02273e0380bb39f27cfd30856fedc0f7c0e5f79aa","issuerUrl":"https://keycloak.apps.64ad4523-ae6b-421a-b3db-904e112cf5e6.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-11T15:09:39Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"d3b195a61a7f24c6bf1fba40f9f2e2565facb6af92e959c1546ac398a9172618","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-11T15:09:39Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/35d34d59676c333235d7c9f02273e0380bb39f27cfd30856fedc0f7c0e5f79aa"} {"level":"debug","ts":"2026-06-11T15:09:39Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/a89b0896df0d8cd430f1c81b6eb292ddc044daed393537d009a6330718f58d4b","issuerUrl":"https://keycloak.apps.64ad4523-ae6b-421a-b3db-904e112cf5e6.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-11T15:09:39Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"c9f2cdb36f800bc8ef8831e6117ec4c6cc521d8cd63b718b7906225d0f25e59f","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-11T15:09:39Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/a89b0896df0d8cd430f1c81b6eb292ddc044daed393537d009a6330718f58d4b"} {"level":"debug","ts":"2026-06-11T15:09:39Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/d3b195a61a7f24c6bf1fba40f9f2e2565facb6af92e959c1546ac398a9172618","issuerUrl":"https://keycloak.apps.64ad4523-ae6b-421a-b3db-904e112cf5e6.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-11T15:09:39Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-11T15:09:39Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/d3b195a61a7f24c6bf1fba40f9f2e2565facb6af92e959c1546ac398a9172618"} {"level":"debug","ts":"2026-06-11T15:09:39Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/c9f2cdb36f800bc8ef8831e6117ec4c6cc521d8cd63b718b7906225d0f25e59f","issuerUrl":"https://keycloak.apps.64ad4523-ae6b-421a-b3db-904e112cf5e6.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-11T15:09:39Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/c9f2cdb36f800bc8ef8831e6117ec4c6cc521d8cd63b718b7906225d0f25e59f"} {"level":"debug","ts":"2026-06-11T15:09:39Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"01918e70442d2cb18c94316131b0e0a241b4a5d12df5b1e1981a3bef420bbdb5","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-11T15:09:39Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d","issuerUrl":"https://keycloak.apps.64ad4523-ae6b-421a-b3db-904e112cf5e6.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-11T15:09:39Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"} {"level":"debug","ts":"2026-06-11T15:09:39Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/01918e70442d2cb18c94316131b0e0a241b4a5d12df5b1e1981a3bef420bbdb5","issuerUrl":"https://keycloak.apps.64ad4523-ae6b-421a-b3db-904e112cf5e6.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-11T15:09:39Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"9bbfc0b2e9e9acadd41342cd7c36a24afa8a5eef942d161782a6adae8411158a","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-11T15:09:39Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"df733b2c652bfe2458c9e19932b1091e939c1a62178d6879462b3b4f73fca4bb","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-11T15:09:39Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/01918e70442d2cb18c94316131b0e0a241b4a5d12df5b1e1981a3bef420bbdb5"} {"level":"debug","ts":"2026-06-11T15:09:39Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/9bbfc0b2e9e9acadd41342cd7c36a24afa8a5eef942d161782a6adae8411158a","issuerUrl":"https://keycloak.apps.64ad4523-ae6b-421a-b3db-904e112cf5e6.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-11T15:09:39Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"86cbb62fb4d82d4dc402b3281444539a5625c4bb4c86bbc4912c70e690a2e374","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-11T15:09:39Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/9bbfc0b2e9e9acadd41342cd7c36a24afa8a5eef942d161782a6adae8411158a"} {"level":"debug","ts":"2026-06-11T15:09:39Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/df733b2c652bfe2458c9e19932b1091e939c1a62178d6879462b3b4f73fca4bb","issuerUrl":"https://keycloak.apps.64ad4523-ae6b-421a-b3db-904e112cf5e6.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-11T15:09:39Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"e50f5fdcb9fb7e124557afe69edae9a95d05da488eae1cc4b5c1c7c1220a826a","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-11T15:09:39Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/df733b2c652bfe2458c9e19932b1091e939c1a62178d6879462b3b4f73fca4bb"} {"level":"debug","ts":"2026-06-11T15:09:39Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/86cbb62fb4d82d4dc402b3281444539a5625c4bb4c86bbc4912c70e690a2e374","issuerUrl":"https://keycloak.apps.64ad4523-ae6b-421a-b3db-904e112cf5e6.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-11T15:09:39Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"319a353672fc7601c875fa3f8b807adf60b64f093f022b2a1c3dfef3ac8cd4f4","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-11T15:09:39Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/86cbb62fb4d82d4dc402b3281444539a5625c4bb4c86bbc4912c70e690a2e374"} {"level":"debug","ts":"2026-06-11T15:09:39Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/e50f5fdcb9fb7e124557afe69edae9a95d05da488eae1cc4b5c1c7c1220a826a","issuerUrl":"https://keycloak.apps.64ad4523-ae6b-421a-b3db-904e112cf5e6.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-11T15:09:39Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"e38d76c6f386f12bc12190c87b39e6e77e182be454f85659a9197c301f2cd9be","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-11T15:09:39Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/e50f5fdcb9fb7e124557afe69edae9a95d05da488eae1cc4b5c1c7c1220a826a"} {"level":"debug","ts":"2026-06-11T15:09:39Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/319a353672fc7601c875fa3f8b807adf60b64f093f022b2a1c3dfef3ac8cd4f4","issuerUrl":"https://keycloak.apps.64ad4523-ae6b-421a-b3db-904e112cf5e6.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-11T15:09:39Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/319a353672fc7601c875fa3f8b807adf60b64f093f022b2a1c3dfef3ac8cd4f4"} {"level":"debug","ts":"2026-06-11T15:09:39Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"edcceb5a2e0cf1edde0fc3ed43068ce5b123a6fdc41949959c2c3b7a5a48bf24","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-11T15:09:39Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/e38d76c6f386f12bc12190c87b39e6e77e182be454f85659a9197c301f2cd9be","issuerUrl":"https://keycloak.apps.64ad4523-ae6b-421a-b3db-904e112cf5e6.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-11T15:09:39Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/e38d76c6f386f12bc12190c87b39e6e77e182be454f85659a9197c301f2cd9be"} {"level":"debug","ts":"2026-06-11T15:09:39Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/edcceb5a2e0cf1edde0fc3ed43068ce5b123a6fdc41949959c2c3b7a5a48bf24","issuerUrl":"https://keycloak.apps.64ad4523-ae6b-421a-b3db-904e112cf5e6.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-11T15:09:39Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/edcceb5a2e0cf1edde0fc3ed43068ce5b123a6fdc41949959c2c3b7a5a48bf24"} {"level":"info","ts":"2026-06-11T15:10:17Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"a25ec7de-1e95-4c33-ac1b-7a12324b88f3","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.11:58966","PortSpecifier":{"PortValue":58966}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.33:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"a25ec7de-1e95-4c33-ac1b-7a12324b88f3","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.64ad4523-ae6b-421a-b3db-904e112cf5e6.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-11T15:10:17Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"a25ec7de-1e95-4c33-ac1b-7a12324b88f3","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.11:58966","PortSpecifier":{"PortValue":58966}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.33:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781190617,"nanos":606061917},"http":{"id":"a25ec7de-1e95-4c33-ac1b-7a12324b88f3","method":"POST","headers":{":authority":"maas.apps.64ad4523-ae6b-421a-b3db-904e112cf5e6.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-11T15:10:17Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"a25ec7de-1e95-4c33-ac1b-7a12324b88f3","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781190917,"groups":["Engineering","Project-Alpha"],"iat":1781190617,"iss":"https://keycloak.apps.64ad4523-ae6b-421a-b3db-904e112cf5e6.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:8e94e4fd-36e7-1737-6a2b-a2f1a32a9714","preferred_username":"alice_lead","scope":"email profile","sid":"5eppLrgpsfVrMbBI6ePLRNEM","sub":"b6822ec5-f143-4df2-b471-a36ae2c0c0a9","typ":"Bearer"}} {"level":"debug","ts":"2026-06-11T15:10:17Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"a25ec7de-1e95-4c33-ac1b-7a12324b88f3","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781190917,"groups":["Engineering","Project-Alpha"],"iat":1781190617,"iss":"https://keycloak.apps.64ad4523-ae6b-421a-b3db-904e112cf5e6.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:8e94e4fd-36e7-1737-6a2b-a2f1a32a9714","preferred_username":"alice_lead","scope":"email profile","sid":"5eppLrgpsfVrMbBI6ePLRNEM","sub":"b6822ec5-f143-4df2-b471-a36ae2c0c0a9","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.132.0.33:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.64ad4523-ae6b-421a-b3db-904e112cf5e6.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-11T15:10:17Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"a25ec7de-1e95-4c33-ac1b-7a12324b88f3","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T15:10:17Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"a25ec7de-1e95-4c33-ac1b-7a12324b88f3","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T15:10:17Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"a25ec7de-1e95-4c33-ac1b-7a12324b88f3","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T15:10:17Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"a25ec7de-1e95-4c33-ac1b-7a12324b88f3","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"groups","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"userid","Value":{}}]},"Plain":null},"reason":"no such key: metadata"} {"level":"debug","ts":"2026-06-11T15:10:17Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"a25ec7de-1e95-4c33-ac1b-7a12324b88f3","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"} {"level":"debug","ts":"2026-06-11T15:10:17Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"a25ec7de-1e95-4c33-ac1b-7a12324b88f3","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"} {"level":"info","ts":"2026-06-11T15:10:17Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"a25ec7de-1e95-4c33-ac1b-7a12324b88f3","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-11T15:10:17Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"a25ec7de-1e95-4c33-ac1b-7a12324b88f3","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-11T15:10:17Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"143e2f12-606d-4440-931e-88767a28e24c","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.11:58976","PortSpecifier":{"PortValue":58976}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.33:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"143e2f12-606d-4440-931e-88767a28e24c","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.64ad4523-ae6b-421a-b3db-904e112cf5e6.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-11T15:10:17Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"143e2f12-606d-4440-931e-88767a28e24c","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.11:58976","PortSpecifier":{"PortValue":58976}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.33:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781190617,"nanos":746400139},"http":{"id":"143e2f12-606d-4440-931e-88767a28e24c","method":"POST","headers":{":authority":"maas.apps.64ad4523-ae6b-421a-b3db-904e112cf5e6.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-11T15:10:17Z","logger":"authorino.service.auth.authpipeline.identity","msg":"cannot validate identity","request id":"143e2f12-606d-4440-931e-88767a28e24c","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"reason":"failed to verify signature: failed to verify id token signature"} {"level":"debug","ts":"2026-06-11T15:10:17Z","logger":"authorino.service.auth.authpipeline.identity.kubernetesauth","msg":"calling kubernetes token review api","request id":"143e2f12-606d-4440-931e-88767a28e24c","tokenreview":{"name":""}} {"level":"debug","ts":"2026-06-11T15:10:17Z","logger":"authorino.service.auth.authpipeline.identity","msg":"cannot validate identity","request id":"143e2f12-606d-4440-931e-88767a28e24c","config":{"Name":"openshift-identities","Priority":2,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":null,"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"Plain":null,"Noop":null,"ExtendedProperties":[]},"reason":"not authenticated"} {"level":"info","ts":"2026-06-11T15:10:17Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"143e2f12-606d-4440-931e-88767a28e24c","authorized":false,"response":"UNAUTHENTICATED","object":{"code":16,"status":401,"message":"Authentication required"}} {"level":"debug","ts":"2026-06-11T15:10:17Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"143e2f12-606d-4440-931e-88767a28e24c","authorized":false,"response":"UNAUTHENTICATED","object":{"code":16,"status":401,"message":"Authentication required","headers":[{"WWW-Authenticate":"request.headers.authorization realm=\"api-keys\""},{"WWW-Authenticate":"Bearer **** realm=\"openshift-identities\""}]}} {"level":"info","ts":"2026-06-11T15:10:17Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"fed72540-2da3-4ba1-a2e4-fb74887836b5","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.11:58988","PortSpecifier":{"PortValue":58988}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.33:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"fed72540-2da3-4ba1-a2e4-fb74887836b5","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.64ad4523-ae6b-421a-b3db-904e112cf5e6.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-11T15:10:17Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"fed72540-2da3-4ba1-a2e4-fb74887836b5","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.11:58988","PortSpecifier":{"PortValue":58988}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.33:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781190617,"nanos":808752884},"http":{"id":"fed72540-2da3-4ba1-a2e4-fb74887836b5","method":"POST","headers":{":authority":"maas.apps.64ad4523-ae6b-421a-b3db-904e112cf5e6.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer","content-length":"35","content-type":"application/json","forwarded":"for=44.212.242.249;host=maas.apps.64ad4523-ae6b-421a-b3db-904e112cf5e6.prod.konfluxeaas.com;proto=https","user-agent":"python-requests/2.32.5","x-envoy-decorator-operation":"maas-api.opendatahub.svc.cluster.local:8443/*","x-envoy-external-address":"10.133.0.11","x-envoy-peer-metadata":"ChoKCkNMVVNURVJfSUQSDBoKS3ViZXJuZXRlcwqLAQoGTEFCRUxTEoABKn4KSwofc2VydmljZS5pc3Rpby5pby9jYW5vbmljYWwtbmFtZRIoGiZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAovCiNzZXJ2aWNlLmlzdGlvLmlvL2Nhbm9uaWNhbC1yZXZpc2lvbhIIGgZsYXRlc3QKQAoETkFNRRI4GjZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdC02ODdmZjY5OTYtaDY2YmwKIAoJTkFNRVNQQUNFEhMaEW9wZW5zaGlmdC1pbmdyZXNzCnQKBU9XTkVSEmsaaWt1YmVybmV0ZXM6Ly9hcGlzL2FwcHMvdjEvbmFtZXNwYWNlcy9vcGVuc2hpZnQtaW5ncmVzcy9kZXBsb3ltZW50cy9tYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAo5Cg1XT1JLTE9BRF9OQU1FEigaJm1hYXMtZGVmYXVsdC1nYXRld2F5LW9wZW5zaGlmdC1kZWZhdWx0","x-envoy-peer-metadata-id":"router~10.132.0.33~maas-default-gateway-openshift-default-687ff6996-h66bl.openshift-ingress~openshift-ingress.svc.cluster.local","x-forwarded-for":"44.212.242.249,10.133.0.11","x-forwarded-host":"maas.apps.64ad4523-ae6b-421a-b3db-904e112cf5e6.prod.konfluxeaas.com","x-forwarded-port":"443","x-forwarded-proto":"https","x-request-id":"fed72540-2da3-4ba1-a2e4-fb74887836b5"},"path":"/maas-api/v1/api-keys","host":"maas.apps.64ad4523-ae6b-421a-b3db-904e112cf5e6.prod.konfluxeaas.com","scheme":"https","protocol":"HTTP/1.1"}},"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"metadata_context":{}}} {"level":"debug","ts":"2026-06-11T15:10:17Z","logger":"authorino.service.auth.authpipeline.identity","msg":"cannot validate identity","request id":"fed72540-2da3-4ba1-a2e4-fb74887836b5","config":{"Name":"openshift-identities","Priority":2,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":null,"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"Plain":null,"Noop":null,"ExtendedProperties":[]},"reason":"credential not found"} {"level":"info","ts":"2026-06-11T15:10:17Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"fed72540-2da3-4ba1-a2e4-fb74887836b5","authorized":false,"response":"UNAUTHENTICATED","object":{"code":16,"status":401,"message":"Authentication required"}} {"level":"debug","ts":"2026-06-11T15:10:17Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"fed72540-2da3-4ba1-a2e4-fb74887836b5","authorized":false,"response":"UNAUTHENTICATED","object":{"code":16,"status":401,"message":"Authentication required","headers":[{"WWW-Authenticate":"request.headers.authorization realm=\"api-keys\""},{"WWW-Authenticate":"Bearer **** realm=\"openshift-identities\""}]}} {"level":"info","ts":"2026-06-11T15:10:17Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"4d0adf7c-72e8-4e2e-8d7c-63bd8cef8be7","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.11:58998","PortSpecifier":{"PortValue":58998}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.33:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"4d0adf7c-72e8-4e2e-8d7c-63bd8cef8be7","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.64ad4523-ae6b-421a-b3db-904e112cf5e6.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-11T15:10:17Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"4d0adf7c-72e8-4e2e-8d7c-63bd8cef8be7","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.11:58998","PortSpecifier":{"PortValue":58998}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.33:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781190617,"nanos":843347328},"http":{"id":"4d0adf7c-72e8-4e2e-8d7c-63bd8cef8be7","method":"POST","headers":{":authority":"maas.apps.64ad4523-ae6b-421a-b3db-904e112cf5e6.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","content-length":"36","content-type":"application/json","forwarded":"for=44.212.242.249;host=maas.apps.64ad4523-ae6b-421a-b3db-904e112cf5e6.prod.konfluxeaas.com;proto=https","user-agent":"python-requests/2.32.5","x-envoy-decorator-operation":"maas-api.opendatahub.svc.cluster.local:8443/*","x-envoy-external-address":"10.133.0.11","x-envoy-peer-metadata":"ChoKCkNMVVNURVJfSUQSDBoKS3ViZXJuZXRlcwqLAQoGTEFCRUxTEoABKn4KSwofc2VydmljZS5pc3Rpby5pby9jYW5vbmljYWwtbmFtZRIoGiZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAovCiNzZXJ2aWNlLmlzdGlvLmlvL2Nhbm9uaWNhbC1yZXZpc2lvbhIIGgZsYXRlc3QKQAoETkFNRRI4GjZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdC02ODdmZjY5OTYtaDY2YmwKIAoJTkFNRVNQQUNFEhMaEW9wZW5zaGlmdC1pbmdyZXNzCnQKBU9XTkVSEmsaaWt1YmVybmV0ZXM6Ly9hcGlzL2FwcHMvdjEvbmFtZXNwYWNlcy9vcGVuc2hpZnQtaW5ncmVzcy9kZXBsb3ltZW50cy9tYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAo5Cg1XT1JLTE9BRF9OQU1FEigaJm1hYXMtZGVmYXVsdC1nYXRld2F5LW9wZW5zaGlmdC1kZWZhdWx0","x-envoy-peer-metadata-id":"router~10.132.0.33~maas-default-gateway-openshift-default-687ff6996-h66bl.openshift-ingress~openshift-ingress.svc.cluster.local","x-forwarded-for":"44.212.242.249,10.133.0.11","x-forwarded-host":"maas.apps.64ad4523-ae6b-421a-b3db-904e112cf5e6.prod.konfluxeaas.com","x-forwarded-port":"443","x-forwarded-proto":"https","x-request-id":"4d0adf7c-72e8-4e2e-8d7c-63bd8cef8be7"},"path":"/maas-api/v1/api-keys","host":"maas.apps.64ad4523-ae6b-421a-b3db-904e112cf5e6.prod.konfluxeaas.com","scheme":"https","protocol":"HTTP/1.1"}},"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"metadata_context":{}}} {"level":"info","ts":"2026-06-11T15:10:17Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"4d0adf7c-72e8-4e2e-8d7c-63bd8cef8be7","authorized":false,"response":"UNAUTHENTICATED","object":{"code":16,"status":401,"message":"Authentication required"}} {"level":"debug","ts":"2026-06-11T15:10:17Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"4d0adf7c-72e8-4e2e-8d7c-63bd8cef8be7","authorized":false,"response":"UNAUTHENTICATED","object":{"code":16,"status":401,"message":"Authentication required","headers":[{"WWW-Authenticate":"request.headers.authorization realm=\"api-keys\""},{"WWW-Authenticate":"Bearer **** realm=\"openshift-identities\""}]}} {"level":"info","ts":"2026-06-11T15:10:18Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"7d3b0649-40b8-40f3-b240-5cf6cd4bf12c","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.11:59006","PortSpecifier":{"PortValue":59006}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.33:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"7d3b0649-40b8-40f3-b240-5cf6cd4bf12c","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.64ad4523-ae6b-421a-b3db-904e112cf5e6.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-11T15:10:18Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"7d3b0649-40b8-40f3-b240-5cf6cd4bf12c","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.11:59006","PortSpecifier":{"PortValue":59006}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.33:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781190618,"nanos":244258543},"http":{"id":"7d3b0649-40b8-40f3-b240-5cf6cd4bf12c","method":"POST","headers":{":authority":"maas.apps.64ad4523-ae6b-421a-b3db-904e112cf5e6.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-11T15:10:18Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"7d3b0649-40b8-40f3-b240-5cf6cd4bf12c","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781190918,"groups":["Site-Reliability"],"iat":1781190618,"iss":"https://keycloak.apps.64ad4523-ae6b-421a-b3db-904e112cf5e6.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:9a8f99b3-11c7-7b16-76fd-4a0d96d97cba","preferred_username":"bob_sre","scope":"email profile","sid":"NsagvM2WrU0FC8wRzX7xfZii","sub":"36e28809-e631-4920-8a68-c991f8abb568","typ":"Bearer"}} {"level":"debug","ts":"2026-06-11T15:10:18Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"7d3b0649-40b8-40f3-b240-5cf6cd4bf12c","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781190918,"groups":["Site-Reliability"],"iat":1781190618,"iss":"https://keycloak.apps.64ad4523-ae6b-421a-b3db-904e112cf5e6.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:9a8f99b3-11c7-7b16-76fd-4a0d96d97cba","preferred_username":"bob_sre","scope":"email profile","sid":"NsagvM2WrU0FC8wRzX7xfZii","sub":"36e28809-e631-4920-8a68-c991f8abb568","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.132.0.33:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.64ad4523-ae6b-421a-b3db-904e112cf5e6.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-11T15:10:18Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"7d3b0649-40b8-40f3-b240-5cf6cd4bf12c","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T15:10:18Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"7d3b0649-40b8-40f3-b240-5cf6cd4bf12c","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T15:10:18Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"7d3b0649-40b8-40f3-b240-5cf6cd4bf12c","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T15:10:18Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"7d3b0649-40b8-40f3-b240-5cf6cd4bf12c","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"groups","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"userid","Value":{}}]},"Plain":null},"reason":"no such key: metadata"} {"level":"debug","ts":"2026-06-11T15:10:18Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"7d3b0649-40b8-40f3-b240-5cf6cd4bf12c","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"bob_sre"} {"level":"debug","ts":"2026-06-11T15:10:18Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"7d3b0649-40b8-40f3-b240-5cf6cd4bf12c","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Site-Reliability\"]"} {"level":"info","ts":"2026-06-11T15:10:18Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"7d3b0649-40b8-40f3-b240-5cf6cd4bf12c","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-11T15:10:18Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"7d3b0649-40b8-40f3-b240-5cf6cd4bf12c","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-11T15:10:18Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"f6f7ca86-4cd3-40a8-b1d1-16b2db49e8a3","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.11:59010","PortSpecifier":{"PortValue":59010}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.33:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"f6f7ca86-4cd3-40a8-b1d1-16b2db49e8a3","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.64ad4523-ae6b-421a-b3db-904e112cf5e6.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-11T15:10:18Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"f6f7ca86-4cd3-40a8-b1d1-16b2db49e8a3","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.11:59010","PortSpecifier":{"PortValue":59010}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.33:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781190618,"nanos":482225922},"http":{"id":"f6f7ca86-4cd3-40a8-b1d1-16b2db49e8a3","method":"POST","headers":{":authority":"maas.apps.64ad4523-ae6b-421a-b3db-904e112cf5e6.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-11T15:10:18Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"f6f7ca86-4cd3-40a8-b1d1-16b2db49e8a3","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781190918,"groups":["Engineering","Project-Alpha"],"iat":1781190618,"iss":"https://keycloak.apps.64ad4523-ae6b-421a-b3db-904e112cf5e6.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:7e8a2f45-afc3-3b99-4c5e-73f5a5c9e980","preferred_username":"alice_lead","scope":"email profile","sid":"TVaWquXfG1_pvW5YkG5bjAAK","sub":"b6822ec5-f143-4df2-b471-a36ae2c0c0a9","typ":"Bearer"}} {"level":"debug","ts":"2026-06-11T15:10:18Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"f6f7ca86-4cd3-40a8-b1d1-16b2db49e8a3","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781190918,"groups":["Engineering","Project-Alpha"],"iat":1781190618,"iss":"https://keycloak.apps.64ad4523-ae6b-421a-b3db-904e112cf5e6.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:7e8a2f45-afc3-3b99-4c5e-73f5a5c9e980","preferred_username":"alice_lead","scope":"email profile","sid":"TVaWquXfG1_pvW5YkG5bjAAK","sub":"b6822ec5-f143-4df2-b471-a36ae2c0c0a9","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.132.0.33:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.64ad4523-ae6b-421a-b3db-904e112cf5e6.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-11T15:10:18Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"f6f7ca86-4cd3-40a8-b1d1-16b2db49e8a3","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T15:10:18Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"f6f7ca86-4cd3-40a8-b1d1-16b2db49e8a3","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T15:10:18Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"f6f7ca86-4cd3-40a8-b1d1-16b2db49e8a3","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T15:10:18Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"f6f7ca86-4cd3-40a8-b1d1-16b2db49e8a3","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"groups","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"userid","Value":{}}]},"Plain":null},"reason":"no such key: metadata"} {"level":"debug","ts":"2026-06-11T15:10:18Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"f6f7ca86-4cd3-40a8-b1d1-16b2db49e8a3","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"} {"level":"debug","ts":"2026-06-11T15:10:18Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"f6f7ca86-4cd3-40a8-b1d1-16b2db49e8a3","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"} {"level":"info","ts":"2026-06-11T15:10:18Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"f6f7ca86-4cd3-40a8-b1d1-16b2db49e8a3","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-11T15:10:18Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"f6f7ca86-4cd3-40a8-b1d1-16b2db49e8a3","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-11T15:10:18Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"0e40f040-81c7-495e-9e62-849181451b75","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.11:59018","PortSpecifier":{"PortValue":59018}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.33:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"0e40f040-81c7-495e-9e62-849181451b75","method":"GET","path":"/maas-api/v1/models","host":"maas.apps.64ad4523-ae6b-421a-b3db-904e112cf5e6.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-11T15:10:18Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"0e40f040-81c7-495e-9e62-849181451b75","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.11:59018","PortSpecifier":{"PortValue":59018}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.33:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781190618,"nanos":518450442},"http":{"id":"0e40f040-81c7-495e-9e62-849181451b75","method":"GET","headers":{":authority":"maas.apps.64ad4523-ae6b-421a-b3db-904e112cf5e6.prod.konfluxeaas.com",":method":"GET",":path":"/maas-api/v1/models",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-11T15:10:18Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"0e40f040-81c7-495e-9e62-849181451b75","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-1epCajSiQecvi1Cju_saOXzoZT61hXPFy0EieKyLNzFP4Et5Goa4dy8duin7P"} {"level":"debug","ts":"2026-06-11T15:10:18Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"0e40f040-81c7-495e-9e62-849181451b75","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-1epCajSiQecvi1Cju_saOXzoZT61hXPFy0EieKyLNzFP4Et5Goa4dy8duin7P\"}"} {"level":"debug","ts":"2026-06-11T15:10:18Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"0e40f040-81c7-495e-9e62-849181451b75","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-11T15:10:18Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"0e40f040-81c7-495e-9e62-849181451b75","input":{"auth":{"identity":"Bearer **** deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-11T15:10:18Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"0e40f040-81c7-495e-9e62-849181451b75","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T15:10:18Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"0e40f040-81c7-495e-9e62-849181451b75","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T15:10:18Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"0e40f040-81c7-495e-9e62-849181451b75","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T15:10:18Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"0e40f040-81c7-495e-9e62-849181451b75","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-11T15:10:18Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"0e40f040-81c7-495e-9e62-849181451b75","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-11T15:10:18Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"0e40f040-81c7-495e-9e62-849181451b75","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"groups","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"userid","Value":{}}]},"Plain":null},"reason":"no such key: subscription-info"} {"level":"debug","ts":"2026-06-11T15:10:18Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"0e40f040-81c7-495e-9e62-849181451b75","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"} {"level":"info","ts":"2026-06-11T15:10:18Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"0e40f040-81c7-495e-9e62-849181451b75","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-11T15:10:18Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"0e40f040-81c7-495e-9e62-849181451b75","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-11T15:10:18Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"a9358b5a-bd80-4110-b798-5458decc30ed","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.41:40682","PortSpecifier":{"PortValue":40682}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.33:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"a9358b5a-bd80-4110-b798-5458decc30ed","method":"GET","path":"/llm/facebook-opt-125m-simulated/v1/models","host":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local","scheme":"https"}}}} {"level":"debug","ts":"2026-06-11T15:10:18Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"a9358b5a-bd80-4110-b798-5458decc30ed","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.41:40682","PortSpecifier":{"PortValue":40682}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.33:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781190618,"nanos":529002341},"http":{"id":"a9358b5a-bd80-4110-b798-5458decc30ed","method":"GET","headers":{":authority":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local",":method":"GET",":path":"/llm/facebook-opt-125m-simulated/v1/models",":scheme":"https","accept-encoding":"gzip","authorization":"Bearer **** {"level":"debug","ts":"2026-06-11T15:10:18Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"a9358b5a-bd80-4110-b798-5458decc30ed","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-1epCajSiQecvi1Cju_saOXzoZT61hXPFy0EieKyLNzFP4Et5Goa4dy8duin7P"} {"level":"debug","ts":"2026-06-11T15:10:18Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"a9358b5a-bd80-4110-b798-5458decc30ed","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-1epCajSiQecvi1Cju_saOXzoZT61hXPFy0EieKyLNzFP4Et5Goa4dy8duin7P\"}"} {"level":"debug","ts":"2026-06-11T15:10:18Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"a9358b5a-bd80-4110-b798-5458decc30ed","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-11T15:10:18Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"a9358b5a-bd80-4110-b798-5458decc30ed","config":"subscription-info","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","headers":{"Content-Type":["application/json"]},"body":"{\"groups\":[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"],\"requestedModel\":\"llm/facebook-opt-125m-simulated\",\"requestedSubscription\":\"simulator-subscription\",\"username\":\"alice_lead\"}"} {"level":"debug","ts":"2026-06-11T15:10:18Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"a9358b5a-bd80-4110-b798-5458decc30ed","config":{"Name":"subscription-info","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"UserInfo":null,"UMA":null,"GenericHTTP":{"Endpoint":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","DynamicEndpoint":null,"Method":"POST","Body":{},"Parameters":[],"Headers":[],"ContentType":"application/json","SharedSecret":"","OAuth2":null,"OAuth2TokenForceFetch":false,"AuthCredentials":null}},"object":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}} {"level":"debug","ts":"2026-06-11T15:10:18Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"a9358b5a-bd80-4110-b798-5458decc30ed","input":{"auth":{"identity":"Bearer **** subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}}},"context":{"context_extensions":{"host":"3dd75e19cd66d310c30638e330078972afd6d2d96305f91055bc6a6f363fb8d3"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.132.0.33:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local",":method":"GET",":path":"/llm/facebook-opt-125m-simulated/v1/models",":scheme":"https","accept-encoding":"gzip","authorization":"Bearer **** sk-oai-1epCajSiQecvi1Cju_saOXzoZT61hXPFy0EieKyLNzFP4Et5Goa4dy8duin7P","user-agent":"Go-http-client/1.1","x-envoy-decorator-operation":"facebook-opt-125m-simulated-kserve-workload-svc.llm.svc.cluster.local:8000/*","x-envoy-external-address":"10.134.0.41","x-envoy-peer-metadata":"ChoKCkNMVVNURVJfSUQSDBoKS3ViZXJuZXRlcwqLAQoGTEFCRUxTEoABKn4KSwofc2VydmljZS5pc3Rpby5pby9jYW5vbmljYWwtbmFtZRIoGiZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAovCiNzZXJ2aWNlLmlzdGlvLmlvL2Nhbm9uaWNhbC1yZXZpc2lvbhIIGgZsYXRlc3QKQAoETkFNRRI4GjZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdC02ODdmZjY5OTYtaDY2YmwKIAoJTkFNRVNQQUNFEhMaEW9wZW5zaGlmdC1pbmdyZXNzCnQKBU9XTkVSEmsaaWt1YmVybmV0ZXM6Ly9hcGlzL2FwcHMvdjEvbmFtZXNwYWNlcy9vcGVuc2hpZnQtaW5ncmVzcy9kZXBsb3ltZW50cy9tYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAo5Cg1XT1JLTE9BRF9OQU1FEigaJm1hYXMtZGVmYXVsdC1nYXRld2F5LW9wZW5zaGlmdC1kZWZhdWx0","x-envoy-peer-metadata-id":"router~10.132.0.33~maas-default-gateway-openshift-default-687ff6996-h66bl.openshift-ingress~openshift-ingress.svc.cluster.local","x-forwarded-for":"10.134.0.41","x-forwarded-proto":"https","x-maas-subscription":"simulator-subscription","x-request-id":"a9358b5a-bd80-4110-b798-5458decc30ed"},"host":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local","id":"a9358b5a-bd80-4110-b798-5458decc30ed","method":"GET","path":"/llm/facebook-opt-125m-simulated/v1/models","protocol":"HTTP/1.1","scheme":"https","time":{"nanos":529002341,"seconds":1781190618},"url_path":"/llm/facebook-opt-125m-simulated/v1/models","user_agent":"Go-http-client/1.1"},"source":{"address":"10.134.0.41:40682","port":40682}}} {"level":"debug","ts":"2026-06-11T15:10:18Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"a9358b5a-bd80-4110-b798-5458decc30ed","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T15:10:18Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"a9358b5a-bd80-4110-b798-5458decc30ed","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T15:10:18Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"a9358b5a-bd80-4110-b798-5458decc30ed","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T15:10:18Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"a9358b5a-bd80-4110-b798-5458decc30ed","config":{"Name":"subscription-valid","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T15:10:18Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"a9358b5a-bd80-4110-b798-5458decc30ed","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-11T15:10:18Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"a9358b5a-bd80-4110-b798-5458decc30ed","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-11T15:10:18Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"a9358b5a-bd80-4110-b798-5458decc30ed","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"} {"level":"debug","ts":"2026-06-11T15:10:18Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"a9358b5a-bd80-4110-b798-5458decc30ed","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"groups","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"userid","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_error","Value":{}}]},"Plain":null},"object":{"groups":["system:authenticated","Engineering","Project-Alpha"],"groups_str":"system:authenticated,Engineering,Project-Alpha","keyId":"9487fd0a-1a35-4eef-a218-5a8550be8c01","selected_subscription":"simulator-subscription","selected_subscription_key":"models-as-a-service/simulator-subscription@llm/facebook-opt-125m-simulated","subscription_error":"","subscription_error_message":"","subscription_info":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true},"userid":"alice_lead"}} {"level":"info","ts":"2026-06-11T15:10:18Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"a9358b5a-bd80-4110-b798-5458decc30ed","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-11T15:10:18Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"a9358b5a-bd80-4110-b798-5458decc30ed","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-11T15:10:18Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"b05aedd1-b9ec-4b7c-b1da-7ac6d4d91ee9","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.11:59028","PortSpecifier":{"PortValue":59028}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.33:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"b05aedd1-b9ec-4b7c-b1da-7ac6d4d91ee9","method":"POST","path":"/llm/facebook-opt-125m-simulated/v1/chat/completions","host":"maas.apps.64ad4523-ae6b-421a-b3db-904e112cf5e6.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-11T15:10:18Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"b05aedd1-b9ec-4b7c-b1da-7ac6d4d91ee9","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.11:59028","PortSpecifier":{"PortValue":59028}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.33:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781190618,"nanos":568273976},"http":{"id":"b05aedd1-b9ec-4b7c-b1da-7ac6d4d91ee9","method":"POST","headers":{":authority":"maas.apps.64ad4523-ae6b-421a-b3db-904e112cf5e6.prod.konfluxeaas.com",":method":"POST",":path":"/llm/facebook-opt-125m-simulated/v1/chat/completions",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-11T15:10:18Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"b05aedd1-b9ec-4b7c-b1da-7ac6d4d91ee9","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-1epCajSiQecvi1Cju_saOXzoZT61hXPFy0EieKyLNzFP4Et5Goa4dy8duin7P"} {"level":"debug","ts":"2026-06-11T15:10:18Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"b05aedd1-b9ec-4b7c-b1da-7ac6d4d91ee9","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-1epCajSiQecvi1Cju_saOXzoZT61hXPFy0EieKyLNzFP4Et5Goa4dy8duin7P\"}"} {"level":"debug","ts":"2026-06-11T15:10:18Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"b05aedd1-b9ec-4b7c-b1da-7ac6d4d91ee9","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-11T15:10:18Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"b05aedd1-b9ec-4b7c-b1da-7ac6d4d91ee9","config":"subscription-info","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","headers":{"Content-Type":["application/json"]},"body":"{\"groups\":[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"],\"requestedModel\":\"llm/facebook-opt-125m-simulated\",\"requestedSubscription\":\"simulator-subscription\",\"username\":\"alice_lead\"}"} {"level":"debug","ts":"2026-06-11T15:10:18Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"b05aedd1-b9ec-4b7c-b1da-7ac6d4d91ee9","config":{"Name":"subscription-info","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"UserInfo":null,"UMA":null,"GenericHTTP":{"Endpoint":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","DynamicEndpoint":null,"Method":"POST","Body":{},"Parameters":[],"Headers":[],"ContentType":"application/json","SharedSecret":"","OAuth2":null,"OAuth2TokenForceFetch":false,"AuthCredentials":null}},"object":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}} {"level":"debug","ts":"2026-06-11T15:10:18Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"b05aedd1-b9ec-4b7c-b1da-7ac6d4d91ee9","input":{"auth":{"identity":"Bearer **** subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}}},"context":{"context_extensions":{"host":"18e32965997cdd9967355c6fa5264ed12c0a215989d459ed88d7d6de02865f76"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.132.0.33:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.64ad4523-ae6b-421a-b3db-904e112cf5e6.prod.konfluxeaas.com",":method":"POST",":path":"/llm/facebook-opt-125m-simulated/v1/chat/completions",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-11T15:10:18Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"b05aedd1-b9ec-4b7c-b1da-7ac6d4d91ee9","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T15:10:18Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"b05aedd1-b9ec-4b7c-b1da-7ac6d4d91ee9","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T15:10:18Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"b05aedd1-b9ec-4b7c-b1da-7ac6d4d91ee9","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T15:10:18Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"b05aedd1-b9ec-4b7c-b1da-7ac6d4d91ee9","config":{"Name":"subscription-valid","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T15:10:18Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"b05aedd1-b9ec-4b7c-b1da-7ac6d4d91ee9","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-11T15:10:18Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"b05aedd1-b9ec-4b7c-b1da-7ac6d4d91ee9","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-11T15:10:18Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"b05aedd1-b9ec-4b7c-b1da-7ac6d4d91ee9","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"} {"level":"debug","ts":"2026-06-11T15:10:18Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"b05aedd1-b9ec-4b7c-b1da-7ac6d4d91ee9","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"groups_str","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"userid","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"groups","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_info","Value":{}}]},"Plain":null},"object":{"groups":["system:authenticated","Engineering","Project-Alpha"],"groups_str":"system:authenticated,Engineering,Project-Alpha","keyId":"9487fd0a-1a35-4eef-a218-5a8550be8c01","selected_subscription":"simulator-subscription","selected_subscription_key":"models-as-a-service/simulator-subscription@llm/facebook-opt-125m-simulated","subscription_error":"","subscription_error_message":"","subscription_info":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true},"userid":"alice_lead"}} {"level":"info","ts":"2026-06-11T15:10:18Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"b05aedd1-b9ec-4b7c-b1da-7ac6d4d91ee9","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-11T15:10:18Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"b05aedd1-b9ec-4b7c-b1da-7ac6d4d91ee9","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-11T15:10:18Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"ae62df9b-f5a6-4f62-aad9-c543a71b0530","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.11:59036","PortSpecifier":{"PortValue":59036}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.33:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"ae62df9b-f5a6-4f62-aad9-c543a71b0530","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.64ad4523-ae6b-421a-b3db-904e112cf5e6.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-11T15:10:18Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"ae62df9b-f5a6-4f62-aad9-c543a71b0530","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.11:59036","PortSpecifier":{"PortValue":59036}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.33:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781190618,"nanos":684653775},"http":{"id":"ae62df9b-f5a6-4f62-aad9-c543a71b0530","method":"POST","headers":{":authority":"maas.apps.64ad4523-ae6b-421a-b3db-904e112cf5e6.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-11T15:10:18Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"ae62df9b-f5a6-4f62-aad9-c543a71b0530","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781190918,"groups":["Engineering","Project-Alpha"],"iat":1781190618,"iss":"https://keycloak.apps.64ad4523-ae6b-421a-b3db-904e112cf5e6.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:deaaac94-a3e8-297b-2d62-41bd3e8415de","preferred_username":"alice_lead","scope":"email profile","sid":"pQliSRg3XfYevUo7iR29hS-C","sub":"b6822ec5-f143-4df2-b471-a36ae2c0c0a9","typ":"Bearer"}} {"level":"debug","ts":"2026-06-11T15:10:18Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"ae62df9b-f5a6-4f62-aad9-c543a71b0530","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781190918,"groups":["Engineering","Project-Alpha"],"iat":1781190618,"iss":"https://keycloak.apps.64ad4523-ae6b-421a-b3db-904e112cf5e6.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:deaaac94-a3e8-297b-2d62-41bd3e8415de","preferred_username":"alice_lead","scope":"email profile","sid":"pQliSRg3XfYevUo7iR29hS-C","sub":"b6822ec5-f143-4df2-b471-a36ae2c0c0a9","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.132.0.33:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.64ad4523-ae6b-421a-b3db-904e112cf5e6.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-11T15:10:18Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"ae62df9b-f5a6-4f62-aad9-c543a71b0530","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T15:10:18Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"ae62df9b-f5a6-4f62-aad9-c543a71b0530","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T15:10:18Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"ae62df9b-f5a6-4f62-aad9-c543a71b0530","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T15:10:18Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"ae62df9b-f5a6-4f62-aad9-c543a71b0530","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"groups","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"userid","Value":{}}]},"Plain":null},"reason":"no such key: metadata"} {"level":"debug","ts":"2026-06-11T15:10:18Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"ae62df9b-f5a6-4f62-aad9-c543a71b0530","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"} {"level":"debug","ts":"2026-06-11T15:10:18Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"ae62df9b-f5a6-4f62-aad9-c543a71b0530","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"} {"level":"info","ts":"2026-06-11T15:10:18Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"ae62df9b-f5a6-4f62-aad9-c543a71b0530","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-11T15:10:18Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"ae62df9b-f5a6-4f62-aad9-c543a71b0530","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-11T15:10:18Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"32f7d126-08fe-4713-8a7b-a913a4499428","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.11:59050","PortSpecifier":{"PortValue":59050}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.33:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"32f7d126-08fe-4713-8a7b-a913a4499428","method":"DELETE","path":"/maas-api/v1/api-keys/0ec59366-b2ba-4e8e-aa5e-533a440bb80a","host":"maas.apps.64ad4523-ae6b-421a-b3db-904e112cf5e6.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-11T15:10:18Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"32f7d126-08fe-4713-8a7b-a913a4499428","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.11:59050","PortSpecifier":{"PortValue":59050}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.33:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781190618,"nanos":724047978},"http":{"id":"32f7d126-08fe-4713-8a7b-a913a4499428","method":"DELETE","headers":{":authority":"maas.apps.64ad4523-ae6b-421a-b3db-904e112cf5e6.prod.konfluxeaas.com",":method":"DELETE",":path":"/maas-api/v1/api-keys/0ec59366-b2ba-4e8e-aa5e-533a440bb80a",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-11T15:10:18Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"32f7d126-08fe-4713-8a7b-a913a4499428","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781190918,"groups":["Engineering","Project-Alpha"],"iat":1781190618,"iss":"https://keycloak.apps.64ad4523-ae6b-421a-b3db-904e112cf5e6.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:deaaac94-a3e8-297b-2d62-41bd3e8415de","preferred_username":"alice_lead","scope":"email profile","sid":"pQliSRg3XfYevUo7iR29hS-C","sub":"b6822ec5-f143-4df2-b471-a36ae2c0c0a9","typ":"Bearer"}} {"level":"debug","ts":"2026-06-11T15:10:18Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"32f7d126-08fe-4713-8a7b-a913a4499428","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781190918,"groups":["Engineering","Project-Alpha"],"iat":1781190618,"iss":"https://keycloak.apps.64ad4523-ae6b-421a-b3db-904e112cf5e6.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:deaaac94-a3e8-297b-2d62-41bd3e8415de","preferred_username":"alice_lead","scope":"email profile","sid":"pQliSRg3XfYevUo7iR29hS-C","sub":"b6822ec5-f143-4df2-b471-a36ae2c0c0a9","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.132.0.33:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.64ad4523-ae6b-421a-b3db-904e112cf5e6.prod.konfluxeaas.com",":method":"DELETE",":path":"/maas-api/v1/api-keys/0ec59366-b2ba-4e8e-aa5e-533a440bb80a",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-11T15:10:18Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"32f7d126-08fe-4713-8a7b-a913a4499428","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T15:10:18Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"32f7d126-08fe-4713-8a7b-a913a4499428","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T15:10:18Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"32f7d126-08fe-4713-8a7b-a913a4499428","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T15:10:18Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"32f7d126-08fe-4713-8a7b-a913a4499428","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"groups","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"userid","Value":{}}]},"Plain":null},"reason":"no such key: metadata"} {"level":"debug","ts":"2026-06-11T15:10:18Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"32f7d126-08fe-4713-8a7b-a913a4499428","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"} {"level":"debug","ts":"2026-06-11T15:10:18Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"32f7d126-08fe-4713-8a7b-a913a4499428","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"} {"level":"info","ts":"2026-06-11T15:10:18Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"32f7d126-08fe-4713-8a7b-a913a4499428","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-11T15:10:18Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"32f7d126-08fe-4713-8a7b-a913a4499428","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-11T15:10:21Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"889ac702-783f-4dc5-a11c-2fc4a7480be0","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.11:45112","PortSpecifier":{"PortValue":45112}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.33:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"889ac702-783f-4dc5-a11c-2fc4a7480be0","method":"GET","path":"/maas-api/v1/models","host":"maas.apps.64ad4523-ae6b-421a-b3db-904e112cf5e6.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-11T15:10:21Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"889ac702-783f-4dc5-a11c-2fc4a7480be0","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.11:45112","PortSpecifier":{"PortValue":45112}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.33:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781190621,"nanos":765392733},"http":{"id":"889ac702-783f-4dc5-a11c-2fc4a7480be0","method":"GET","headers":{":authority":"maas.apps.64ad4523-ae6b-421a-b3db-904e112cf5e6.prod.konfluxeaas.com",":method":"GET",":path":"/maas-api/v1/models",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-11T15:10:21Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"889ac702-783f-4dc5-a11c-2fc4a7480be0","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-hAYJsTqilxkpEukJ_kWHZ7yXNEJxbsNQJk5Btbz8f63e5Eyi6sIkSkPzEMjf"} {"level":"debug","ts":"2026-06-11T15:10:21Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"889ac702-783f-4dc5-a11c-2fc4a7480be0","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-hAYJsTqilxkpEukJ_kWHZ7yXNEJxbsNQJk5Btbz8f63e5Eyi6sIkSkPzEMjf\"}"} {"level":"debug","ts":"2026-06-11T15:10:21Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"889ac702-783f-4dc5-a11c-2fc4a7480be0","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** revoked or expired","valid":false}} {"level":"debug","ts":"2026-06-11T15:10:21Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"889ac702-783f-4dc5-a11c-2fc4a7480be0","input":{"auth":{"identity":"Bearer **** revoked or expired","valid":false}}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.132.0.33:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.64ad4523-ae6b-421a-b3db-904e112cf5e6.prod.konfluxeaas.com",":method":"GET",":path":"/maas-api/v1/models",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-11T15:10:21Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"889ac702-783f-4dc5-a11c-2fc4a7480be0","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T15:10:21Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access denied","request id":"889ac702-783f-4dc5-a11c-2fc4a7480be0","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"reason":"Unauthorized"} {"level":"info","ts":"2026-06-11T15:10:21Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"889ac702-783f-4dc5-a11c-2fc4a7480be0","authorized":false,"response":"PERMISSION_DENIED","object":{"code":7,"status":403,"message":"Unauthorized"}} {"level":"debug","ts":"2026-06-11T15:10:21Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"889ac702-783f-4dc5-a11c-2fc4a7480be0","authorized":false,"response":"PERMISSION_DENIED","object":{"code":7,"status":403,"message":"Unauthorized","headers":[{"content-type":"text/plain"},{"x-ext-auth-reason":""}]}} {"level":"info","ts":"2026-06-11T15:10:21Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"12491fcb-2820-412c-a275-827327bd42cd","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.11:45128","PortSpecifier":{"PortValue":45128}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.33:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"12491fcb-2820-412c-a275-827327bd42cd","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.64ad4523-ae6b-421a-b3db-904e112cf5e6.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-11T15:10:21Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"12491fcb-2820-412c-a275-827327bd42cd","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.11:45128","PortSpecifier":{"PortValue":45128}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.33:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781190621,"nanos":911978091},"http":{"id":"12491fcb-2820-412c-a275-827327bd42cd","method":"POST","headers":{":authority":"maas.apps.64ad4523-ae6b-421a-b3db-904e112cf5e6.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-11T15:10:21Z","logger":"authorino.service.auth.authpipeline.identity","msg":"cannot validate identity","request id":"12491fcb-2820-412c-a275-827327bd42cd","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"reason":"failed to verify signature: failed to verify id token signature"} {"level":"debug","ts":"2026-06-11T15:10:21Z","logger":"authorino.service.auth.authpipeline.identity.kubernetesauth","msg":"calling kubernetes token review api","request id":"12491fcb-2820-412c-a275-827327bd42cd","tokenreview":{"name":""}} {"level":"debug","ts":"2026-06-11T15:10:21Z","logger":"authorino.service.auth.authpipeline.identity","msg":"cannot validate identity","request id":"12491fcb-2820-412c-a275-827327bd42cd","config":{"Name":"openshift-identities","Priority":2,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":null,"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"Plain":null,"Noop":null,"ExtendedProperties":[]},"reason":"not authenticated"} {"level":"info","ts":"2026-06-11T15:10:21Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"12491fcb-2820-412c-a275-827327bd42cd","authorized":false,"response":"UNAUTHENTICATED","object":{"code":16,"status":401,"message":"Authentication required"}} {"level":"debug","ts":"2026-06-11T15:10:21Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"12491fcb-2820-412c-a275-827327bd42cd","authorized":false,"response":"UNAUTHENTICATED","object":{"code":16,"status":401,"message":"Authentication required","headers":[{"WWW-Authenticate":"request.headers.authorization realm=\"api-keys\""},{"WWW-Authenticate":"Bearer **** realm=\"openshift-identities\""}]}} {"level":"info","ts":"2026-06-11T15:10:22Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"bc9e12dc-f072-4b5a-8857-f38fe08ea53d","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.11:45134","PortSpecifier":{"PortValue":45134}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.33:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"bc9e12dc-f072-4b5a-8857-f38fe08ea53d","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.64ad4523-ae6b-421a-b3db-904e112cf5e6.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-11T15:10:22Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"bc9e12dc-f072-4b5a-8857-f38fe08ea53d","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.11:45134","PortSpecifier":{"PortValue":45134}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.33:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781190622,"nanos":84249591},"http":{"id":"bc9e12dc-f072-4b5a-8857-f38fe08ea53d","method":"POST","headers":{":authority":"maas.apps.64ad4523-ae6b-421a-b3db-904e112cf5e6.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-11T15:10:22Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"bc9e12dc-f072-4b5a-8857-f38fe08ea53d","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781190921,"groups":["Engineering","Project-Alpha"],"iat":1781190621,"iss":"https://keycloak.apps.64ad4523-ae6b-421a-b3db-904e112cf5e6.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:12e83fb5-f2f6-566e-b0c8-029f19fb780d","preferred_username":"alice_lead","scope":"email profile","sid":"sCQlCceC51wUL5yFuSRuwsRu","sub":"b6822ec5-f143-4df2-b471-a36ae2c0c0a9","typ":"Bearer"}} {"level":"debug","ts":"2026-06-11T15:10:22Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"bc9e12dc-f072-4b5a-8857-f38fe08ea53d","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781190921,"groups":["Engineering","Project-Alpha"],"iat":1781190621,"iss":"https://keycloak.apps.64ad4523-ae6b-421a-b3db-904e112cf5e6.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:12e83fb5-f2f6-566e-b0c8-029f19fb780d","preferred_username":"alice_lead","scope":"email profile","sid":"sCQlCceC51wUL5yFuSRuwsRu","sub":"b6822ec5-f143-4df2-b471-a36ae2c0c0a9","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.132.0.33:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.64ad4523-ae6b-421a-b3db-904e112cf5e6.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-11T15:10:22Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"bc9e12dc-f072-4b5a-8857-f38fe08ea53d","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T15:10:22Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"bc9e12dc-f072-4b5a-8857-f38fe08ea53d","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T15:10:22Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"bc9e12dc-f072-4b5a-8857-f38fe08ea53d","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T15:10:22Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"bc9e12dc-f072-4b5a-8857-f38fe08ea53d","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"groups","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"userid","Value":{}}]},"Plain":null},"reason":"no such key: metadata"} {"level":"debug","ts":"2026-06-11T15:10:22Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"bc9e12dc-f072-4b5a-8857-f38fe08ea53d","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"} {"level":"debug","ts":"2026-06-11T15:10:22Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"bc9e12dc-f072-4b5a-8857-f38fe08ea53d","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"} {"level":"info","ts":"2026-06-11T15:10:22Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"bc9e12dc-f072-4b5a-8857-f38fe08ea53d","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-11T15:10:22Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"bc9e12dc-f072-4b5a-8857-f38fe08ea53d","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-11T15:10:22Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"cedbf8af-d33f-4db1-b65d-4719e9425328","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.11:45142","PortSpecifier":{"PortValue":45142}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.33:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"cedbf8af-d33f-4db1-b65d-4719e9425328","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.64ad4523-ae6b-421a-b3db-904e112cf5e6.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-11T15:10:22Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"cedbf8af-d33f-4db1-b65d-4719e9425328","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.11:45142","PortSpecifier":{"PortValue":45142}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.33:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781190622,"nanos":122164818},"http":{"id":"cedbf8af-d33f-4db1-b65d-4719e9425328","method":"POST","headers":{":authority":"maas.apps.64ad4523-ae6b-421a-b3db-904e112cf5e6.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-11T15:10:22Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"cedbf8af-d33f-4db1-b65d-4719e9425328","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781190922,"groups":["Site-Reliability"],"iat":1781190622,"iss":"https://keycloak.apps.64ad4523-ae6b-421a-b3db-904e112cf5e6.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:aa56f60f-8338-2184-85b0-75abe601af6a","preferred_username":"bob_sre","scope":"email profile","sid":"oG5-OQ3AgElWwRIWXzquYrKP","sub":"36e28809-e631-4920-8a68-c991f8abb568","typ":"Bearer"}} {"level":"debug","ts":"2026-06-11T15:10:22Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"cedbf8af-d33f-4db1-b65d-4719e9425328","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781190922,"groups":["Site-Reliability"],"iat":1781190622,"iss":"https://keycloak.apps.64ad4523-ae6b-421a-b3db-904e112cf5e6.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:aa56f60f-8338-2184-85b0-75abe601af6a","preferred_username":"bob_sre","scope":"email profile","sid":"oG5-OQ3AgElWwRIWXzquYrKP","sub":"36e28809-e631-4920-8a68-c991f8abb568","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.132.0.33:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.64ad4523-ae6b-421a-b3db-904e112cf5e6.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-11T15:10:22Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"cedbf8af-d33f-4db1-b65d-4719e9425328","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T15:10:22Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"cedbf8af-d33f-4db1-b65d-4719e9425328","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T15:10:22Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"cedbf8af-d33f-4db1-b65d-4719e9425328","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T15:10:22Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"cedbf8af-d33f-4db1-b65d-4719e9425328","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"groups","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"userid","Value":{}}]},"Plain":null},"reason":"no such key: metadata"} {"level":"debug","ts":"2026-06-11T15:10:22Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"cedbf8af-d33f-4db1-b65d-4719e9425328","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Site-Reliability\"]"} {"level":"debug","ts":"2026-06-11T15:10:22Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"cedbf8af-d33f-4db1-b65d-4719e9425328","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"bob_sre"} {"level":"info","ts":"2026-06-11T15:10:22Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"cedbf8af-d33f-4db1-b65d-4719e9425328","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-11T15:10:22Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"cedbf8af-d33f-4db1-b65d-4719e9425328","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-11T15:10:22Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"3447f639-fdb2-4dc7-b8fa-65b0641609df","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.11:45152","PortSpecifier":{"PortValue":45152}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.33:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"3447f639-fdb2-4dc7-b8fa-65b0641609df","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.64ad4523-ae6b-421a-b3db-904e112cf5e6.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-11T15:10:22Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"3447f639-fdb2-4dc7-b8fa-65b0641609df","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.11:45152","PortSpecifier":{"PortValue":45152}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.33:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781190622,"nanos":223460609},"http":{"id":"3447f639-fdb2-4dc7-b8fa-65b0641609df","method":"POST","headers":{":authority":"maas.apps.64ad4523-ae6b-421a-b3db-904e112cf5e6.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-11T15:10:22Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"3447f639-fdb2-4dc7-b8fa-65b0641609df","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781190922,"groups":["Engineering","Project-Alpha"],"iat":1781190622,"iss":"https://keycloak.apps.64ad4523-ae6b-421a-b3db-904e112cf5e6.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:ffee9d81-a7db-ce95-8964-5a2f942d5d7b","preferred_username":"alice_lead","scope":"email profile","sid":"TTRvXpVO5g_tZzH9KTbcCzGq","sub":"b6822ec5-f143-4df2-b471-a36ae2c0c0a9","typ":"Bearer"}} {"level":"debug","ts":"2026-06-11T15:10:22Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"3447f639-fdb2-4dc7-b8fa-65b0641609df","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781190922,"groups":["Engineering","Project-Alpha"],"iat":1781190622,"iss":"https://keycloak.apps.64ad4523-ae6b-421a-b3db-904e112cf5e6.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:ffee9d81-a7db-ce95-8964-5a2f942d5d7b","preferred_username":"alice_lead","scope":"email profile","sid":"TTRvXpVO5g_tZzH9KTbcCzGq","sub":"b6822ec5-f143-4df2-b471-a36ae2c0c0a9","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.132.0.33:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.64ad4523-ae6b-421a-b3db-904e112cf5e6.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-11T15:10:22Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"3447f639-fdb2-4dc7-b8fa-65b0641609df","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T15:10:22Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"3447f639-fdb2-4dc7-b8fa-65b0641609df","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T15:10:22Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"3447f639-fdb2-4dc7-b8fa-65b0641609df","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T15:10:22Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"3447f639-fdb2-4dc7-b8fa-65b0641609df","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"groups","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"userid","Value":{}}]},"Plain":null},"reason":"no such key: metadata"} {"level":"debug","ts":"2026-06-11T15:10:22Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"3447f639-fdb2-4dc7-b8fa-65b0641609df","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"} {"level":"debug","ts":"2026-06-11T15:10:22Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"3447f639-fdb2-4dc7-b8fa-65b0641609df","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"} {"level":"info","ts":"2026-06-11T15:10:22Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"3447f639-fdb2-4dc7-b8fa-65b0641609df","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-11T15:10:22Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"3447f639-fdb2-4dc7-b8fa-65b0641609df","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-11T15:10:22Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"835e0734-fe61-4ccc-ab30-9a2b36b074d2","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.11:45158","PortSpecifier":{"PortValue":45158}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.33:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"835e0734-fe61-4ccc-ab30-9a2b36b074d2","method":"DELETE","path":"/maas-api/v1/api-keys/61b62cea-c862-4098-8a69-4dfad57619e4","host":"maas.apps.64ad4523-ae6b-421a-b3db-904e112cf5e6.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-11T15:10:22Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"835e0734-fe61-4ccc-ab30-9a2b36b074d2","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.11:45158","PortSpecifier":{"PortValue":45158}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.33:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781190622,"nanos":258857362},"http":{"id":"835e0734-fe61-4ccc-ab30-9a2b36b074d2","method":"DELETE","headers":{":authority":"maas.apps.64ad4523-ae6b-421a-b3db-904e112cf5e6.prod.konfluxeaas.com",":method":"DELETE",":path":"/maas-api/v1/api-keys/61b62cea-c862-4098-8a69-4dfad57619e4",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-11T15:10:22Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"835e0734-fe61-4ccc-ab30-9a2b36b074d2","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781190922,"groups":["Engineering","Project-Alpha"],"iat":1781190622,"iss":"https://keycloak.apps.64ad4523-ae6b-421a-b3db-904e112cf5e6.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:ffee9d81-a7db-ce95-8964-5a2f942d5d7b","preferred_username":"alice_lead","scope":"email profile","sid":"TTRvXpVO5g_tZzH9KTbcCzGq","sub":"b6822ec5-f143-4df2-b471-a36ae2c0c0a9","typ":"Bearer"}} {"level":"debug","ts":"2026-06-11T15:10:22Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"835e0734-fe61-4ccc-ab30-9a2b36b074d2","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781190922,"groups":["Engineering","Project-Alpha"],"iat":1781190622,"iss":"https://keycloak.apps.64ad4523-ae6b-421a-b3db-904e112cf5e6.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:ffee9d81-a7db-ce95-8964-5a2f942d5d7b","preferred_username":"alice_lead","scope":"email profile","sid":"TTRvXpVO5g_tZzH9KTbcCzGq","sub":"b6822ec5-f143-4df2-b471-a36ae2c0c0a9","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.132.0.33:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.64ad4523-ae6b-421a-b3db-904e112cf5e6.prod.konfluxeaas.com",":method":"DELETE",":path":"/maas-api/v1/api-keys/61b62cea-c862-4098-8a69-4dfad57619e4",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-11T15:10:22Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"835e0734-fe61-4ccc-ab30-9a2b36b074d2","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T15:10:22Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"835e0734-fe61-4ccc-ab30-9a2b36b074d2","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T15:10:22Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"835e0734-fe61-4ccc-ab30-9a2b36b074d2","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T15:10:22Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"835e0734-fe61-4ccc-ab30-9a2b36b074d2","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"groups","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"userid","Value":{}}]},"Plain":null},"reason":"no such key: metadata"} {"level":"debug","ts":"2026-06-11T15:10:22Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"835e0734-fe61-4ccc-ab30-9a2b36b074d2","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"} {"level":"debug","ts":"2026-06-11T15:10:22Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"835e0734-fe61-4ccc-ab30-9a2b36b074d2","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"} {"level":"info","ts":"2026-06-11T15:10:22Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"835e0734-fe61-4ccc-ab30-9a2b36b074d2","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-11T15:10:22Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"835e0734-fe61-4ccc-ab30-9a2b36b074d2","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-11T15:10:22Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"4c33a06d-d239-49ed-97fc-a7d858a8b53e","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.11:45170","PortSpecifier":{"PortValue":45170}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.33:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"4c33a06d-d239-49ed-97fc-a7d858a8b53e","method":"DELETE","path":"/maas-api/v1/api-keys/61b62cea-c862-4098-8a69-4dfad57619e4","host":"maas.apps.64ad4523-ae6b-421a-b3db-904e112cf5e6.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-11T15:10:22Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"4c33a06d-d239-49ed-97fc-a7d858a8b53e","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.11:45170","PortSpecifier":{"PortValue":45170}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.33:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781190622,"nanos":290006086},"http":{"id":"4c33a06d-d239-49ed-97fc-a7d858a8b53e","method":"DELETE","headers":{":authority":"maas.apps.64ad4523-ae6b-421a-b3db-904e112cf5e6.prod.konfluxeaas.com",":method":"DELETE",":path":"/maas-api/v1/api-keys/61b62cea-c862-4098-8a69-4dfad57619e4",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-11T15:10:22Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"4c33a06d-d239-49ed-97fc-a7d858a8b53e","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781190922,"groups":["Engineering","Project-Alpha"],"iat":1781190622,"iss":"https://keycloak.apps.64ad4523-ae6b-421a-b3db-904e112cf5e6.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:ffee9d81-a7db-ce95-8964-5a2f942d5d7b","preferred_username":"alice_lead","scope":"email profile","sid":"TTRvXpVO5g_tZzH9KTbcCzGq","sub":"b6822ec5-f143-4df2-b471-a36ae2c0c0a9","typ":"Bearer"}} {"level":"debug","ts":"2026-06-11T15:10:22Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"4c33a06d-d239-49ed-97fc-a7d858a8b53e","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781190922,"groups":["Engineering","Project-Alpha"],"iat":1781190622,"iss":"https://keycloak.apps.64ad4523-ae6b-421a-b3db-904e112cf5e6.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:ffee9d81-a7db-ce95-8964-5a2f942d5d7b","preferred_username":"alice_lead","scope":"email profile","sid":"TTRvXpVO5g_tZzH9KTbcCzGq","sub":"b6822ec5-f143-4df2-b471-a36ae2c0c0a9","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.132.0.33:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.64ad4523-ae6b-421a-b3db-904e112cf5e6.prod.konfluxeaas.com",":method":"DELETE",":path":"/maas-api/v1/api-keys/61b62cea-c862-4098-8a69-4dfad57619e4",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-11T15:10:22Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"4c33a06d-d239-49ed-97fc-a7d858a8b53e","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T15:10:22Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"4c33a06d-d239-49ed-97fc-a7d858a8b53e","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T15:10:22Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"4c33a06d-d239-49ed-97fc-a7d858a8b53e","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T15:10:22Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"4c33a06d-d239-49ed-97fc-a7d858a8b53e","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"groups","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"userid","Value":{}}]},"Plain":null},"reason":"no such key: metadata"} {"level":"debug","ts":"2026-06-11T15:10:22Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"4c33a06d-d239-49ed-97fc-a7d858a8b53e","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"} {"level":"debug","ts":"2026-06-11T15:10:22Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"4c33a06d-d239-49ed-97fc-a7d858a8b53e","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"} {"level":"info","ts":"2026-06-11T15:10:22Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"4c33a06d-d239-49ed-97fc-a7d858a8b53e","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-11T15:10:22Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"4c33a06d-d239-49ed-97fc-a7d858a8b53e","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-11T15:10:22Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"379fefbe-bd53-4748-97fa-c8826e0001ed","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.11:45172","PortSpecifier":{"PortValue":45172}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.33:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"379fefbe-bd53-4748-97fa-c8826e0001ed","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.64ad4523-ae6b-421a-b3db-904e112cf5e6.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-11T15:10:22Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"379fefbe-bd53-4748-97fa-c8826e0001ed","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.11:45172","PortSpecifier":{"PortValue":45172}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.33:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781190622,"nanos":396978624},"http":{"id":"379fefbe-bd53-4748-97fa-c8826e0001ed","method":"POST","headers":{":authority":"maas.apps.64ad4523-ae6b-421a-b3db-904e112cf5e6.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-11T15:10:22Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"379fefbe-bd53-4748-97fa-c8826e0001ed","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781190922,"groups":["Engineering","Project-Alpha"],"iat":1781190622,"iss":"https://keycloak.apps.64ad4523-ae6b-421a-b3db-904e112cf5e6.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:3dd4a058-c9ca-d941-6b61-47941db96057","preferred_username":"alice_lead","scope":"email profile","sid":"JSwtJ2bLwibtPn4VItLwWck1","sub":"b6822ec5-f143-4df2-b471-a36ae2c0c0a9","typ":"Bearer"}} {"level":"debug","ts":"2026-06-11T15:10:22Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"379fefbe-bd53-4748-97fa-c8826e0001ed","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781190922,"groups":["Engineering","Project-Alpha"],"iat":1781190622,"iss":"https://keycloak.apps.64ad4523-ae6b-421a-b3db-904e112cf5e6.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:3dd4a058-c9ca-d941-6b61-47941db96057","preferred_username":"alice_lead","scope":"email profile","sid":"JSwtJ2bLwibtPn4VItLwWck1","sub":"b6822ec5-f143-4df2-b471-a36ae2c0c0a9","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.132.0.33:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.64ad4523-ae6b-421a-b3db-904e112cf5e6.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-11T15:10:22Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"379fefbe-bd53-4748-97fa-c8826e0001ed","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T15:10:22Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"379fefbe-bd53-4748-97fa-c8826e0001ed","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T15:10:22Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"379fefbe-bd53-4748-97fa-c8826e0001ed","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T15:10:22Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"379fefbe-bd53-4748-97fa-c8826e0001ed","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"groups","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"userid","Value":{}}]},"Plain":null},"reason":"no such key: metadata"} {"level":"debug","ts":"2026-06-11T15:10:22Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"379fefbe-bd53-4748-97fa-c8826e0001ed","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"} {"level":"debug","ts":"2026-06-11T15:10:22Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"379fefbe-bd53-4748-97fa-c8826e0001ed","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"} {"level":"info","ts":"2026-06-11T15:10:22Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"379fefbe-bd53-4748-97fa-c8826e0001ed","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-11T15:10:22Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"379fefbe-bd53-4748-97fa-c8826e0001ed","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-11T15:10:22Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"9f222be3-c9d9-41e4-82e1-050d44a3b6d9","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.11:45182","PortSpecifier":{"PortValue":45182}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.33:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"9f222be3-c9d9-41e4-82e1-050d44a3b6d9","method":"GET","path":"/maas-api/v1/models","host":"maas.apps.64ad4523-ae6b-421a-b3db-904e112cf5e6.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-11T15:10:22Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"9f222be3-c9d9-41e4-82e1-050d44a3b6d9","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.11:45182","PortSpecifier":{"PortValue":45182}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.33:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781190622,"nanos":431034473},"http":{"id":"9f222be3-c9d9-41e4-82e1-050d44a3b6d9","method":"GET","headers":{":authority":"maas.apps.64ad4523-ae6b-421a-b3db-904e112cf5e6.prod.konfluxeaas.com",":method":"GET",":path":"/maas-api/v1/models",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-11T15:10:22Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"9f222be3-c9d9-41e4-82e1-050d44a3b6d9","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-a2pv2QDuijXsxQaS_U1LcbKD2knN7XIu7CQJ7UMRjGGANLJ66i0KPCsNKkAU"} {"level":"debug","ts":"2026-06-11T15:10:22Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"9f222be3-c9d9-41e4-82e1-050d44a3b6d9","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-a2pv2QDuijXsxQaS_U1LcbKD2knN7XIu7CQJ7UMRjGGANLJ66i0KPCsNKkAU\"}"} {"level":"debug","ts":"2026-06-11T15:10:22Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"9f222be3-c9d9-41e4-82e1-050d44a3b6d9","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-11T15:10:22Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"9f222be3-c9d9-41e4-82e1-050d44a3b6d9","input":{"auth":{"identity":"Bearer **** deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-11T15:10:22Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"9f222be3-c9d9-41e4-82e1-050d44a3b6d9","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T15:10:22Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"9f222be3-c9d9-41e4-82e1-050d44a3b6d9","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T15:10:22Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"9f222be3-c9d9-41e4-82e1-050d44a3b6d9","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T15:10:22Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"9f222be3-c9d9-41e4-82e1-050d44a3b6d9","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-11T15:10:22Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"9f222be3-c9d9-41e4-82e1-050d44a3b6d9","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-11T15:10:22Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"9f222be3-c9d9-41e4-82e1-050d44a3b6d9","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"groups","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"userid","Value":{}}]},"Plain":null},"reason":"no such key: subscription-info"} {"level":"debug","ts":"2026-06-11T15:10:22Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"9f222be3-c9d9-41e4-82e1-050d44a3b6d9","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"} {"level":"info","ts":"2026-06-11T15:10:22Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"9f222be3-c9d9-41e4-82e1-050d44a3b6d9","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-11T15:10:22Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"9f222be3-c9d9-41e4-82e1-050d44a3b6d9","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-11T15:10:22Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"b1eb58ba-3547-4379-9e76-ea7162932957","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.41:40682","PortSpecifier":{"PortValue":40682}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.33:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"b1eb58ba-3547-4379-9e76-ea7162932957","method":"GET","path":"/llm/facebook-opt-125m-simulated/v1/models","host":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local","scheme":"https"}}}} {"level":"debug","ts":"2026-06-11T15:10:22Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"b1eb58ba-3547-4379-9e76-ea7162932957","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.41:40682","PortSpecifier":{"PortValue":40682}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.33:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781190622,"nanos":437991143},"http":{"id":"b1eb58ba-3547-4379-9e76-ea7162932957","method":"GET","headers":{":authority":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local",":method":"GET",":path":"/llm/facebook-opt-125m-simulated/v1/models",":scheme":"https","accept-encoding":"gzip","authorization":"Bearer **** {"level":"debug","ts":"2026-06-11T15:10:22Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"b1eb58ba-3547-4379-9e76-ea7162932957","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-a2pv2QDuijXsxQaS_U1LcbKD2knN7XIu7CQJ7UMRjGGANLJ66i0KPCsNKkAU"} {"level":"debug","ts":"2026-06-11T15:10:22Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"b1eb58ba-3547-4379-9e76-ea7162932957","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-a2pv2QDuijXsxQaS_U1LcbKD2knN7XIu7CQJ7UMRjGGANLJ66i0KPCsNKkAU\"}"} {"level":"debug","ts":"2026-06-11T15:10:22Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"b1eb58ba-3547-4379-9e76-ea7162932957","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-11T15:10:22Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"b1eb58ba-3547-4379-9e76-ea7162932957","config":"subscription-info","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","headers":{"Content-Type":["application/json"]},"body":"{\"groups\":[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"],\"requestedModel\":\"llm/facebook-opt-125m-simulated\",\"requestedSubscription\":\"simulator-subscription\",\"username\":\"alice_lead\"}"} {"level":"debug","ts":"2026-06-11T15:10:22Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"b1eb58ba-3547-4379-9e76-ea7162932957","config":{"Name":"subscription-info","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"UserInfo":null,"UMA":null,"GenericHTTP":{"Endpoint":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","DynamicEndpoint":null,"Method":"POST","Body":{},"Parameters":[],"Headers":[],"ContentType":"application/json","SharedSecret":"","OAuth2":null,"OAuth2TokenForceFetch":false,"AuthCredentials":null}},"object":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}} {"level":"debug","ts":"2026-06-11T15:10:22Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"b1eb58ba-3547-4379-9e76-ea7162932957","input":{"auth":{"identity":"Bearer **** subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}}},"context":{"context_extensions":{"host":"3dd75e19cd66d310c30638e330078972afd6d2d96305f91055bc6a6f363fb8d3"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.132.0.33:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local",":method":"GET",":path":"/llm/facebook-opt-125m-simulated/v1/models",":scheme":"https","accept-encoding":"gzip","authorization":"Bearer **** sk-oai-a2pv2QDuijXsxQaS_U1LcbKD2knN7XIu7CQJ7UMRjGGANLJ66i0KPCsNKkAU","user-agent":"Go-http-client/1.1","x-envoy-decorator-operation":"facebook-opt-125m-simulated-kserve-workload-svc.llm.svc.cluster.local:8000/*","x-envoy-external-address":"10.134.0.41","x-envoy-peer-metadata":"ChoKCkNMVVNURVJfSUQSDBoKS3ViZXJuZXRlcwqLAQoGTEFCRUxTEoABKn4KSwofc2VydmljZS5pc3Rpby5pby9jYW5vbmljYWwtbmFtZRIoGiZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAovCiNzZXJ2aWNlLmlzdGlvLmlvL2Nhbm9uaWNhbC1yZXZpc2lvbhIIGgZsYXRlc3QKQAoETkFNRRI4GjZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdC02ODdmZjY5OTYtaDY2YmwKIAoJTkFNRVNQQUNFEhMaEW9wZW5zaGlmdC1pbmdyZXNzCnQKBU9XTkVSEmsaaWt1YmVybmV0ZXM6Ly9hcGlzL2FwcHMvdjEvbmFtZXNwYWNlcy9vcGVuc2hpZnQtaW5ncmVzcy9kZXBsb3ltZW50cy9tYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAo5Cg1XT1JLTE9BRF9OQU1FEigaJm1hYXMtZGVmYXVsdC1nYXRld2F5LW9wZW5zaGlmdC1kZWZhdWx0","x-envoy-peer-metadata-id":"router~10.132.0.33~maas-default-gateway-openshift-default-687ff6996-h66bl.openshift-ingress~openshift-ingress.svc.cluster.local","x-forwarded-for":"10.134.0.41","x-forwarded-proto":"https","x-maas-subscription":"simulator-subscription","x-request-id":"b1eb58ba-3547-4379-9e76-ea7162932957"},"host":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local","id":"b1eb58ba-3547-4379-9e76-ea7162932957","method":"GET","path":"/llm/facebook-opt-125m-simulated/v1/models","protocol":"HTTP/1.1","scheme":"https","time":{"nanos":437991143,"seconds":1781190622},"url_path":"/llm/facebook-opt-125m-simulated/v1/models","user_agent":"Go-http-client/1.1"},"source":{"address":"10.134.0.41:40682","port":40682}}} {"level":"debug","ts":"2026-06-11T15:10:22Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"b1eb58ba-3547-4379-9e76-ea7162932957","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T15:10:22Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"b1eb58ba-3547-4379-9e76-ea7162932957","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T15:10:22Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"b1eb58ba-3547-4379-9e76-ea7162932957","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T15:10:22Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"b1eb58ba-3547-4379-9e76-ea7162932957","config":{"Name":"subscription-valid","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T15:10:22Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"b1eb58ba-3547-4379-9e76-ea7162932957","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-11T15:10:22Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"b1eb58ba-3547-4379-9e76-ea7162932957","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-11T15:10:22Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"b1eb58ba-3547-4379-9e76-ea7162932957","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"} {"level":"debug","ts":"2026-06-11T15:10:22Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"b1eb58ba-3547-4379-9e76-ea7162932957","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"groups","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"userid","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_error","Value":{}}]},"Plain":null},"object":{"groups":["system:authenticated","Engineering","Project-Alpha"],"groups_str":"system:authenticated,Engineering,Project-Alpha","keyId":"9a44b4e0-09b3-4fca-bb29-63c5f4f3a25d","selected_subscription":"simulator-subscription","selected_subscription_key":"models-as-a-service/simulator-subscription@llm/facebook-opt-125m-simulated","subscription_error":"","subscription_error_message":"","subscription_info":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true},"userid":"alice_lead"}} {"level":"info","ts":"2026-06-11T15:10:22Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"b1eb58ba-3547-4379-9e76-ea7162932957","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-11T15:10:22Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"b1eb58ba-3547-4379-9e76-ea7162932957","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-11T15:10:22Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"c1a9d61f-e3ef-49c0-8818-0456d25a6677","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.11:45188","PortSpecifier":{"PortValue":45188}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.33:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"c1a9d61f-e3ef-49c0-8818-0456d25a6677","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.64ad4523-ae6b-421a-b3db-904e112cf5e6.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-11T15:10:22Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"c1a9d61f-e3ef-49c0-8818-0456d25a6677","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.11:45188","PortSpecifier":{"PortValue":45188}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.33:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781190622,"nanos":539715183},"http":{"id":"c1a9d61f-e3ef-49c0-8818-0456d25a6677","method":"POST","headers":{":authority":"maas.apps.64ad4523-ae6b-421a-b3db-904e112cf5e6.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-11T15:10:22Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"c1a9d61f-e3ef-49c0-8818-0456d25a6677","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781190922,"groups":["Engineering","Project-Alpha"],"iat":1781190622,"iss":"https://keycloak.apps.64ad4523-ae6b-421a-b3db-904e112cf5e6.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:e8b188d7-ec36-dd5d-b3ad-58d9d7f96c8d","preferred_username":"alice_lead","scope":"email profile","sid":"nZJhGWbiF8DknmY4EGunVX-k","sub":"b6822ec5-f143-4df2-b471-a36ae2c0c0a9","typ":"Bearer"}} {"level":"debug","ts":"2026-06-11T15:10:22Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"c1a9d61f-e3ef-49c0-8818-0456d25a6677","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781190922,"groups":["Engineering","Project-Alpha"],"iat":1781190622,"iss":"https://keycloak.apps.64ad4523-ae6b-421a-b3db-904e112cf5e6.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:e8b188d7-ec36-dd5d-b3ad-58d9d7f96c8d","preferred_username":"alice_lead","scope":"email profile","sid":"nZJhGWbiF8DknmY4EGunVX-k","sub":"b6822ec5-f143-4df2-b471-a36ae2c0c0a9","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.132.0.33:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.64ad4523-ae6b-421a-b3db-904e112cf5e6.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-11T15:10:22Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"c1a9d61f-e3ef-49c0-8818-0456d25a6677","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T15:10:22Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"c1a9d61f-e3ef-49c0-8818-0456d25a6677","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T15:10:22Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"c1a9d61f-e3ef-49c0-8818-0456d25a6677","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T15:10:22Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"c1a9d61f-e3ef-49c0-8818-0456d25a6677","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"groups","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"userid","Value":{}}]},"Plain":null},"reason":"no such key: metadata"} {"level":"debug","ts":"2026-06-11T15:10:22Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"c1a9d61f-e3ef-49c0-8818-0456d25a6677","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"} {"level":"debug","ts":"2026-06-11T15:10:22Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"c1a9d61f-e3ef-49c0-8818-0456d25a6677","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"} {"level":"info","ts":"2026-06-11T15:10:22Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"c1a9d61f-e3ef-49c0-8818-0456d25a6677","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-11T15:10:22Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"c1a9d61f-e3ef-49c0-8818-0456d25a6677","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-11T15:10:22Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"f56aae5f-ea05-4eb9-9d02-c2c5d6665e36","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.11:45192","PortSpecifier":{"PortValue":45192}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.33:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"f56aae5f-ea05-4eb9-9d02-c2c5d6665e36","method":"GET","path":"/maas-api/v1/models","host":"maas.apps.64ad4523-ae6b-421a-b3db-904e112cf5e6.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-11T15:10:22Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"f56aae5f-ea05-4eb9-9d02-c2c5d6665e36","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.11:45192","PortSpecifier":{"PortValue":45192}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.33:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781190622,"nanos":572171012},"http":{"id":"f56aae5f-ea05-4eb9-9d02-c2c5d6665e36","method":"GET","headers":{":authority":"maas.apps.64ad4523-ae6b-421a-b3db-904e112cf5e6.prod.konfluxeaas.com",":method":"GET",":path":"/maas-api/v1/models",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-11T15:10:22Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"f56aae5f-ea05-4eb9-9d02-c2c5d6665e36","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-qz1hhciRd3nnQANI_NXJIyULQ7JNs6kPDvrSPJnksw3LPheydO0WJQ2SzJ9z"} {"level":"debug","ts":"2026-06-11T15:10:22Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"f56aae5f-ea05-4eb9-9d02-c2c5d6665e36","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-qz1hhciRd3nnQANI_NXJIyULQ7JNs6kPDvrSPJnksw3LPheydO0WJQ2SzJ9z\"}"} {"level":"debug","ts":"2026-06-11T15:10:22Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"f56aae5f-ea05-4eb9-9d02-c2c5d6665e36","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-11T15:10:22Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"f56aae5f-ea05-4eb9-9d02-c2c5d6665e36","input":{"auth":{"identity":"Bearer **** deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-11T15:10:22Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"f56aae5f-ea05-4eb9-9d02-c2c5d6665e36","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T15:10:22Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"f56aae5f-ea05-4eb9-9d02-c2c5d6665e36","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T15:10:22Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"f56aae5f-ea05-4eb9-9d02-c2c5d6665e36","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T15:10:22Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"f56aae5f-ea05-4eb9-9d02-c2c5d6665e36","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-11T15:10:22Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"f56aae5f-ea05-4eb9-9d02-c2c5d6665e36","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-11T15:10:22Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"f56aae5f-ea05-4eb9-9d02-c2c5d6665e36","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"groups","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"userid","Value":{}}]},"Plain":null},"reason":"no such key: subscription-info"} {"level":"debug","ts":"2026-06-11T15:10:22Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"f56aae5f-ea05-4eb9-9d02-c2c5d6665e36","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"} {"level":"info","ts":"2026-06-11T15:10:22Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"f56aae5f-ea05-4eb9-9d02-c2c5d6665e36","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-11T15:10:22Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"f56aae5f-ea05-4eb9-9d02-c2c5d6665e36","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-11T15:10:22Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"1799390f-ebc8-448b-be39-02e384fe3cfd","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.11:45196","PortSpecifier":{"PortValue":45196}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.33:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"1799390f-ebc8-448b-be39-02e384fe3cfd","method":"GET","path":"/maas-api/v1/models","host":"maas.apps.64ad4523-ae6b-421a-b3db-904e112cf5e6.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-11T15:10:22Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"1799390f-ebc8-448b-be39-02e384fe3cfd","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.11:45196","PortSpecifier":{"PortValue":45196}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.33:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781190622,"nanos":603620072},"http":{"id":"1799390f-ebc8-448b-be39-02e384fe3cfd","method":"GET","headers":{":authority":"maas.apps.64ad4523-ae6b-421a-b3db-904e112cf5e6.prod.konfluxeaas.com",":method":"GET",":path":"/maas-api/v1/models",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-11T15:10:22Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"1799390f-ebc8-448b-be39-02e384fe3cfd","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-qz1hhciRd3nnQANI_NXJIyULQ7JNs6kPDvrSPJnksw3LPheydO0WJQ2SzJ9z"} {"level":"debug","ts":"2026-06-11T15:10:22Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"1799390f-ebc8-448b-be39-02e384fe3cfd","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-qz1hhciRd3nnQANI_NXJIyULQ7JNs6kPDvrSPJnksw3LPheydO0WJQ2SzJ9z\"}"} {"level":"debug","ts":"2026-06-11T15:10:22Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"1799390f-ebc8-448b-be39-02e384fe3cfd","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-11T15:10:22Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"1799390f-ebc8-448b-be39-02e384fe3cfd","input":{"auth":{"identity":"Bearer **** deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-11T15:10:22Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"1799390f-ebc8-448b-be39-02e384fe3cfd","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T15:10:22Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"1799390f-ebc8-448b-be39-02e384fe3cfd","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T15:10:22Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"1799390f-ebc8-448b-be39-02e384fe3cfd","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T15:10:22Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"1799390f-ebc8-448b-be39-02e384fe3cfd","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-11T15:10:22Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"1799390f-ebc8-448b-be39-02e384fe3cfd","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-11T15:10:22Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"1799390f-ebc8-448b-be39-02e384fe3cfd","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"groups","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"userid","Value":{}}]},"Plain":null},"reason":"no such key: subscription-info"} {"level":"debug","ts":"2026-06-11T15:10:22Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"1799390f-ebc8-448b-be39-02e384fe3cfd","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"} {"level":"info","ts":"2026-06-11T15:10:22Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"1799390f-ebc8-448b-be39-02e384fe3cfd","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-11T15:10:22Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"1799390f-ebc8-448b-be39-02e384fe3cfd","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-11T15:10:22Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"90b6b597-137c-478b-8126-a976e61183dc","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.41:40682","PortSpecifier":{"PortValue":40682}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.33:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"90b6b597-137c-478b-8126-a976e61183dc","method":"GET","path":"/llm/facebook-opt-125m-simulated/v1/models","host":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local","scheme":"https"}}}} {"level":"debug","ts":"2026-06-11T15:10:22Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"90b6b597-137c-478b-8126-a976e61183dc","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.41:40682","PortSpecifier":{"PortValue":40682}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.33:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781190622,"nanos":611368696},"http":{"id":"90b6b597-137c-478b-8126-a976e61183dc","method":"GET","headers":{":authority":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local",":method":"GET",":path":"/llm/facebook-opt-125m-simulated/v1/models",":scheme":"https","accept-encoding":"gzip","authorization":"Bearer **** {"level":"debug","ts":"2026-06-11T15:10:22Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"90b6b597-137c-478b-8126-a976e61183dc","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-qz1hhciRd3nnQANI_NXJIyULQ7JNs6kPDvrSPJnksw3LPheydO0WJQ2SzJ9z"} {"level":"debug","ts":"2026-06-11T15:10:22Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"90b6b597-137c-478b-8126-a976e61183dc","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-qz1hhciRd3nnQANI_NXJIyULQ7JNs6kPDvrSPJnksw3LPheydO0WJQ2SzJ9z\"}"} {"level":"debug","ts":"2026-06-11T15:10:22Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"90b6b597-137c-478b-8126-a976e61183dc","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-11T15:10:22Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"90b6b597-137c-478b-8126-a976e61183dc","config":"subscription-info","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","headers":{"Content-Type":["application/json"]},"body":"{\"groups\":[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"],\"requestedModel\":\"llm/facebook-opt-125m-simulated\",\"requestedSubscription\":\"simulator-subscription\",\"username\":\"alice_lead\"}"} {"level":"debug","ts":"2026-06-11T15:10:22Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"90b6b597-137c-478b-8126-a976e61183dc","config":{"Name":"subscription-info","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"UserInfo":null,"UMA":null,"GenericHTTP":{"Endpoint":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","DynamicEndpoint":null,"Method":"POST","Body":{},"Parameters":[],"Headers":[],"ContentType":"application/json","SharedSecret":"","OAuth2":null,"OAuth2TokenForceFetch":false,"AuthCredentials":null}},"object":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}} {"level":"debug","ts":"2026-06-11T15:10:22Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"90b6b597-137c-478b-8126-a976e61183dc","input":{"auth":{"identity":"Bearer **** subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}}},"context":{"context_extensions":{"host":"3dd75e19cd66d310c30638e330078972afd6d2d96305f91055bc6a6f363fb8d3"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.132.0.33:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local",":method":"GET",":path":"/llm/facebook-opt-125m-simulated/v1/models",":scheme":"https","accept-encoding":"gzip","authorization":"Bearer **** sk-oai-qz1hhciRd3nnQANI_NXJIyULQ7JNs6kPDvrSPJnksw3LPheydO0WJQ2SzJ9z","user-agent":"Go-http-client/1.1","x-envoy-decorator-operation":"facebook-opt-125m-simulated-kserve-workload-svc.llm.svc.cluster.local:8000/*","x-envoy-external-address":"10.134.0.41","x-envoy-peer-metadata":"ChoKCkNMVVNURVJfSUQSDBoKS3ViZXJuZXRlcwqLAQoGTEFCRUxTEoABKn4KSwofc2VydmljZS5pc3Rpby5pby9jYW5vbmljYWwtbmFtZRIoGiZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAovCiNzZXJ2aWNlLmlzdGlvLmlvL2Nhbm9uaWNhbC1yZXZpc2lvbhIIGgZsYXRlc3QKQAoETkFNRRI4GjZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdC02ODdmZjY5OTYtaDY2YmwKIAoJTkFNRVNQQUNFEhMaEW9wZW5zaGlmdC1pbmdyZXNzCnQKBU9XTkVSEmsaaWt1YmVybmV0ZXM6Ly9hcGlzL2FwcHMvdjEvbmFtZXNwYWNlcy9vcGVuc2hpZnQtaW5ncmVzcy9kZXBsb3ltZW50cy9tYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAo5Cg1XT1JLTE9BRF9OQU1FEigaJm1hYXMtZGVmYXVsdC1nYXRld2F5LW9wZW5zaGlmdC1kZWZhdWx0","x-envoy-peer-metadata-id":"router~10.132.0.33~maas-default-gateway-openshift-default-687ff6996-h66bl.openshift-ingress~openshift-ingress.svc.cluster.local","x-forwarded-for":"10.134.0.41","x-forwarded-proto":"https","x-maas-subscription":"simulator-subscription","x-request-id":"90b6b597-137c-478b-8126-a976e61183dc"},"host":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local","id":"90b6b597-137c-478b-8126-a976e61183dc","method":"GET","path":"/llm/facebook-opt-125m-simulated/v1/models","protocol":"HTTP/1.1","scheme":"https","time":{"nanos":611368696,"seconds":1781190622},"url_path":"/llm/facebook-opt-125m-simulated/v1/models","user_agent":"Go-http-client/1.1"},"source":{"address":"10.134.0.41:40682","port":40682}}} {"level":"debug","ts":"2026-06-11T15:10:22Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"90b6b597-137c-478b-8126-a976e61183dc","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T15:10:22Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"90b6b597-137c-478b-8126-a976e61183dc","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T15:10:22Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"90b6b597-137c-478b-8126-a976e61183dc","config":{"Name":"subscription-valid","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T15:10:22Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"90b6b597-137c-478b-8126-a976e61183dc","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T15:10:22Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"90b6b597-137c-478b-8126-a976e61183dc","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-11T15:10:22Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"90b6b597-137c-478b-8126-a976e61183dc","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-11T15:10:22Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"90b6b597-137c-478b-8126-a976e61183dc","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"} {"level":"debug","ts":"2026-06-11T15:10:22Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"90b6b597-137c-478b-8126-a976e61183dc","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"groups","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"userid","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_error","Value":{}}]},"Plain":null},"object":{"groups":["system:authenticated","Engineering","Project-Alpha"],"groups_str":"system:authenticated,Engineering,Project-Alpha","keyId":"d0adc58f-3eaf-40d8-a826-ffded8710274","selected_subscription":"simulator-subscription","selected_subscription_key":"models-as-a-service/simulator-subscription@llm/facebook-opt-125m-simulated","subscription_error":"","subscription_error_message":"","subscription_info":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true},"userid":"alice_lead"}} {"level":"info","ts":"2026-06-11T15:10:22Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"90b6b597-137c-478b-8126-a976e61183dc","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-11T15:10:22Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"90b6b597-137c-478b-8126-a976e61183dc","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-11T15:10:22Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"216859e9-4365-4976-ad63-05968aba4725","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.11:45198","PortSpecifier":{"PortValue":45198}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.33:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"216859e9-4365-4976-ad63-05968aba4725","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.64ad4523-ae6b-421a-b3db-904e112cf5e6.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-11T15:10:22Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"216859e9-4365-4976-ad63-05968aba4725","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.11:45198","PortSpecifier":{"PortValue":45198}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.33:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781190622,"nanos":715268389},"http":{"id":"216859e9-4365-4976-ad63-05968aba4725","method":"POST","headers":{":authority":"maas.apps.64ad4523-ae6b-421a-b3db-904e112cf5e6.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-11T15:10:22Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"216859e9-4365-4976-ad63-05968aba4725","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781190922,"groups":["Engineering","Project-Alpha"],"iat":1781190622,"iss":"https://keycloak.apps.64ad4523-ae6b-421a-b3db-904e112cf5e6.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:56d5c059-1bb2-c01d-dedf-90dcb3a5a11b","preferred_username":"alice_lead","scope":"email profile","sid":"WtoAslXjKVBadUcnZqZgiKXj","sub":"b6822ec5-f143-4df2-b471-a36ae2c0c0a9","typ":"Bearer"}} {"level":"debug","ts":"2026-06-11T15:10:22Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"216859e9-4365-4976-ad63-05968aba4725","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781190922,"groups":["Engineering","Project-Alpha"],"iat":1781190622,"iss":"https://keycloak.apps.64ad4523-ae6b-421a-b3db-904e112cf5e6.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:56d5c059-1bb2-c01d-dedf-90dcb3a5a11b","preferred_username":"alice_lead","scope":"email profile","sid":"WtoAslXjKVBadUcnZqZgiKXj","sub":"b6822ec5-f143-4df2-b471-a36ae2c0c0a9","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.132.0.33:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.64ad4523-ae6b-421a-b3db-904e112cf5e6.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-11T15:10:22Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"216859e9-4365-4976-ad63-05968aba4725","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T15:10:22Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"216859e9-4365-4976-ad63-05968aba4725","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T15:10:22Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"216859e9-4365-4976-ad63-05968aba4725","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T15:10:22Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"216859e9-4365-4976-ad63-05968aba4725","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"groups","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"userid","Value":{}}]},"Plain":null},"reason":"no such key: metadata"} {"level":"debug","ts":"2026-06-11T15:10:22Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"216859e9-4365-4976-ad63-05968aba4725","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"} {"level":"debug","ts":"2026-06-11T15:10:22Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"216859e9-4365-4976-ad63-05968aba4725","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"} {"level":"info","ts":"2026-06-11T15:10:22Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"216859e9-4365-4976-ad63-05968aba4725","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-11T15:10:22Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"216859e9-4365-4976-ad63-05968aba4725","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-11T15:10:22Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"3f3159cc-9d76-4346-bc7e-d0fcac9b274e","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.11:45208","PortSpecifier":{"PortValue":45208}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.33:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"3f3159cc-9d76-4346-bc7e-d0fcac9b274e","method":"GET","path":"/maas-api/v1/models","host":"maas.apps.64ad4523-ae6b-421a-b3db-904e112cf5e6.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-11T15:10:22Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"3f3159cc-9d76-4346-bc7e-d0fcac9b274e","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.11:45208","PortSpecifier":{"PortValue":45208}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.33:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781190622,"nanos":750536878},"http":{"id":"3f3159cc-9d76-4346-bc7e-d0fcac9b274e","method":"GET","headers":{":authority":"maas.apps.64ad4523-ae6b-421a-b3db-904e112cf5e6.prod.konfluxeaas.com",":method":"GET",":path":"/maas-api/v1/models",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-11T15:10:22Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"3f3159cc-9d76-4346-bc7e-d0fcac9b274e","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-1RYNJfhNaqtCdkquH_BZS1rTwgNE9mBGlDP0dXnB4LXQNFMf7InhW4QVpPfaZ"} {"level":"debug","ts":"2026-06-11T15:10:22Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"3f3159cc-9d76-4346-bc7e-d0fcac9b274e","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-1RYNJfhNaqtCdkquH_BZS1rTwgNE9mBGlDP0dXnB4LXQNFMf7InhW4QVpPfaZ\"}"} {"level":"debug","ts":"2026-06-11T15:10:22Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"3f3159cc-9d76-4346-bc7e-d0fcac9b274e","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-11T15:10:22Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"3f3159cc-9d76-4346-bc7e-d0fcac9b274e","input":{"auth":{"identity":"Bearer **** deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-11T15:10:22Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"3f3159cc-9d76-4346-bc7e-d0fcac9b274e","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T15:10:22Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"3f3159cc-9d76-4346-bc7e-d0fcac9b274e","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T15:10:22Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"3f3159cc-9d76-4346-bc7e-d0fcac9b274e","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T15:10:22Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"3f3159cc-9d76-4346-bc7e-d0fcac9b274e","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-11T15:10:22Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"3f3159cc-9d76-4346-bc7e-d0fcac9b274e","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-11T15:10:22Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"3f3159cc-9d76-4346-bc7e-d0fcac9b274e","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"groups","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"userid","Value":{}}]},"Plain":null},"reason":"no such key: subscription-info"} {"level":"debug","ts":"2026-06-11T15:10:22Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"3f3159cc-9d76-4346-bc7e-d0fcac9b274e","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"} {"level":"info","ts":"2026-06-11T15:10:22Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"3f3159cc-9d76-4346-bc7e-d0fcac9b274e","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-11T15:10:22Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"3f3159cc-9d76-4346-bc7e-d0fcac9b274e","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-11T15:10:22Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"6b66ce37-9f31-4708-b537-21de2353e902","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.41:40682","PortSpecifier":{"PortValue":40682}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.33:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"6b66ce37-9f31-4708-b537-21de2353e902","method":"GET","path":"/llm/facebook-opt-125m-simulated/v1/models","host":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local","scheme":"https"}}}} {"level":"debug","ts":"2026-06-11T15:10:22Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"6b66ce37-9f31-4708-b537-21de2353e902","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.41:40682","PortSpecifier":{"PortValue":40682}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.33:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781190622,"nanos":757527071},"http":{"id":"6b66ce37-9f31-4708-b537-21de2353e902","method":"GET","headers":{":authority":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local",":method":"GET",":path":"/llm/facebook-opt-125m-simulated/v1/models",":scheme":"https","accept-encoding":"gzip","authorization":"Bearer **** {"level":"debug","ts":"2026-06-11T15:10:22Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"6b66ce37-9f31-4708-b537-21de2353e902","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-1RYNJfhNaqtCdkquH_BZS1rTwgNE9mBGlDP0dXnB4LXQNFMf7InhW4QVpPfaZ"} {"level":"debug","ts":"2026-06-11T15:10:22Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"6b66ce37-9f31-4708-b537-21de2353e902","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-1RYNJfhNaqtCdkquH_BZS1rTwgNE9mBGlDP0dXnB4LXQNFMf7InhW4QVpPfaZ\"}"} {"level":"debug","ts":"2026-06-11T15:10:22Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"6b66ce37-9f31-4708-b537-21de2353e902","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-11T15:10:22Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"6b66ce37-9f31-4708-b537-21de2353e902","config":"subscription-info","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","headers":{"Content-Type":["application/json"]},"body":"{\"groups\":[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"],\"requestedModel\":\"llm/facebook-opt-125m-simulated\",\"requestedSubscription\":\"simulator-subscription\",\"username\":\"alice_lead\"}"} {"level":"debug","ts":"2026-06-11T15:10:22Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"6b66ce37-9f31-4708-b537-21de2353e902","config":{"Name":"subscription-info","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"UserInfo":null,"UMA":null,"GenericHTTP":{"Endpoint":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","DynamicEndpoint":null,"Method":"POST","Body":{},"Parameters":[],"Headers":[],"ContentType":"application/json","SharedSecret":"","OAuth2":null,"OAuth2TokenForceFetch":false,"AuthCredentials":null}},"object":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}} {"level":"debug","ts":"2026-06-11T15:10:22Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"6b66ce37-9f31-4708-b537-21de2353e902","input":{"auth":{"identity":"Bearer **** subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}}},"context":{"context_extensions":{"host":"3dd75e19cd66d310c30638e330078972afd6d2d96305f91055bc6a6f363fb8d3"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.132.0.33:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local",":method":"GET",":path":"/llm/facebook-opt-125m-simulated/v1/models",":scheme":"https","accept-encoding":"gzip","authorization":"Bearer **** sk-oai-1RYNJfhNaqtCdkquH_BZS1rTwgNE9mBGlDP0dXnB4LXQNFMf7InhW4QVpPfaZ","user-agent":"Go-http-client/1.1","x-envoy-decorator-operation":"facebook-opt-125m-simulated-kserve-workload-svc.llm.svc.cluster.local:8000/*","x-envoy-external-address":"10.134.0.41","x-envoy-peer-metadata":"ChoKCkNMVVNURVJfSUQSDBoKS3ViZXJuZXRlcwqLAQoGTEFCRUxTEoABKn4KSwofc2VydmljZS5pc3Rpby5pby9jYW5vbmljYWwtbmFtZRIoGiZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAovCiNzZXJ2aWNlLmlzdGlvLmlvL2Nhbm9uaWNhbC1yZXZpc2lvbhIIGgZsYXRlc3QKQAoETkFNRRI4GjZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdC02ODdmZjY5OTYtaDY2YmwKIAoJTkFNRVNQQUNFEhMaEW9wZW5zaGlmdC1pbmdyZXNzCnQKBU9XTkVSEmsaaWt1YmVybmV0ZXM6Ly9hcGlzL2FwcHMvdjEvbmFtZXNwYWNlcy9vcGVuc2hpZnQtaW5ncmVzcy9kZXBsb3ltZW50cy9tYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAo5Cg1XT1JLTE9BRF9OQU1FEigaJm1hYXMtZGVmYXVsdC1nYXRld2F5LW9wZW5zaGlmdC1kZWZhdWx0","x-envoy-peer-metadata-id":"router~10.132.0.33~maas-default-gateway-openshift-default-687ff6996-h66bl.openshift-ingress~openshift-ingress.svc.cluster.local","x-forwarded-for":"10.134.0.41","x-forwarded-proto":"https","x-maas-subscription":"simulator-subscription","x-request-id":"6b66ce37-9f31-4708-b537-21de2353e902"},"host":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local","id":"6b66ce37-9f31-4708-b537-21de2353e902","method":"GET","path":"/llm/facebook-opt-125m-simulated/v1/models","protocol":"HTTP/1.1","scheme":"https","time":{"nanos":757527071,"seconds":1781190622},"url_path":"/llm/facebook-opt-125m-simulated/v1/models","user_agent":"Go-http-client/1.1"},"source":{"address":"10.134.0.41:40682","port":40682}}} {"level":"debug","ts":"2026-06-11T15:10:22Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"6b66ce37-9f31-4708-b537-21de2353e902","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T15:10:22Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"6b66ce37-9f31-4708-b537-21de2353e902","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T15:10:22Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"6b66ce37-9f31-4708-b537-21de2353e902","config":{"Name":"subscription-valid","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T15:10:22Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"6b66ce37-9f31-4708-b537-21de2353e902","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T15:10:22Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"6b66ce37-9f31-4708-b537-21de2353e902","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-11T15:10:22Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"6b66ce37-9f31-4708-b537-21de2353e902","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-11T15:10:22Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"6b66ce37-9f31-4708-b537-21de2353e902","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"} {"level":"debug","ts":"2026-06-11T15:10:22Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"6b66ce37-9f31-4708-b537-21de2353e902","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"groups","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"userid","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_error","Value":{}}]},"Plain":null},"object":{"groups":["system:authenticated","Engineering","Project-Alpha"],"groups_str":"system:authenticated,Engineering,Project-Alpha","keyId":"2e5203cc-fa44-4d2a-a9ff-c5aa23cff807","selected_subscription":"simulator-subscription","selected_subscription_key":"models-as-a-service/simulator-subscription@llm/facebook-opt-125m-simulated","subscription_error":"","subscription_error_message":"","subscription_info":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true},"userid":"alice_lead"}} {"level":"info","ts":"2026-06-11T15:10:22Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"6b66ce37-9f31-4708-b537-21de2353e902","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-11T15:10:22Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"6b66ce37-9f31-4708-b537-21de2353e902","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-11T15:10:22Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"e5a902a7-cd2e-42ee-97ad-35fa9de975ca","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.11:45220","PortSpecifier":{"PortValue":45220}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.33:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"e5a902a7-cd2e-42ee-97ad-35fa9de975ca","method":"GET","path":"/maas-api/v1/models","host":"maas.apps.64ad4523-ae6b-421a-b3db-904e112cf5e6.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-11T15:10:22Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"e5a902a7-cd2e-42ee-97ad-35fa9de975ca","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.11:45220","PortSpecifier":{"PortValue":45220}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.33:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781190622,"nanos":796395716},"http":{"id":"e5a902a7-cd2e-42ee-97ad-35fa9de975ca","method":"GET","headers":{":authority":"maas.apps.64ad4523-ae6b-421a-b3db-904e112cf5e6.prod.konfluxeaas.com",":method":"GET",":path":"/maas-api/v1/models",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-11T15:10:22Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"e5a902a7-cd2e-42ee-97ad-35fa9de975ca","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-1RYNJfhNaqtCdkquH_BZS1rTwgNE9mBGlDP0dXnB4LXQNFMf7InhW4QVpPfaZ"} {"level":"debug","ts":"2026-06-11T15:10:22Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"e5a902a7-cd2e-42ee-97ad-35fa9de975ca","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-1RYNJfhNaqtCdkquH_BZS1rTwgNE9mBGlDP0dXnB4LXQNFMf7InhW4QVpPfaZ\"}"} {"level":"debug","ts":"2026-06-11T15:10:22Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"e5a902a7-cd2e-42ee-97ad-35fa9de975ca","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-11T15:10:22Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"e5a902a7-cd2e-42ee-97ad-35fa9de975ca","input":{"auth":{"identity":"Bearer **** deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-11T15:10:22Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"e5a902a7-cd2e-42ee-97ad-35fa9de975ca","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T15:10:22Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"e5a902a7-cd2e-42ee-97ad-35fa9de975ca","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T15:10:22Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"e5a902a7-cd2e-42ee-97ad-35fa9de975ca","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T15:10:22Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"e5a902a7-cd2e-42ee-97ad-35fa9de975ca","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-11T15:10:22Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"e5a902a7-cd2e-42ee-97ad-35fa9de975ca","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-11T15:10:22Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"e5a902a7-cd2e-42ee-97ad-35fa9de975ca","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"groups","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"userid","Value":{}}]},"Plain":null},"reason":"no such key: subscription-info"} {"level":"debug","ts":"2026-06-11T15:10:22Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"e5a902a7-cd2e-42ee-97ad-35fa9de975ca","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"} {"level":"info","ts":"2026-06-11T15:10:22Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"e5a902a7-cd2e-42ee-97ad-35fa9de975ca","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-11T15:10:22Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"e5a902a7-cd2e-42ee-97ad-35fa9de975ca","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-11T15:10:22Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"a2d07520-f606-4f60-9bb2-a50e2ca23f03","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.41:40682","PortSpecifier":{"PortValue":40682}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.33:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"a2d07520-f606-4f60-9bb2-a50e2ca23f03","method":"GET","path":"/llm/facebook-opt-125m-simulated/v1/models","host":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local","scheme":"https"}}}} {"level":"debug","ts":"2026-06-11T15:10:22Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"a2d07520-f606-4f60-9bb2-a50e2ca23f03","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.41:40682","PortSpecifier":{"PortValue":40682}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.33:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781190622,"nanos":803686120},"http":{"id":"a2d07520-f606-4f60-9bb2-a50e2ca23f03","method":"GET","headers":{":authority":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local",":method":"GET",":path":"/llm/facebook-opt-125m-simulated/v1/models",":scheme":"https","accept-encoding":"gzip","authorization":"Bearer **** {"level":"debug","ts":"2026-06-11T15:10:22Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"a2d07520-f606-4f60-9bb2-a50e2ca23f03","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-1RYNJfhNaqtCdkquH_BZS1rTwgNE9mBGlDP0dXnB4LXQNFMf7InhW4QVpPfaZ"} {"level":"debug","ts":"2026-06-11T15:10:22Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"a2d07520-f606-4f60-9bb2-a50e2ca23f03","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-1RYNJfhNaqtCdkquH_BZS1rTwgNE9mBGlDP0dXnB4LXQNFMf7InhW4QVpPfaZ\"}"} {"level":"debug","ts":"2026-06-11T15:10:22Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"a2d07520-f606-4f60-9bb2-a50e2ca23f03","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-11T15:10:22Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"a2d07520-f606-4f60-9bb2-a50e2ca23f03","config":"subscription-info","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","headers":{"Content-Type":["application/json"]},"body":"{\"groups\":[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"],\"requestedModel\":\"llm/facebook-opt-125m-simulated\",\"requestedSubscription\":\"simulator-subscription\",\"username\":\"alice_lead\"}"} {"level":"debug","ts":"2026-06-11T15:10:22Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"a2d07520-f606-4f60-9bb2-a50e2ca23f03","config":{"Name":"subscription-info","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"UserInfo":null,"UMA":null,"GenericHTTP":{"Endpoint":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","DynamicEndpoint":null,"Method":"POST","Body":{},"Parameters":[],"Headers":[],"ContentType":"application/json","SharedSecret":"","OAuth2":null,"OAuth2TokenForceFetch":false,"AuthCredentials":null}},"object":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}} {"level":"debug","ts":"2026-06-11T15:10:22Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"a2d07520-f606-4f60-9bb2-a50e2ca23f03","input":{"auth":{"identity":"Bearer **** subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}}},"context":{"context_extensions":{"host":"3dd75e19cd66d310c30638e330078972afd6d2d96305f91055bc6a6f363fb8d3"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.132.0.33:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local",":method":"GET",":path":"/llm/facebook-opt-125m-simulated/v1/models",":scheme":"https","accept-encoding":"gzip","authorization":"Bearer **** sk-oai-1RYNJfhNaqtCdkquH_BZS1rTwgNE9mBGlDP0dXnB4LXQNFMf7InhW4QVpPfaZ","user-agent":"Go-http-client/1.1","x-envoy-decorator-operation":"facebook-opt-125m-simulated-kserve-workload-svc.llm.svc.cluster.local:8000/*","x-envoy-external-address":"10.134.0.41","x-envoy-peer-metadata":"ChoKCkNMVVNURVJfSUQSDBoKS3ViZXJuZXRlcwqLAQoGTEFCRUxTEoABKn4KSwofc2VydmljZS5pc3Rpby5pby9jYW5vbmljYWwtbmFtZRIoGiZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAovCiNzZXJ2aWNlLmlzdGlvLmlvL2Nhbm9uaWNhbC1yZXZpc2lvbhIIGgZsYXRlc3QKQAoETkFNRRI4GjZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdC02ODdmZjY5OTYtaDY2YmwKIAoJTkFNRVNQQUNFEhMaEW9wZW5zaGlmdC1pbmdyZXNzCnQKBU9XTkVSEmsaaWt1YmVybmV0ZXM6Ly9hcGlzL2FwcHMvdjEvbmFtZXNwYWNlcy9vcGVuc2hpZnQtaW5ncmVzcy9kZXBsb3ltZW50cy9tYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAo5Cg1XT1JLTE9BRF9OQU1FEigaJm1hYXMtZGVmYXVsdC1nYXRld2F5LW9wZW5zaGlmdC1kZWZhdWx0","x-envoy-peer-metadata-id":"router~10.132.0.33~maas-default-gateway-openshift-default-687ff6996-h66bl.openshift-ingress~openshift-ingress.svc.cluster.local","x-forwarded-for":"10.134.0.41","x-forwarded-proto":"https","x-maas-subscription":"simulator-subscription","x-request-id":"a2d07520-f606-4f60-9bb2-a50e2ca23f03"},"host":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local","id":"a2d07520-f606-4f60-9bb2-a50e2ca23f03","method":"GET","path":"/llm/facebook-opt-125m-simulated/v1/models","protocol":"HTTP/1.1","scheme":"https","time":{"nanos":803686120,"seconds":1781190622},"url_path":"/llm/facebook-opt-125m-simulated/v1/models","user_agent":"Go-http-client/1.1"},"source":{"address":"10.134.0.41:40682","port":40682}}} {"level":"debug","ts":"2026-06-11T15:10:22Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"a2d07520-f606-4f60-9bb2-a50e2ca23f03","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T15:10:22Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"a2d07520-f606-4f60-9bb2-a50e2ca23f03","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T15:10:22Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"a2d07520-f606-4f60-9bb2-a50e2ca23f03","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T15:10:22Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"a2d07520-f606-4f60-9bb2-a50e2ca23f03","config":{"Name":"subscription-valid","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T15:10:22Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"a2d07520-f606-4f60-9bb2-a50e2ca23f03","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-11T15:10:22Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"a2d07520-f606-4f60-9bb2-a50e2ca23f03","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-11T15:10:22Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"a2d07520-f606-4f60-9bb2-a50e2ca23f03","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"} {"level":"debug","ts":"2026-06-11T15:10:22Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"a2d07520-f606-4f60-9bb2-a50e2ca23f03","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"groups","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"userid","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_error","Value":{}}]},"Plain":null},"object":{"groups":["system:authenticated","Engineering","Project-Alpha"],"groups_str":"system:authenticated,Engineering,Project-Alpha","keyId":"2e5203cc-fa44-4d2a-a9ff-c5aa23cff807","selected_subscription":"simulator-subscription","selected_subscription_key":"models-as-a-service/simulator-subscription@llm/facebook-opt-125m-simulated","subscription_error":"","subscription_error_message":"","subscription_info":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true},"userid":"alice_lead"}} {"level":"info","ts":"2026-06-11T15:10:22Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"a2d07520-f606-4f60-9bb2-a50e2ca23f03","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-11T15:10:22Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"a2d07520-f606-4f60-9bb2-a50e2ca23f03","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-11T15:10:22Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"569ca6c3-a434-472e-92f8-07d78b227d9c","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.11:45236","PortSpecifier":{"PortValue":45236}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.33:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"569ca6c3-a434-472e-92f8-07d78b227d9c","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.64ad4523-ae6b-421a-b3db-904e112cf5e6.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-11T15:10:22Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"569ca6c3-a434-472e-92f8-07d78b227d9c","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.11:45236","PortSpecifier":{"PortValue":45236}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.33:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781190622,"nanos":920104417},"http":{"id":"569ca6c3-a434-472e-92f8-07d78b227d9c","method":"POST","headers":{":authority":"maas.apps.64ad4523-ae6b-421a-b3db-904e112cf5e6.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-11T15:10:22Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"569ca6c3-a434-472e-92f8-07d78b227d9c","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781190922,"groups":["Engineering","Project-Alpha"],"iat":1781190622,"iss":"https://keycloak.apps.64ad4523-ae6b-421a-b3db-904e112cf5e6.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:76bd8fdd-60b6-a5ff-c263-9a82fd2c7571","preferred_username":"alice_lead","scope":"email profile","sid":"lRAGNsvLKLVziJg4OO1EGhEW","sub":"b6822ec5-f143-4df2-b471-a36ae2c0c0a9","typ":"Bearer"}} {"level":"debug","ts":"2026-06-11T15:10:22Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"569ca6c3-a434-472e-92f8-07d78b227d9c","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781190922,"groups":["Engineering","Project-Alpha"],"iat":1781190622,"iss":"https://keycloak.apps.64ad4523-ae6b-421a-b3db-904e112cf5e6.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:76bd8fdd-60b6-a5ff-c263-9a82fd2c7571","preferred_username":"alice_lead","scope":"email profile","sid":"lRAGNsvLKLVziJg4OO1EGhEW","sub":"b6822ec5-f143-4df2-b471-a36ae2c0c0a9","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.132.0.33:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.64ad4523-ae6b-421a-b3db-904e112cf5e6.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-11T15:10:22Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"569ca6c3-a434-472e-92f8-07d78b227d9c","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T15:10:22Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"569ca6c3-a434-472e-92f8-07d78b227d9c","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T15:10:22Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"569ca6c3-a434-472e-92f8-07d78b227d9c","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T15:10:22Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"569ca6c3-a434-472e-92f8-07d78b227d9c","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"groups","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"userid","Value":{}}]},"Plain":null},"reason":"no such key: metadata"} {"level":"debug","ts":"2026-06-11T15:10:22Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"569ca6c3-a434-472e-92f8-07d78b227d9c","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"} {"level":"debug","ts":"2026-06-11T15:10:22Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"569ca6c3-a434-472e-92f8-07d78b227d9c","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"} {"level":"info","ts":"2026-06-11T15:10:22Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"569ca6c3-a434-472e-92f8-07d78b227d9c","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-11T15:10:22Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"569ca6c3-a434-472e-92f8-07d78b227d9c","authorized":true,"response":"OK"}