{"level":"info","ts":"2026-06-14T03:53:40Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"e50f5fdcb9fb7e124557afe69edae9a95d05da488eae1cc4b5c1c7c1220a826a","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-14T03:53:40Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"e50f5fdcb9fb7e124557afe69edae9a95d05da488eae1cc4b5c1c7c1220a826a","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-14T03:53:40Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/e50f5fdcb9fb7e124557afe69edae9a95d05da488eae1cc4b5c1c7c1220a826a","issuerUrl":"https://keycloak.apps.495bd143-025f-4c0b-96c0-520b38786006.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-14T03:53:40Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"e50f5fdcb9fb7e124557afe69edae9a95d05da488eae1cc4b5c1c7c1220a826a","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-14T03:53:40Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/e50f5fdcb9fb7e124557afe69edae9a95d05da488eae1cc4b5c1c7c1220a826a"} {"level":"debug","ts":"2026-06-14T03:53:40Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/e50f5fdcb9fb7e124557afe69edae9a95d05da488eae1cc4b5c1c7c1220a826a","issuerUrl":"https://keycloak.apps.495bd143-025f-4c0b-96c0-520b38786006.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-14T03:53:40Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"e50f5fdcb9fb7e124557afe69edae9a95d05da488eae1cc4b5c1c7c1220a826a","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-14T03:53:40Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"a89b0896df0d8cd430f1c81b6eb292ddc044daed393537d009a6330718f58d4b","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-14T03:53:40Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/e50f5fdcb9fb7e124557afe69edae9a95d05da488eae1cc4b5c1c7c1220a826a"} {"level":"debug","ts":"2026-06-14T03:53:40Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/a89b0896df0d8cd430f1c81b6eb292ddc044daed393537d009a6330718f58d4b","issuerUrl":"https://keycloak.apps.495bd143-025f-4c0b-96c0-520b38786006.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-14T03:53:40Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"edcceb5a2e0cf1edde0fc3ed43068ce5b123a6fdc41949959c2c3b7a5a48bf24","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-14T03:53:40Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/a89b0896df0d8cd430f1c81b6eb292ddc044daed393537d009a6330718f58d4b"} {"level":"debug","ts":"2026-06-14T03:53:40Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/edcceb5a2e0cf1edde0fc3ed43068ce5b123a6fdc41949959c2c3b7a5a48bf24","issuerUrl":"https://keycloak.apps.495bd143-025f-4c0b-96c0-520b38786006.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-14T03:53:40Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"331dc257e65f55f80700a586f7807093eda7b3d8e7d91215dc3c47731508480c","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-14T03:53:40Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"e50f5fdcb9fb7e124557afe69edae9a95d05da488eae1cc4b5c1c7c1220a826a","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"True","lastTransitionTime":"2026-06-14T03:53:40Z","reason":"HostsLinked"},{"type":"Ready","status":"True","lastTransitionTime":"2026-06-14T03:53:40Z","reason":"Reconciled"}],"summary":{"ready":true,"hostsReady":["e50f5fdcb9fb7e124557afe69edae9a95d05da488eae1cc4b5c1c7c1220a826a"],"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":8,"festivalWristbandEnabled":false}}} {"level":"info","ts":"2026-06-14T03:53:40Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/edcceb5a2e0cf1edde0fc3ed43068ce5b123a6fdc41949959c2c3b7a5a48bf24"} {"level":"info","ts":"2026-06-14T03:53:40Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"e50f5fdcb9fb7e124557afe69edae9a95d05da488eae1cc4b5c1c7c1220a826a","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-14T03:53:40Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-14T03:53:40Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"e50f5fdcb9fb7e124557afe69edae9a95d05da488eae1cc4b5c1c7c1220a826a","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-14T03:53:40Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/331dc257e65f55f80700a586f7807093eda7b3d8e7d91215dc3c47731508480c","issuerUrl":"https://keycloak.apps.495bd143-025f-4c0b-96c0-520b38786006.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-14T03:53:40Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/331dc257e65f55f80700a586f7807093eda7b3d8e7d91215dc3c47731508480c"} {"level":"debug","ts":"2026-06-14T03:53:40Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5","issuerUrl":"https://keycloak.apps.495bd143-025f-4c0b-96c0-520b38786006.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-14T03:53:40Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5"} {"level":"debug","ts":"2026-06-14T03:53:40Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/e50f5fdcb9fb7e124557afe69edae9a95d05da488eae1cc4b5c1c7c1220a826a","issuerUrl":"https://keycloak.apps.495bd143-025f-4c0b-96c0-520b38786006.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-14T03:53:40Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"7371c34ce8e4df2309ee8f952c87f921947b289427b6e9ea579dcb9970fc1b86","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-14T03:53:40Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/e50f5fdcb9fb7e124557afe69edae9a95d05da488eae1cc4b5c1c7c1220a826a"} {"level":"debug","ts":"2026-06-14T03:53:40Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/7371c34ce8e4df2309ee8f952c87f921947b289427b6e9ea579dcb9970fc1b86","issuerUrl":"https://keycloak.apps.495bd143-025f-4c0b-96c0-520b38786006.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-14T03:53:40Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"b1f82c4ba6cc7617f9c0b90067f72f4a25fdc5de2564c14ccb90af534a2905f6","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-14T03:53:40Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/7371c34ce8e4df2309ee8f952c87f921947b289427b6e9ea579dcb9970fc1b86"} {"level":"debug","ts":"2026-06-14T03:53:40Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/b1f82c4ba6cc7617f9c0b90067f72f4a25fdc5de2564c14ccb90af534a2905f6","issuerUrl":"https://keycloak.apps.495bd143-025f-4c0b-96c0-520b38786006.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-14T03:53:40Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"4dc577fd60594d78a4a8bebe396f4b5a928f41bdc3f95c06d717cf1ddc3158b2","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-14T03:53:40Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/b1f82c4ba6cc7617f9c0b90067f72f4a25fdc5de2564c14ccb90af534a2905f6"} {"level":"debug","ts":"2026-06-14T03:53:40Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/4dc577fd60594d78a4a8bebe396f4b5a928f41bdc3f95c06d717cf1ddc3158b2","issuerUrl":"https://keycloak.apps.495bd143-025f-4c0b-96c0-520b38786006.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-14T03:53:40Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/4dc577fd60594d78a4a8bebe396f4b5a928f41bdc3f95c06d717cf1ddc3158b2"} {"level":"debug","ts":"2026-06-14T03:53:40Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"cc09b530b46a73b0d4ddb40e465580cff15db19d77e93e4903c9737647deeb1a","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-14T03:53:40Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/cc09b530b46a73b0d4ddb40e465580cff15db19d77e93e4903c9737647deeb1a","issuerUrl":"https://keycloak.apps.495bd143-025f-4c0b-96c0-520b38786006.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-14T03:53:40Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"3dd75e19cd66d310c30638e330078972afd6d2d96305f91055bc6a6f363fb8d3","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-14T03:53:40Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/cc09b530b46a73b0d4ddb40e465580cff15db19d77e93e4903c9737647deeb1a"} {"level":"debug","ts":"2026-06-14T03:53:40Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/3dd75e19cd66d310c30638e330078972afd6d2d96305f91055bc6a6f363fb8d3","issuerUrl":"https://keycloak.apps.495bd143-025f-4c0b-96c0-520b38786006.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-14T03:53:40Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"3c0d47082320c9bb02d3788ab2b052c696af91abc2ae438437ae71a26936c7c2","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-14T03:53:40Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/3dd75e19cd66d310c30638e330078972afd6d2d96305f91055bc6a6f363fb8d3"} {"level":"debug","ts":"2026-06-14T03:53:40Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/3c0d47082320c9bb02d3788ab2b052c696af91abc2ae438437ae71a26936c7c2","issuerUrl":"https://keycloak.apps.495bd143-025f-4c0b-96c0-520b38786006.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-14T03:53:40Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"9bbfc0b2e9e9acadd41342cd7c36a24afa8a5eef942d161782a6adae8411158a","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-14T03:53:40Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"35d34d59676c333235d7c9f02273e0380bb39f27cfd30856fedc0f7c0e5f79aa","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-14T03:53:40Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/3c0d47082320c9bb02d3788ab2b052c696af91abc2ae438437ae71a26936c7c2"} {"level":"debug","ts":"2026-06-14T03:53:40Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/9bbfc0b2e9e9acadd41342cd7c36a24afa8a5eef942d161782a6adae8411158a","issuerUrl":"https://keycloak.apps.495bd143-025f-4c0b-96c0-520b38786006.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-14T03:53:40Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"319a353672fc7601c875fa3f8b807adf60b64f093f022b2a1c3dfef3ac8cd4f4","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-14T03:53:40Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/9bbfc0b2e9e9acadd41342cd7c36a24afa8a5eef942d161782a6adae8411158a"} {"level":"debug","ts":"2026-06-14T03:53:40Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"5fea747cb803a5ee3aeb620187bd9ec74ccccd10a92474ef528215a7ff146c8f","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-14T03:53:40Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/35d34d59676c333235d7c9f02273e0380bb39f27cfd30856fedc0f7c0e5f79aa","issuerUrl":"https://keycloak.apps.495bd143-025f-4c0b-96c0-520b38786006.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-14T03:53:40Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"80f10756c0e833d16937036ed66f1daf5bef95559ef05a5e852766b97b9bdaef","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-14T03:53:40Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/35d34d59676c333235d7c9f02273e0380bb39f27cfd30856fedc0f7c0e5f79aa"} {"level":"debug","ts":"2026-06-14T03:53:40Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/319a353672fc7601c875fa3f8b807adf60b64f093f022b2a1c3dfef3ac8cd4f4","issuerUrl":"https://keycloak.apps.495bd143-025f-4c0b-96c0-520b38786006.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-14T03:53:40Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"bf72a6316f6ed79299511e58d068836cdc71dbca5e23944f783c9340ffa0aee1","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-14T03:53:40Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/319a353672fc7601c875fa3f8b807adf60b64f093f022b2a1c3dfef3ac8cd4f4"} {"level":"debug","ts":"2026-06-14T03:53:40Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/5fea747cb803a5ee3aeb620187bd9ec74ccccd10a92474ef528215a7ff146c8f","issuerUrl":"https://keycloak.apps.495bd143-025f-4c0b-96c0-520b38786006.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-14T03:53:40Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"c9f2cdb36f800bc8ef8831e6117ec4c6cc521d8cd63b718b7906225d0f25e59f","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-14T03:53:40Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/5fea747cb803a5ee3aeb620187bd9ec74ccccd10a92474ef528215a7ff146c8f"} {"level":"debug","ts":"2026-06-14T03:53:40Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/80f10756c0e833d16937036ed66f1daf5bef95559ef05a5e852766b97b9bdaef","issuerUrl":"https://keycloak.apps.495bd143-025f-4c0b-96c0-520b38786006.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-14T03:53:40Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/80f10756c0e833d16937036ed66f1daf5bef95559ef05a5e852766b97b9bdaef"} {"level":"debug","ts":"2026-06-14T03:53:40Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/bf72a6316f6ed79299511e58d068836cdc71dbca5e23944f783c9340ffa0aee1","issuerUrl":"https://keycloak.apps.495bd143-025f-4c0b-96c0-520b38786006.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-14T03:53:40Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"d3b195a61a7f24c6bf1fba40f9f2e2565facb6af92e959c1546ac398a9172618","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-14T03:53:40Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/bf72a6316f6ed79299511e58d068836cdc71dbca5e23944f783c9340ffa0aee1"} {"level":"debug","ts":"2026-06-14T03:53:40Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/c9f2cdb36f800bc8ef8831e6117ec4c6cc521d8cd63b718b7906225d0f25e59f","issuerUrl":"https://keycloak.apps.495bd143-025f-4c0b-96c0-520b38786006.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-14T03:53:40Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"01918e70442d2cb18c94316131b0e0a241b4a5d12df5b1e1981a3bef420bbdb5","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-14T03:53:41Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/c9f2cdb36f800bc8ef8831e6117ec4c6cc521d8cd63b718b7906225d0f25e59f"} {"level":"debug","ts":"2026-06-14T03:53:41Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/d3b195a61a7f24c6bf1fba40f9f2e2565facb6af92e959c1546ac398a9172618","issuerUrl":"https://keycloak.apps.495bd143-025f-4c0b-96c0-520b38786006.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-14T03:53:41Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"311b1be286674fd5684c9ac59b318287dade9769cfe4aeebd8c88e2dc6b72418","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-14T03:53:41Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/d3b195a61a7f24c6bf1fba40f9f2e2565facb6af92e959c1546ac398a9172618"} {"level":"debug","ts":"2026-06-14T03:53:41Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/01918e70442d2cb18c94316131b0e0a241b4a5d12df5b1e1981a3bef420bbdb5","issuerUrl":"https://keycloak.apps.495bd143-025f-4c0b-96c0-520b38786006.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-14T03:53:41Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/01918e70442d2cb18c94316131b0e0a241b4a5d12df5b1e1981a3bef420bbdb5"} {"level":"debug","ts":"2026-06-14T03:53:41Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/311b1be286674fd5684c9ac59b318287dade9769cfe4aeebd8c88e2dc6b72418","issuerUrl":"https://keycloak.apps.495bd143-025f-4c0b-96c0-520b38786006.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-14T03:53:41Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/311b1be286674fd5684c9ac59b318287dade9769cfe4aeebd8c88e2dc6b72418"} {"level":"info","ts":"2026-06-14T03:53:41Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource de-indexed","authconfig":"kuadrant-system/3efb8e937aa19b5e0bdd0c3eb5b4ece33299385dcfc89205b8934853facbdcf0"} {"level":"info","ts":"2026-06-14T03:53:41Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource de-indexed","authconfig":"kuadrant-system/2200947db0f3acc41dd3fca21efa06f90c57afddd36d719bdda2dc74a0bd0a11"} {"level":"info","ts":"2026-06-14T03:54:12Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"fd80316f-1324-4a1d-a33a-1c127dbedc5c","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.13:59200","PortSpecifier":{"PortValue":59200}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.31:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"fd80316f-1324-4a1d-a33a-1c127dbedc5c","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.495bd143-025f-4c0b-96c0-520b38786006.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-14T03:54:12Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"fd80316f-1324-4a1d-a33a-1c127dbedc5c","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.13:59200","PortSpecifier":{"PortValue":59200}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.31:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781409252,"nanos":525160965},"http":{"id":"fd80316f-1324-4a1d-a33a-1c127dbedc5c","method":"POST","headers":{":authority":"maas.apps.495bd143-025f-4c0b-96c0-520b38786006.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-14T03:54:12Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"fd80316f-1324-4a1d-a33a-1c127dbedc5c","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781409552,"groups":["Engineering","Project-Alpha"],"iat":1781409252,"iss":"https://keycloak.apps.495bd143-025f-4c0b-96c0-520b38786006.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:fba4583f-945c-dc8d-46e5-d9e6f20b1cfb","preferred_username":"alice_lead","scope":"profile email","sid":"LnH0iP4v-O0DUydZo7jx6hfK","sub":"582a1cab-1895-4e65-aea5-1c78141ef8c7","typ":"Bearer"}} {"level":"debug","ts":"2026-06-14T03:54:12Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"fd80316f-1324-4a1d-a33a-1c127dbedc5c","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781409552,"groups":["Engineering","Project-Alpha"],"iat":1781409252,"iss":"https://keycloak.apps.495bd143-025f-4c0b-96c0-520b38786006.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:fba4583f-945c-dc8d-46e5-d9e6f20b1cfb","preferred_username":"alice_lead","scope":"profile email","sid":"LnH0iP4v-O0DUydZo7jx6hfK","sub":"582a1cab-1895-4e65-aea5-1c78141ef8c7","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.134.0.31:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.495bd143-025f-4c0b-96c0-520b38786006.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-14T03:54:12Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"fd80316f-1324-4a1d-a33a-1c127dbedc5c","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-14T03:54:12Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"fd80316f-1324-4a1d-a33a-1c127dbedc5c","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-14T03:54:12Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"fd80316f-1324-4a1d-a33a-1c127dbedc5c","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-14T03:54:12Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"fd80316f-1324-4a1d-a33a-1c127dbedc5c","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"groups_str","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"userid","Value":{}},{"Name":"groups","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"keyId","Value":{}}]},"Plain":null},"reason":"no such key: metadata"} {"level":"debug","ts":"2026-06-14T03:54:12Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"fd80316f-1324-4a1d-a33a-1c127dbedc5c","config":{"Name":"X-MaaS-Tenant-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Tenant","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"opendatahub"} {"level":"debug","ts":"2026-06-14T03:54:12Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"fd80316f-1324-4a1d-a33a-1c127dbedc5c","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"} {"level":"debug","ts":"2026-06-14T03:54:12Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"fd80316f-1324-4a1d-a33a-1c127dbedc5c","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"} {"level":"info","ts":"2026-06-14T03:54:12Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"fd80316f-1324-4a1d-a33a-1c127dbedc5c","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-14T03:54:12Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"fd80316f-1324-4a1d-a33a-1c127dbedc5c","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-14T03:54:12Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"c6d5527e-0df7-420e-92ee-f480a384f6cb","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.13:59212","PortSpecifier":{"PortValue":59212}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.31:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"c6d5527e-0df7-420e-92ee-f480a384f6cb","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.495bd143-025f-4c0b-96c0-520b38786006.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-14T03:54:12Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"c6d5527e-0df7-420e-92ee-f480a384f6cb","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.13:59212","PortSpecifier":{"PortValue":59212}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.31:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781409252,"nanos":647225679},"http":{"id":"c6d5527e-0df7-420e-92ee-f480a384f6cb","method":"POST","headers":{":authority":"maas.apps.495bd143-025f-4c0b-96c0-520b38786006.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-14T03:54:12Z","logger":"authorino.service.auth.authpipeline.identity","msg":"cannot validate identity","request id":"c6d5527e-0df7-420e-92ee-f480a384f6cb","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"reason":"failed to verify signature: failed to verify id token signature"} {"level":"debug","ts":"2026-06-14T03:54:12Z","logger":"authorino.service.auth.authpipeline.identity.kubernetesauth","msg":"calling kubernetes token review api","request id":"c6d5527e-0df7-420e-92ee-f480a384f6cb","tokenreview":{"name":""}} {"level":"debug","ts":"2026-06-14T03:54:12Z","logger":"authorino.service.auth.authpipeline.identity","msg":"cannot validate identity","request id":"c6d5527e-0df7-420e-92ee-f480a384f6cb","config":{"Name":"openshift-identities","Priority":2,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":null,"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"Plain":null,"Noop":null,"ExtendedProperties":[]},"reason":"not authenticated"} {"level":"info","ts":"2026-06-14T03:54:12Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"c6d5527e-0df7-420e-92ee-f480a384f6cb","authorized":false,"response":"UNAUTHENTICATED","object":{"code":16,"status":401,"message":"Authentication required"}} {"level":"debug","ts":"2026-06-14T03:54:12Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"c6d5527e-0df7-420e-92ee-f480a384f6cb","authorized":false,"response":"UNAUTHENTICATED","object":{"code":16,"status":401,"message":"Authentication required","headers":[{"WWW-Authenticate":"request.headers.authorization realm=\"api-keys\""},{"WWW-Authenticate":"Bearer **** realm=\"openshift-identities\""}]}} {"level":"info","ts":"2026-06-14T03:54:12Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"96418e93-94b1-45e6-b106-506f3af303b4","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.13:59226","PortSpecifier":{"PortValue":59226}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.31:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"96418e93-94b1-45e6-b106-506f3af303b4","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.495bd143-025f-4c0b-96c0-520b38786006.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-14T03:54:12Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"96418e93-94b1-45e6-b106-506f3af303b4","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.13:59226","PortSpecifier":{"PortValue":59226}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.31:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781409252,"nanos":688833348},"http":{"id":"96418e93-94b1-45e6-b106-506f3af303b4","method":"POST","headers":{":authority":"maas.apps.495bd143-025f-4c0b-96c0-520b38786006.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer","content-length":"35","content-type":"application/json","forwarded":"for=52.71.36.72;host=maas.apps.495bd143-025f-4c0b-96c0-520b38786006.prod.konfluxeaas.com;proto=https","user-agent":"python-requests/2.32.5","x-envoy-decorator-operation":"maas-api.opendatahub.svc.cluster.local:8443/*","x-envoy-external-address":"10.132.0.13","x-envoy-peer-metadata":"ChoKCkNMVVNURVJfSUQSDBoKS3ViZXJuZXRlcwqLAQoGTEFCRUxTEoABKn4KSwofc2VydmljZS5pc3Rpby5pby9jYW5vbmljYWwtbmFtZRIoGiZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAovCiNzZXJ2aWNlLmlzdGlvLmlvL2Nhbm9uaWNhbC1yZXZpc2lvbhIIGgZsYXRlc3QKQAoETkFNRRI4GjZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdC02ODdmZjY5OTYtbHdwZ2QKIAoJTkFNRVNQQUNFEhMaEW9wZW5zaGlmdC1pbmdyZXNzCnQKBU9XTkVSEmsaaWt1YmVybmV0ZXM6Ly9hcGlzL2FwcHMvdjEvbmFtZXNwYWNlcy9vcGVuc2hpZnQtaW5ncmVzcy9kZXBsb3ltZW50cy9tYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAo5Cg1XT1JLTE9BRF9OQU1FEigaJm1hYXMtZGVmYXVsdC1nYXRld2F5LW9wZW5zaGlmdC1kZWZhdWx0","x-envoy-peer-metadata-id":"router~10.134.0.31~maas-default-gateway-openshift-default-687ff6996-lwpgd.openshift-ingress~openshift-ingress.svc.cluster.local","x-forwarded-for":"52.71.36.72,10.132.0.13","x-forwarded-host":"maas.apps.495bd143-025f-4c0b-96c0-520b38786006.prod.konfluxeaas.com","x-forwarded-port":"443","x-forwarded-proto":"https","x-request-id":"96418e93-94b1-45e6-b106-506f3af303b4"},"path":"/maas-api/v1/api-keys","host":"maas.apps.495bd143-025f-4c0b-96c0-520b38786006.prod.konfluxeaas.com","scheme":"https","protocol":"HTTP/1.1"}},"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"metadata_context":{}}} {"level":"debug","ts":"2026-06-14T03:54:12Z","logger":"authorino.service.auth.authpipeline.identity","msg":"cannot validate identity","request id":"96418e93-94b1-45e6-b106-506f3af303b4","config":{"Name":"openshift-identities","Priority":2,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":null,"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"Plain":null,"Noop":null,"ExtendedProperties":[]},"reason":"credential not found"} {"level":"info","ts":"2026-06-14T03:54:12Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"96418e93-94b1-45e6-b106-506f3af303b4","authorized":false,"response":"UNAUTHENTICATED","object":{"code":16,"status":401,"message":"Authentication required"}} {"level":"debug","ts":"2026-06-14T03:54:12Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"96418e93-94b1-45e6-b106-506f3af303b4","authorized":false,"response":"UNAUTHENTICATED","object":{"code":16,"status":401,"message":"Authentication required","headers":[{"WWW-Authenticate":"request.headers.authorization realm=\"api-keys\""},{"WWW-Authenticate":"Bearer **** realm=\"openshift-identities\""}]}} {"level":"info","ts":"2026-06-14T03:54:12Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"5a2e7060-2a6d-4ed4-8dd2-117e9072a922","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.13:56052","PortSpecifier":{"PortValue":56052}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.31:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"5a2e7060-2a6d-4ed4-8dd2-117e9072a922","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.495bd143-025f-4c0b-96c0-520b38786006.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-14T03:54:12Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"5a2e7060-2a6d-4ed4-8dd2-117e9072a922","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.13:56052","PortSpecifier":{"PortValue":56052}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.31:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781409252,"nanos":716838230},"http":{"id":"5a2e7060-2a6d-4ed4-8dd2-117e9072a922","method":"POST","headers":{":authority":"maas.apps.495bd143-025f-4c0b-96c0-520b38786006.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","content-length":"36","content-type":"application/json","forwarded":"for=52.71.36.72;host=maas.apps.495bd143-025f-4c0b-96c0-520b38786006.prod.konfluxeaas.com;proto=https","user-agent":"python-requests/2.32.5","x-envoy-decorator-operation":"maas-api.opendatahub.svc.cluster.local:8443/*","x-envoy-external-address":"10.132.0.13","x-envoy-peer-metadata":"ChoKCkNMVVNURVJfSUQSDBoKS3ViZXJuZXRlcwqLAQoGTEFCRUxTEoABKn4KSwofc2VydmljZS5pc3Rpby5pby9jYW5vbmljYWwtbmFtZRIoGiZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAovCiNzZXJ2aWNlLmlzdGlvLmlvL2Nhbm9uaWNhbC1yZXZpc2lvbhIIGgZsYXRlc3QKQAoETkFNRRI4GjZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdC02ODdmZjY5OTYtbHdwZ2QKIAoJTkFNRVNQQUNFEhMaEW9wZW5zaGlmdC1pbmdyZXNzCnQKBU9XTkVSEmsaaWt1YmVybmV0ZXM6Ly9hcGlzL2FwcHMvdjEvbmFtZXNwYWNlcy9vcGVuc2hpZnQtaW5ncmVzcy9kZXBsb3ltZW50cy9tYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAo5Cg1XT1JLTE9BRF9OQU1FEigaJm1hYXMtZGVmYXVsdC1nYXRld2F5LW9wZW5zaGlmdC1kZWZhdWx0","x-envoy-peer-metadata-id":"router~10.134.0.31~maas-default-gateway-openshift-default-687ff6996-lwpgd.openshift-ingress~openshift-ingress.svc.cluster.local","x-forwarded-for":"52.71.36.72,10.132.0.13","x-forwarded-host":"maas.apps.495bd143-025f-4c0b-96c0-520b38786006.prod.konfluxeaas.com","x-forwarded-port":"443","x-forwarded-proto":"https","x-request-id":"5a2e7060-2a6d-4ed4-8dd2-117e9072a922"},"path":"/maas-api/v1/api-keys","host":"maas.apps.495bd143-025f-4c0b-96c0-520b38786006.prod.konfluxeaas.com","scheme":"https","protocol":"HTTP/1.1"}},"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"metadata_context":{}}} {"level":"info","ts":"2026-06-14T03:54:12Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"5a2e7060-2a6d-4ed4-8dd2-117e9072a922","authorized":false,"response":"UNAUTHENTICATED","object":{"code":16,"status":401,"message":"Authentication required"}} {"level":"debug","ts":"2026-06-14T03:54:12Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"5a2e7060-2a6d-4ed4-8dd2-117e9072a922","authorized":false,"response":"UNAUTHENTICATED","object":{"code":16,"status":401,"message":"Authentication required","headers":[{"WWW-Authenticate":"request.headers.authorization realm=\"api-keys\""},{"WWW-Authenticate":"Bearer **** realm=\"openshift-identities\""}]}} {"level":"info","ts":"2026-06-14T03:54:13Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"bba5ac00-2d5b-48d4-b934-ee543d1a56fa","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.13:56062","PortSpecifier":{"PortValue":56062}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.31:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"bba5ac00-2d5b-48d4-b934-ee543d1a56fa","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.495bd143-025f-4c0b-96c0-520b38786006.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-14T03:54:13Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"bba5ac00-2d5b-48d4-b934-ee543d1a56fa","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.13:56062","PortSpecifier":{"PortValue":56062}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.31:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781409253,"nanos":90670147},"http":{"id":"bba5ac00-2d5b-48d4-b934-ee543d1a56fa","method":"POST","headers":{":authority":"maas.apps.495bd143-025f-4c0b-96c0-520b38786006.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-14T03:54:13Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"bba5ac00-2d5b-48d4-b934-ee543d1a56fa","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781409553,"groups":["Site-Reliability"],"iat":1781409253,"iss":"https://keycloak.apps.495bd143-025f-4c0b-96c0-520b38786006.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:83b9eadf-266b-e31f-22e3-5170bbd93873","preferred_username":"bob_sre","scope":"profile email","sid":"XBH4pCDXR8KTBnSrou3b7K1y","sub":"6be5ba2f-8aae-4374-8bf4-2a11485158c9","typ":"Bearer"}} {"level":"debug","ts":"2026-06-14T03:54:13Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"bba5ac00-2d5b-48d4-b934-ee543d1a56fa","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781409553,"groups":["Site-Reliability"],"iat":1781409253,"iss":"https://keycloak.apps.495bd143-025f-4c0b-96c0-520b38786006.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:83b9eadf-266b-e31f-22e3-5170bbd93873","preferred_username":"bob_sre","scope":"profile email","sid":"XBH4pCDXR8KTBnSrou3b7K1y","sub":"6be5ba2f-8aae-4374-8bf4-2a11485158c9","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.134.0.31:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.495bd143-025f-4c0b-96c0-520b38786006.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-14T03:54:13Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"bba5ac00-2d5b-48d4-b934-ee543d1a56fa","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-14T03:54:13Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"bba5ac00-2d5b-48d4-b934-ee543d1a56fa","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-14T03:54:13Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"bba5ac00-2d5b-48d4-b934-ee543d1a56fa","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-14T03:54:13Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"bba5ac00-2d5b-48d4-b934-ee543d1a56fa","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"groups_str","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"userid","Value":{}},{"Name":"groups","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"keyId","Value":{}}]},"Plain":null},"reason":"no such key: metadata"} {"level":"debug","ts":"2026-06-14T03:54:13Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"bba5ac00-2d5b-48d4-b934-ee543d1a56fa","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"bob_sre"} {"level":"debug","ts":"2026-06-14T03:54:13Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"bba5ac00-2d5b-48d4-b934-ee543d1a56fa","config":{"Name":"X-MaaS-Tenant-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Tenant","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"opendatahub"} {"level":"debug","ts":"2026-06-14T03:54:13Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"bba5ac00-2d5b-48d4-b934-ee543d1a56fa","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Site-Reliability\"]"} {"level":"info","ts":"2026-06-14T03:54:13Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"bba5ac00-2d5b-48d4-b934-ee543d1a56fa","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-14T03:54:13Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"bba5ac00-2d5b-48d4-b934-ee543d1a56fa","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-14T03:54:13Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"5dca5e08-0156-488a-8acf-b10df199b05a","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.13:56066","PortSpecifier":{"PortValue":56066}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.31:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"5dca5e08-0156-488a-8acf-b10df199b05a","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.495bd143-025f-4c0b-96c0-520b38786006.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-14T03:54:13Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"5dca5e08-0156-488a-8acf-b10df199b05a","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.13:56066","PortSpecifier":{"PortValue":56066}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.31:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781409253,"nanos":311440954},"http":{"id":"5dca5e08-0156-488a-8acf-b10df199b05a","method":"POST","headers":{":authority":"maas.apps.495bd143-025f-4c0b-96c0-520b38786006.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-14T03:54:13Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"5dca5e08-0156-488a-8acf-b10df199b05a","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781409553,"groups":["Engineering","Project-Alpha"],"iat":1781409253,"iss":"https://keycloak.apps.495bd143-025f-4c0b-96c0-520b38786006.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:96e5aeb7-3b0c-2c18-dc34-1a6fed76fa78","preferred_username":"alice_lead","scope":"profile email","sid":"mjTw-fceuNlnaerzc0Ruq36j","sub":"582a1cab-1895-4e65-aea5-1c78141ef8c7","typ":"Bearer"}} {"level":"debug","ts":"2026-06-14T03:54:13Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"5dca5e08-0156-488a-8acf-b10df199b05a","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781409553,"groups":["Engineering","Project-Alpha"],"iat":1781409253,"iss":"https://keycloak.apps.495bd143-025f-4c0b-96c0-520b38786006.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:96e5aeb7-3b0c-2c18-dc34-1a6fed76fa78","preferred_username":"alice_lead","scope":"profile email","sid":"mjTw-fceuNlnaerzc0Ruq36j","sub":"582a1cab-1895-4e65-aea5-1c78141ef8c7","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.134.0.31:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.495bd143-025f-4c0b-96c0-520b38786006.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-14T03:54:13Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"5dca5e08-0156-488a-8acf-b10df199b05a","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-14T03:54:13Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"5dca5e08-0156-488a-8acf-b10df199b05a","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-14T03:54:13Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"5dca5e08-0156-488a-8acf-b10df199b05a","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-14T03:54:13Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"5dca5e08-0156-488a-8acf-b10df199b05a","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"groups_str","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"userid","Value":{}},{"Name":"groups","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"keyId","Value":{}}]},"Plain":null},"reason":"no such key: metadata"} {"level":"debug","ts":"2026-06-14T03:54:13Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"5dca5e08-0156-488a-8acf-b10df199b05a","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"} {"level":"debug","ts":"2026-06-14T03:54:13Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"5dca5e08-0156-488a-8acf-b10df199b05a","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"} {"level":"debug","ts":"2026-06-14T03:54:13Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"5dca5e08-0156-488a-8acf-b10df199b05a","config":{"Name":"X-MaaS-Tenant-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Tenant","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"opendatahub"} {"level":"info","ts":"2026-06-14T03:54:13Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"5dca5e08-0156-488a-8acf-b10df199b05a","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-14T03:54:13Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"5dca5e08-0156-488a-8acf-b10df199b05a","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-14T03:54:13Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"04988385-09f0-4224-980c-456535efca32","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.13:56072","PortSpecifier":{"PortValue":56072}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.31:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"04988385-09f0-4224-980c-456535efca32","method":"GET","path":"/maas-api/v1/models","host":"maas.apps.495bd143-025f-4c0b-96c0-520b38786006.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-14T03:54:13Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"04988385-09f0-4224-980c-456535efca32","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.13:56072","PortSpecifier":{"PortValue":56072}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.31:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781409253,"nanos":346605457},"http":{"id":"04988385-09f0-4224-980c-456535efca32","method":"GET","headers":{":authority":"maas.apps.495bd143-025f-4c0b-96c0-520b38786006.prod.konfluxeaas.com",":method":"GET",":path":"/maas-api/v1/models",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-14T03:54:13Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"04988385-09f0-4224-980c-456535efca32","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-IW3IvA9p07Usoc8l_GXzIAKAB6eXFqQPkkSw86PQyVmuZMwbmPSEVukWLqMd"} {"level":"debug","ts":"2026-06-14T03:54:13Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"04988385-09f0-4224-980c-456535efca32","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-IW3IvA9p07Usoc8l_GXzIAKAB6eXFqQPkkSw86PQyVmuZMwbmPSEVukWLqMd\"}"} {"level":"debug","ts":"2026-06-14T03:54:13Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"04988385-09f0-4224-980c-456535efca32","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-14T03:54:13Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"04988385-09f0-4224-980c-456535efca32","input":{"auth":{"identity":"Bearer **** deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-14T03:54:13Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"04988385-09f0-4224-980c-456535efca32","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-14T03:54:13Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"04988385-09f0-4224-980c-456535efca32","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-14T03:54:13Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"04988385-09f0-4224-980c-456535efca32","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-14T03:54:13Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"04988385-09f0-4224-980c-456535efca32","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-14T03:54:13Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"04988385-09f0-4224-980c-456535efca32","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-14T03:54:13Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"04988385-09f0-4224-980c-456535efca32","config":{"Name":"X-MaaS-Tenant","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-14T03:54:13Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"04988385-09f0-4224-980c-456535efca32","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"groups_str","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"userid","Value":{}},{"Name":"groups","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"keyId","Value":{}}]},"Plain":null},"reason":"no such key: subscription-info"} {"level":"debug","ts":"2026-06-14T03:54:13Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"04988385-09f0-4224-980c-456535efca32","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"} {"level":"info","ts":"2026-06-14T03:54:13Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"04988385-09f0-4224-980c-456535efca32","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-14T03:54:13Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"04988385-09f0-4224-980c-456535efca32","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-14T03:54:13Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"5ef05aa5-a58d-43fb-8cd2-b6c0ddf7a386","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.31:56230","PortSpecifier":{"PortValue":56230}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.31:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"5ef05aa5-a58d-43fb-8cd2-b6c0ddf7a386","method":"GET","path":"/llm/facebook-opt-125m-simulated/v1/models","host":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local","scheme":"https"}}}} {"level":"debug","ts":"2026-06-14T03:54:13Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"5ef05aa5-a58d-43fb-8cd2-b6c0ddf7a386","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.31:56230","PortSpecifier":{"PortValue":56230}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.31:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781409253,"nanos":364792689},"http":{"id":"5ef05aa5-a58d-43fb-8cd2-b6c0ddf7a386","method":"GET","headers":{":authority":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local",":method":"GET",":path":"/llm/facebook-opt-125m-simulated/v1/models",":scheme":"https","accept-encoding":"gzip","authorization":"Bearer **** {"level":"debug","ts":"2026-06-14T03:54:13Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"5ef05aa5-a58d-43fb-8cd2-b6c0ddf7a386","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-IW3IvA9p07Usoc8l_GXzIAKAB6eXFqQPkkSw86PQyVmuZMwbmPSEVukWLqMd"} {"level":"debug","ts":"2026-06-14T03:54:13Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"5ef05aa5-a58d-43fb-8cd2-b6c0ddf7a386","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-IW3IvA9p07Usoc8l_GXzIAKAB6eXFqQPkkSw86PQyVmuZMwbmPSEVukWLqMd\"}"} {"level":"debug","ts":"2026-06-14T03:54:13Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"5ef05aa5-a58d-43fb-8cd2-b6c0ddf7a386","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-14T03:54:13Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"5ef05aa5-a58d-43fb-8cd2-b6c0ddf7a386","config":"subscription-info","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","headers":{"Content-Type":["application/json"]},"body":"{\"groups\":[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"],\"requestedModel\":\"llm/facebook-opt-125m-simulated\",\"requestedSubscription\":\"simulator-subscription\",\"username\":\"alice_lead\"}"} {"level":"debug","ts":"2026-06-14T03:54:13Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"5ef05aa5-a58d-43fb-8cd2-b6c0ddf7a386","config":{"Name":"subscription-info","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"UserInfo":null,"UMA":null,"GenericHTTP":{"Endpoint":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","DynamicEndpoint":null,"Method":"POST","Body":{},"Parameters":[],"Headers":[],"ContentType":"application/json","SharedSecret":"","OAuth2":null,"OAuth2TokenForceFetch":false,"AuthCredentials":null}},"object":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}} {"level":"debug","ts":"2026-06-14T03:54:13Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"5ef05aa5-a58d-43fb-8cd2-b6c0ddf7a386","input":{"auth":{"identity":"Bearer **** subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}}},"context":{"context_extensions":{"host":"3dd75e19cd66d310c30638e330078972afd6d2d96305f91055bc6a6f363fb8d3"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.134.0.31:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local",":method":"GET",":path":"/llm/facebook-opt-125m-simulated/v1/models",":scheme":"https","accept-encoding":"gzip","authorization":"Bearer **** sk-oai-IW3IvA9p07Usoc8l_GXzIAKAB6eXFqQPkkSw86PQyVmuZMwbmPSEVukWLqMd","user-agent":"Go-http-client/1.1","x-envoy-decorator-operation":"facebook-opt-125m-simulated-kserve-workload-svc.llm.svc.cluster.local:8000/*","x-envoy-external-address":"10.132.0.31","x-envoy-peer-metadata":"ChoKCkNMVVNURVJfSUQSDBoKS3ViZXJuZXRlcwqLAQoGTEFCRUxTEoABKn4KSwofc2VydmljZS5pc3Rpby5pby9jYW5vbmljYWwtbmFtZRIoGiZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAovCiNzZXJ2aWNlLmlzdGlvLmlvL2Nhbm9uaWNhbC1yZXZpc2lvbhIIGgZsYXRlc3QKQAoETkFNRRI4GjZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdC02ODdmZjY5OTYtbHdwZ2QKIAoJTkFNRVNQQUNFEhMaEW9wZW5zaGlmdC1pbmdyZXNzCnQKBU9XTkVSEmsaaWt1YmVybmV0ZXM6Ly9hcGlzL2FwcHMvdjEvbmFtZXNwYWNlcy9vcGVuc2hpZnQtaW5ncmVzcy9kZXBsb3ltZW50cy9tYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAo5Cg1XT1JLTE9BRF9OQU1FEigaJm1hYXMtZGVmYXVsdC1nYXRld2F5LW9wZW5zaGlmdC1kZWZhdWx0","x-envoy-peer-metadata-id":"router~10.134.0.31~maas-default-gateway-openshift-default-687ff6996-lwpgd.openshift-ingress~openshift-ingress.svc.cluster.local","x-forwarded-for":"10.132.0.31","x-forwarded-proto":"https","x-maas-subscription":"simulator-subscription","x-request-id":"5ef05aa5-a58d-43fb-8cd2-b6c0ddf7a386"},"host":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local","id":"5ef05aa5-a58d-43fb-8cd2-b6c0ddf7a386","method":"GET","path":"/llm/facebook-opt-125m-simulated/v1/models","protocol":"HTTP/1.1","scheme":"https","time":{"nanos":364792689,"seconds":1781409253},"url_path":"/llm/facebook-opt-125m-simulated/v1/models","user_agent":"Go-http-client/1.1"},"source":{"address":"10.132.0.31:56230","port":56230}}} {"level":"debug","ts":"2026-06-14T03:54:13Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"5ef05aa5-a58d-43fb-8cd2-b6c0ddf7a386","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-14T03:54:13Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"5ef05aa5-a58d-43fb-8cd2-b6c0ddf7a386","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-14T03:54:13Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"5ef05aa5-a58d-43fb-8cd2-b6c0ddf7a386","config":{"Name":"subscription-valid","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-14T03:54:13Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"5ef05aa5-a58d-43fb-8cd2-b6c0ddf7a386","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-14T03:54:13Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"5ef05aa5-a58d-43fb-8cd2-b6c0ddf7a386","config":{"Name":"X-MaaS-Tenant","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-14T03:54:13Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"5ef05aa5-a58d-43fb-8cd2-b6c0ddf7a386","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-14T03:54:13Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"5ef05aa5-a58d-43fb-8cd2-b6c0ddf7a386","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-14T03:54:13Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"5ef05aa5-a58d-43fb-8cd2-b6c0ddf7a386","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"} {"level":"debug","ts":"2026-06-14T03:54:13Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"5ef05aa5-a58d-43fb-8cd2-b6c0ddf7a386","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"groups_str","Value":{}},{"Name":"userid","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"groups","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription","Value":{}}]},"Plain":null},"object":{"groups":["system:authenticated","Engineering","Project-Alpha"],"groups_str":"system:authenticated,Engineering,Project-Alpha","keyId":"e88e5806-79b7-4334-8b29-b3422dc130b8","selected_subscription":"simulator-subscription","selected_subscription_key":"models-as-a-service/simulator-subscription@llm/facebook-opt-125m-simulated","subscription_error":"","subscription_error_message":"","subscription_info":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true},"userid":"alice_lead"}} {"level":"info","ts":"2026-06-14T03:54:13Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"5ef05aa5-a58d-43fb-8cd2-b6c0ddf7a386","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-14T03:54:13Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"5ef05aa5-a58d-43fb-8cd2-b6c0ddf7a386","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-14T03:54:13Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"d3954780-1a17-4503-bf1e-c4752eab53f5","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.13:56078","PortSpecifier":{"PortValue":56078}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.31:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"d3954780-1a17-4503-bf1e-c4752eab53f5","method":"POST","path":"/llm/facebook-opt-125m-simulated/v1/chat/completions","host":"maas.apps.495bd143-025f-4c0b-96c0-520b38786006.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-14T03:54:13Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"d3954780-1a17-4503-bf1e-c4752eab53f5","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.13:56078","PortSpecifier":{"PortValue":56078}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.31:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781409253,"nanos":397498138},"http":{"id":"d3954780-1a17-4503-bf1e-c4752eab53f5","method":"POST","headers":{":authority":"maas.apps.495bd143-025f-4c0b-96c0-520b38786006.prod.konfluxeaas.com",":method":"POST",":path":"/llm/facebook-opt-125m-simulated/v1/chat/completions",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-14T03:54:13Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"d3954780-1a17-4503-bf1e-c4752eab53f5","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-IW3IvA9p07Usoc8l_GXzIAKAB6eXFqQPkkSw86PQyVmuZMwbmPSEVukWLqMd"} {"level":"debug","ts":"2026-06-14T03:54:13Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"d3954780-1a17-4503-bf1e-c4752eab53f5","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-IW3IvA9p07Usoc8l_GXzIAKAB6eXFqQPkkSw86PQyVmuZMwbmPSEVukWLqMd\"}"} {"level":"debug","ts":"2026-06-14T03:54:13Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"d3954780-1a17-4503-bf1e-c4752eab53f5","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-14T03:54:13Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"d3954780-1a17-4503-bf1e-c4752eab53f5","config":"subscription-info","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","headers":{"Content-Type":["application/json"]},"body":"{\"groups\":[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"],\"requestedModel\":\"llm/facebook-opt-125m-simulated\",\"requestedSubscription\":\"simulator-subscription\",\"username\":\"alice_lead\"}"} {"level":"debug","ts":"2026-06-14T03:54:13Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"d3954780-1a17-4503-bf1e-c4752eab53f5","config":{"Name":"subscription-info","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"UserInfo":null,"UMA":null,"GenericHTTP":{"Endpoint":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","DynamicEndpoint":null,"Method":"POST","Body":{},"Parameters":[],"Headers":[],"ContentType":"application/json","SharedSecret":"","OAuth2":null,"OAuth2TokenForceFetch":false,"AuthCredentials":null}},"object":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}} {"level":"debug","ts":"2026-06-14T03:54:13Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"d3954780-1a17-4503-bf1e-c4752eab53f5","input":{"auth":{"identity":"Bearer **** subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}}},"context":{"context_extensions":{"host":"18e32965997cdd9967355c6fa5264ed12c0a215989d459ed88d7d6de02865f76"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.134.0.31:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.495bd143-025f-4c0b-96c0-520b38786006.prod.konfluxeaas.com",":method":"POST",":path":"/llm/facebook-opt-125m-simulated/v1/chat/completions",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-14T03:54:13Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"d3954780-1a17-4503-bf1e-c4752eab53f5","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-14T03:54:13Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"d3954780-1a17-4503-bf1e-c4752eab53f5","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-14T03:54:13Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"d3954780-1a17-4503-bf1e-c4752eab53f5","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-14T03:54:13Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"d3954780-1a17-4503-bf1e-c4752eab53f5","config":{"Name":"subscription-valid","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-14T03:54:13Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"d3954780-1a17-4503-bf1e-c4752eab53f5","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-14T03:54:13Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"d3954780-1a17-4503-bf1e-c4752eab53f5","config":{"Name":"X-MaaS-Tenant","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-14T03:54:13Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"d3954780-1a17-4503-bf1e-c4752eab53f5","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-14T03:54:13Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"d3954780-1a17-4503-bf1e-c4752eab53f5","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"} {"level":"debug","ts":"2026-06-14T03:54:13Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"d3954780-1a17-4503-bf1e-c4752eab53f5","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"userid","Value":{}},{"Name":"groups","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"selected_subscription_key","Value":{}}]},"Plain":null},"object":{"groups":["system:authenticated","Engineering","Project-Alpha"],"groups_str":"system:authenticated,Engineering,Project-Alpha","keyId":"e88e5806-79b7-4334-8b29-b3422dc130b8","selected_subscription":"simulator-subscription","selected_subscription_key":"models-as-a-service/simulator-subscription@llm/facebook-opt-125m-simulated","subscription_error":"","subscription_error_message":"","subscription_info":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true},"userid":"alice_lead"}} {"level":"info","ts":"2026-06-14T03:54:13Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"d3954780-1a17-4503-bf1e-c4752eab53f5","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-14T03:54:13Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"d3954780-1a17-4503-bf1e-c4752eab53f5","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-14T03:54:13Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"d41dd860-d919-4462-931e-a082a094fc4e","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.13:56088","PortSpecifier":{"PortValue":56088}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.31:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"d41dd860-d919-4462-931e-a082a094fc4e","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.495bd143-025f-4c0b-96c0-520b38786006.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-14T03:54:13Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"d41dd860-d919-4462-931e-a082a094fc4e","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.13:56088","PortSpecifier":{"PortValue":56088}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.31:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781409253,"nanos":499425935},"http":{"id":"d41dd860-d919-4462-931e-a082a094fc4e","method":"POST","headers":{":authority":"maas.apps.495bd143-025f-4c0b-96c0-520b38786006.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-14T03:54:13Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"d41dd860-d919-4462-931e-a082a094fc4e","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781409553,"groups":["Engineering","Project-Alpha"],"iat":1781409253,"iss":"https://keycloak.apps.495bd143-025f-4c0b-96c0-520b38786006.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:dc3e432f-61a5-a44c-9403-8844dc8860d3","preferred_username":"alice_lead","scope":"profile email","sid":"ku7uf0KR9YgJY6WoC22Kh-2U","sub":"582a1cab-1895-4e65-aea5-1c78141ef8c7","typ":"Bearer"}} {"level":"debug","ts":"2026-06-14T03:54:13Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"d41dd860-d919-4462-931e-a082a094fc4e","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781409553,"groups":["Engineering","Project-Alpha"],"iat":1781409253,"iss":"https://keycloak.apps.495bd143-025f-4c0b-96c0-520b38786006.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:dc3e432f-61a5-a44c-9403-8844dc8860d3","preferred_username":"alice_lead","scope":"profile email","sid":"ku7uf0KR9YgJY6WoC22Kh-2U","sub":"582a1cab-1895-4e65-aea5-1c78141ef8c7","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.134.0.31:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.495bd143-025f-4c0b-96c0-520b38786006.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-14T03:54:13Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"d41dd860-d919-4462-931e-a082a094fc4e","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-14T03:54:13Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"d41dd860-d919-4462-931e-a082a094fc4e","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-14T03:54:13Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"d41dd860-d919-4462-931e-a082a094fc4e","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-14T03:54:13Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"d41dd860-d919-4462-931e-a082a094fc4e","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"groups_str","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"userid","Value":{}},{"Name":"groups","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"keyId","Value":{}}]},"Plain":null},"reason":"no such key: metadata"} {"level":"debug","ts":"2026-06-14T03:54:13Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"d41dd860-d919-4462-931e-a082a094fc4e","config":{"Name":"X-MaaS-Tenant-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Tenant","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"opendatahub"} {"level":"debug","ts":"2026-06-14T03:54:13Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"d41dd860-d919-4462-931e-a082a094fc4e","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"} {"level":"debug","ts":"2026-06-14T03:54:13Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"d41dd860-d919-4462-931e-a082a094fc4e","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"} {"level":"info","ts":"2026-06-14T03:54:13Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"d41dd860-d919-4462-931e-a082a094fc4e","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-14T03:54:13Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"d41dd860-d919-4462-931e-a082a094fc4e","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-14T03:54:13Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"449b18e1-6cbc-47ad-96fd-43e5303ca5bd","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.13:56096","PortSpecifier":{"PortValue":56096}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.31:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"449b18e1-6cbc-47ad-96fd-43e5303ca5bd","method":"DELETE","path":"/maas-api/v1/api-keys/8e777c0f-bb00-4a8d-a0b1-fed44e658f06","host":"maas.apps.495bd143-025f-4c0b-96c0-520b38786006.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-14T03:54:13Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"449b18e1-6cbc-47ad-96fd-43e5303ca5bd","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.13:56096","PortSpecifier":{"PortValue":56096}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.31:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781409253,"nanos":530775352},"http":{"id":"449b18e1-6cbc-47ad-96fd-43e5303ca5bd","method":"DELETE","headers":{":authority":"maas.apps.495bd143-025f-4c0b-96c0-520b38786006.prod.konfluxeaas.com",":method":"DELETE",":path":"/maas-api/v1/api-keys/8e777c0f-bb00-4a8d-a0b1-fed44e658f06",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-14T03:54:13Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"449b18e1-6cbc-47ad-96fd-43e5303ca5bd","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781409553,"groups":["Engineering","Project-Alpha"],"iat":1781409253,"iss":"https://keycloak.apps.495bd143-025f-4c0b-96c0-520b38786006.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:dc3e432f-61a5-a44c-9403-8844dc8860d3","preferred_username":"alice_lead","scope":"profile email","sid":"ku7uf0KR9YgJY6WoC22Kh-2U","sub":"582a1cab-1895-4e65-aea5-1c78141ef8c7","typ":"Bearer"}} {"level":"debug","ts":"2026-06-14T03:54:13Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"449b18e1-6cbc-47ad-96fd-43e5303ca5bd","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781409553,"groups":["Engineering","Project-Alpha"],"iat":1781409253,"iss":"https://keycloak.apps.495bd143-025f-4c0b-96c0-520b38786006.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:dc3e432f-61a5-a44c-9403-8844dc8860d3","preferred_username":"alice_lead","scope":"profile email","sid":"ku7uf0KR9YgJY6WoC22Kh-2U","sub":"582a1cab-1895-4e65-aea5-1c78141ef8c7","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.134.0.31:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.495bd143-025f-4c0b-96c0-520b38786006.prod.konfluxeaas.com",":method":"DELETE",":path":"/maas-api/v1/api-keys/8e777c0f-bb00-4a8d-a0b1-fed44e658f06",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-14T03:54:13Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"449b18e1-6cbc-47ad-96fd-43e5303ca5bd","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-14T03:54:13Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"449b18e1-6cbc-47ad-96fd-43e5303ca5bd","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-14T03:54:13Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"449b18e1-6cbc-47ad-96fd-43e5303ca5bd","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-14T03:54:13Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"449b18e1-6cbc-47ad-96fd-43e5303ca5bd","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"groups_str","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"userid","Value":{}},{"Name":"groups","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"keyId","Value":{}}]},"Plain":null},"reason":"no such key: metadata"} {"level":"debug","ts":"2026-06-14T03:54:13Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"449b18e1-6cbc-47ad-96fd-43e5303ca5bd","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"} {"level":"debug","ts":"2026-06-14T03:54:13Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"449b18e1-6cbc-47ad-96fd-43e5303ca5bd","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"} {"level":"debug","ts":"2026-06-14T03:54:13Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"449b18e1-6cbc-47ad-96fd-43e5303ca5bd","config":{"Name":"X-MaaS-Tenant-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Tenant","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"opendatahub"} {"level":"info","ts":"2026-06-14T03:54:13Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"449b18e1-6cbc-47ad-96fd-43e5303ca5bd","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-14T03:54:13Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"449b18e1-6cbc-47ad-96fd-43e5303ca5bd","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-14T03:54:16Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"4c058eac-9a7c-4f47-ab16-72a866fbc3e5","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.13:56098","PortSpecifier":{"PortValue":56098}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.31:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"4c058eac-9a7c-4f47-ab16-72a866fbc3e5","method":"GET","path":"/maas-api/v1/models","host":"maas.apps.495bd143-025f-4c0b-96c0-520b38786006.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-14T03:54:16Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"4c058eac-9a7c-4f47-ab16-72a866fbc3e5","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.13:56098","PortSpecifier":{"PortValue":56098}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.31:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781409256,"nanos":576553872},"http":{"id":"4c058eac-9a7c-4f47-ab16-72a866fbc3e5","method":"GET","headers":{":authority":"maas.apps.495bd143-025f-4c0b-96c0-520b38786006.prod.konfluxeaas.com",":method":"GET",":path":"/maas-api/v1/models",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-14T03:54:16Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"4c058eac-9a7c-4f47-ab16-72a866fbc3e5","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-AejYZuWLtgXDYheu_bJPQLx8KdoJtqFXmYH1MgU5qP1PpFle0r9mJpZ6Kfr4"} {"level":"debug","ts":"2026-06-14T03:54:16Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"4c058eac-9a7c-4f47-ab16-72a866fbc3e5","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-AejYZuWLtgXDYheu_bJPQLx8KdoJtqFXmYH1MgU5qP1PpFle0r9mJpZ6Kfr4\"}"} {"level":"debug","ts":"2026-06-14T03:54:16Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"4c058eac-9a7c-4f47-ab16-72a866fbc3e5","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** revoked or expired","valid":false}} {"level":"debug","ts":"2026-06-14T03:54:16Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"4c058eac-9a7c-4f47-ab16-72a866fbc3e5","input":{"auth":{"identity":"Bearer **** revoked or expired","valid":false}}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.134.0.31:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.495bd143-025f-4c0b-96c0-520b38786006.prod.konfluxeaas.com",":method":"GET",":path":"/maas-api/v1/models",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-14T03:54:16Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"4c058eac-9a7c-4f47-ab16-72a866fbc3e5","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-14T03:54:16Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access denied","request id":"4c058eac-9a7c-4f47-ab16-72a866fbc3e5","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"reason":"Unauthorized"} {"level":"info","ts":"2026-06-14T03:54:16Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"4c058eac-9a7c-4f47-ab16-72a866fbc3e5","authorized":false,"response":"PERMISSION_DENIED","object":{"code":7,"status":403,"message":"Unauthorized"}} {"level":"debug","ts":"2026-06-14T03:54:16Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"4c058eac-9a7c-4f47-ab16-72a866fbc3e5","authorized":false,"response":"PERMISSION_DENIED","object":{"code":7,"status":403,"message":"Unauthorized","headers":[{"content-type":"text/plain"},{"x-ext-auth-reason":""}]}} {"level":"info","ts":"2026-06-14T03:54:16Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"da2635a9-4690-4a95-af54-1e01db08fa37","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.13:56104","PortSpecifier":{"PortValue":56104}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.31:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"da2635a9-4690-4a95-af54-1e01db08fa37","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.495bd143-025f-4c0b-96c0-520b38786006.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-14T03:54:16Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"da2635a9-4690-4a95-af54-1e01db08fa37","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.13:56104","PortSpecifier":{"PortValue":56104}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.31:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781409256,"nanos":702351052},"http":{"id":"da2635a9-4690-4a95-af54-1e01db08fa37","method":"POST","headers":{":authority":"maas.apps.495bd143-025f-4c0b-96c0-520b38786006.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-14T03:54:16Z","logger":"authorino.service.auth.authpipeline.identity","msg":"cannot validate identity","request id":"da2635a9-4690-4a95-af54-1e01db08fa37","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"reason":"failed to verify signature: failed to verify id token signature"} {"level":"debug","ts":"2026-06-14T03:54:16Z","logger":"authorino.service.auth.authpipeline.identity.kubernetesauth","msg":"calling kubernetes token review api","request id":"da2635a9-4690-4a95-af54-1e01db08fa37","tokenreview":{"name":""}} {"level":"debug","ts":"2026-06-14T03:54:16Z","logger":"authorino.service.auth.authpipeline.identity","msg":"cannot validate identity","request id":"da2635a9-4690-4a95-af54-1e01db08fa37","config":{"Name":"openshift-identities","Priority":2,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":null,"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"Plain":null,"Noop":null,"ExtendedProperties":[]},"reason":"not authenticated"} {"level":"info","ts":"2026-06-14T03:54:16Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"da2635a9-4690-4a95-af54-1e01db08fa37","authorized":false,"response":"UNAUTHENTICATED","object":{"code":16,"status":401,"message":"Authentication required"}} {"level":"debug","ts":"2026-06-14T03:54:16Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"da2635a9-4690-4a95-af54-1e01db08fa37","authorized":false,"response":"UNAUTHENTICATED","object":{"code":16,"status":401,"message":"Authentication required","headers":[{"WWW-Authenticate":"request.headers.authorization realm=\"api-keys\""},{"WWW-Authenticate":"Bearer **** realm=\"openshift-identities\""}]}} {"level":"info","ts":"2026-06-14T03:54:16Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"07f35dd7-1da4-4aef-879a-4481bd85bc48","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.13:56106","PortSpecifier":{"PortValue":56106}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.31:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"07f35dd7-1da4-4aef-879a-4481bd85bc48","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.495bd143-025f-4c0b-96c0-520b38786006.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-14T03:54:16Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"07f35dd7-1da4-4aef-879a-4481bd85bc48","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.13:56106","PortSpecifier":{"PortValue":56106}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.31:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781409256,"nanos":860287593},"http":{"id":"07f35dd7-1da4-4aef-879a-4481bd85bc48","method":"POST","headers":{":authority":"maas.apps.495bd143-025f-4c0b-96c0-520b38786006.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-14T03:54:16Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"07f35dd7-1da4-4aef-879a-4481bd85bc48","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781409556,"groups":["Engineering","Project-Alpha"],"iat":1781409256,"iss":"https://keycloak.apps.495bd143-025f-4c0b-96c0-520b38786006.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:95346329-5b34-541c-7ac4-4b642cd20a2d","preferred_username":"alice_lead","scope":"profile email","sid":"W34-WeFS3fblcbsKvyLOrpLz","sub":"582a1cab-1895-4e65-aea5-1c78141ef8c7","typ":"Bearer"}} {"level":"debug","ts":"2026-06-14T03:54:16Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"07f35dd7-1da4-4aef-879a-4481bd85bc48","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781409556,"groups":["Engineering","Project-Alpha"],"iat":1781409256,"iss":"https://keycloak.apps.495bd143-025f-4c0b-96c0-520b38786006.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:95346329-5b34-541c-7ac4-4b642cd20a2d","preferred_username":"alice_lead","scope":"profile email","sid":"W34-WeFS3fblcbsKvyLOrpLz","sub":"582a1cab-1895-4e65-aea5-1c78141ef8c7","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.134.0.31:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.495bd143-025f-4c0b-96c0-520b38786006.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-14T03:54:16Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"07f35dd7-1da4-4aef-879a-4481bd85bc48","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-14T03:54:16Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"07f35dd7-1da4-4aef-879a-4481bd85bc48","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-14T03:54:16Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"07f35dd7-1da4-4aef-879a-4481bd85bc48","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-14T03:54:16Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"07f35dd7-1da4-4aef-879a-4481bd85bc48","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"groups_str","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"userid","Value":{}},{"Name":"groups","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"keyId","Value":{}}]},"Plain":null},"reason":"no such key: metadata"} {"level":"debug","ts":"2026-06-14T03:54:16Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"07f35dd7-1da4-4aef-879a-4481bd85bc48","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"} {"level":"debug","ts":"2026-06-14T03:54:16Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"07f35dd7-1da4-4aef-879a-4481bd85bc48","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"} {"level":"debug","ts":"2026-06-14T03:54:16Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"07f35dd7-1da4-4aef-879a-4481bd85bc48","config":{"Name":"X-MaaS-Tenant-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Tenant","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"opendatahub"} {"level":"info","ts":"2026-06-14T03:54:16Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"07f35dd7-1da4-4aef-879a-4481bd85bc48","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-14T03:54:16Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"07f35dd7-1da4-4aef-879a-4481bd85bc48","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-14T03:54:16Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"7b508bcc-f327-42c1-9b54-5d7b85e22d08","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.13:56110","PortSpecifier":{"PortValue":56110}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.31:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"7b508bcc-f327-42c1-9b54-5d7b85e22d08","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.495bd143-025f-4c0b-96c0-520b38786006.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-14T03:54:16Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"7b508bcc-f327-42c1-9b54-5d7b85e22d08","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.13:56110","PortSpecifier":{"PortValue":56110}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.31:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781409256,"nanos":893676636},"http":{"id":"7b508bcc-f327-42c1-9b54-5d7b85e22d08","method":"POST","headers":{":authority":"maas.apps.495bd143-025f-4c0b-96c0-520b38786006.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-14T03:54:16Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"7b508bcc-f327-42c1-9b54-5d7b85e22d08","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781409556,"groups":["Site-Reliability"],"iat":1781409256,"iss":"https://keycloak.apps.495bd143-025f-4c0b-96c0-520b38786006.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:fc6fe25f-76c8-5ac0-735b-2b1502ce5123","preferred_username":"bob_sre","scope":"profile email","sid":"jv6YA5jbmROJzQcEIo1bgkrh","sub":"6be5ba2f-8aae-4374-8bf4-2a11485158c9","typ":"Bearer"}} {"level":"debug","ts":"2026-06-14T03:54:16Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"7b508bcc-f327-42c1-9b54-5d7b85e22d08","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781409556,"groups":["Site-Reliability"],"iat":1781409256,"iss":"https://keycloak.apps.495bd143-025f-4c0b-96c0-520b38786006.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:fc6fe25f-76c8-5ac0-735b-2b1502ce5123","preferred_username":"bob_sre","scope":"profile email","sid":"jv6YA5jbmROJzQcEIo1bgkrh","sub":"6be5ba2f-8aae-4374-8bf4-2a11485158c9","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.134.0.31:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.495bd143-025f-4c0b-96c0-520b38786006.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-14T03:54:16Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"7b508bcc-f327-42c1-9b54-5d7b85e22d08","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-14T03:54:16Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"7b508bcc-f327-42c1-9b54-5d7b85e22d08","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-14T03:54:16Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"7b508bcc-f327-42c1-9b54-5d7b85e22d08","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-14T03:54:16Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"7b508bcc-f327-42c1-9b54-5d7b85e22d08","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"groups_str","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"userid","Value":{}},{"Name":"groups","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"keyId","Value":{}}]},"Plain":null},"reason":"no such key: metadata"} {"level":"debug","ts":"2026-06-14T03:54:16Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"7b508bcc-f327-42c1-9b54-5d7b85e22d08","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"bob_sre"} {"level":"debug","ts":"2026-06-14T03:54:16Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"7b508bcc-f327-42c1-9b54-5d7b85e22d08","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Site-Reliability\"]"} {"level":"debug","ts":"2026-06-14T03:54:16Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"7b508bcc-f327-42c1-9b54-5d7b85e22d08","config":{"Name":"X-MaaS-Tenant-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Tenant","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"opendatahub"} {"level":"info","ts":"2026-06-14T03:54:16Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"7b508bcc-f327-42c1-9b54-5d7b85e22d08","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-14T03:54:16Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"7b508bcc-f327-42c1-9b54-5d7b85e22d08","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-14T03:54:16Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"5036ecd5-f904-4b48-b42b-3bda179001e4","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.13:56124","PortSpecifier":{"PortValue":56124}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.31:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"5036ecd5-f904-4b48-b42b-3bda179001e4","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.495bd143-025f-4c0b-96c0-520b38786006.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-14T03:54:16Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"5036ecd5-f904-4b48-b42b-3bda179001e4","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.13:56124","PortSpecifier":{"PortValue":56124}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.31:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781409256,"nanos":989181429},"http":{"id":"5036ecd5-f904-4b48-b42b-3bda179001e4","method":"POST","headers":{":authority":"maas.apps.495bd143-025f-4c0b-96c0-520b38786006.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-14T03:54:16Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"5036ecd5-f904-4b48-b42b-3bda179001e4","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781409556,"groups":["Engineering","Project-Alpha"],"iat":1781409256,"iss":"https://keycloak.apps.495bd143-025f-4c0b-96c0-520b38786006.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:88e07f9d-e84f-886a-d25c-9303688010c0","preferred_username":"alice_lead","scope":"profile email","sid":"tXxc1W6VQ-msdlm9ZFPzQ2hn","sub":"582a1cab-1895-4e65-aea5-1c78141ef8c7","typ":"Bearer"}} {"level":"debug","ts":"2026-06-14T03:54:16Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"5036ecd5-f904-4b48-b42b-3bda179001e4","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781409556,"groups":["Engineering","Project-Alpha"],"iat":1781409256,"iss":"https://keycloak.apps.495bd143-025f-4c0b-96c0-520b38786006.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:88e07f9d-e84f-886a-d25c-9303688010c0","preferred_username":"alice_lead","scope":"profile email","sid":"tXxc1W6VQ-msdlm9ZFPzQ2hn","sub":"582a1cab-1895-4e65-aea5-1c78141ef8c7","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.134.0.31:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.495bd143-025f-4c0b-96c0-520b38786006.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-14T03:54:16Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"5036ecd5-f904-4b48-b42b-3bda179001e4","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-14T03:54:16Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"5036ecd5-f904-4b48-b42b-3bda179001e4","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-14T03:54:16Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"5036ecd5-f904-4b48-b42b-3bda179001e4","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-14T03:54:16Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"5036ecd5-f904-4b48-b42b-3bda179001e4","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"groups_str","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"userid","Value":{}},{"Name":"groups","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"keyId","Value":{}}]},"Plain":null},"reason":"no such key: metadata"} {"level":"debug","ts":"2026-06-14T03:54:16Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"5036ecd5-f904-4b48-b42b-3bda179001e4","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"} {"level":"debug","ts":"2026-06-14T03:54:16Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"5036ecd5-f904-4b48-b42b-3bda179001e4","config":{"Name":"X-MaaS-Tenant-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Tenant","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"opendatahub"} {"level":"debug","ts":"2026-06-14T03:54:16Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"5036ecd5-f904-4b48-b42b-3bda179001e4","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"} {"level":"info","ts":"2026-06-14T03:54:16Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"5036ecd5-f904-4b48-b42b-3bda179001e4","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-14T03:54:16Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"5036ecd5-f904-4b48-b42b-3bda179001e4","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-14T03:54:17Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"f3fe5e6e-5da9-43cc-a7b1-de186762a3b8","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.13:56136","PortSpecifier":{"PortValue":56136}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.31:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"f3fe5e6e-5da9-43cc-a7b1-de186762a3b8","method":"DELETE","path":"/maas-api/v1/api-keys/53c2ab4f-2218-4515-b6a9-d99b4d7bb7f1","host":"maas.apps.495bd143-025f-4c0b-96c0-520b38786006.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-14T03:54:17Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"f3fe5e6e-5da9-43cc-a7b1-de186762a3b8","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.13:56136","PortSpecifier":{"PortValue":56136}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.31:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781409257,"nanos":35122817},"http":{"id":"f3fe5e6e-5da9-43cc-a7b1-de186762a3b8","method":"DELETE","headers":{":authority":"maas.apps.495bd143-025f-4c0b-96c0-520b38786006.prod.konfluxeaas.com",":method":"DELETE",":path":"/maas-api/v1/api-keys/53c2ab4f-2218-4515-b6a9-d99b4d7bb7f1",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-14T03:54:17Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"f3fe5e6e-5da9-43cc-a7b1-de186762a3b8","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781409556,"groups":["Engineering","Project-Alpha"],"iat":1781409256,"iss":"https://keycloak.apps.495bd143-025f-4c0b-96c0-520b38786006.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:88e07f9d-e84f-886a-d25c-9303688010c0","preferred_username":"alice_lead","scope":"profile email","sid":"tXxc1W6VQ-msdlm9ZFPzQ2hn","sub":"582a1cab-1895-4e65-aea5-1c78141ef8c7","typ":"Bearer"}} {"level":"debug","ts":"2026-06-14T03:54:17Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"f3fe5e6e-5da9-43cc-a7b1-de186762a3b8","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781409556,"groups":["Engineering","Project-Alpha"],"iat":1781409256,"iss":"https://keycloak.apps.495bd143-025f-4c0b-96c0-520b38786006.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:88e07f9d-e84f-886a-d25c-9303688010c0","preferred_username":"alice_lead","scope":"profile email","sid":"tXxc1W6VQ-msdlm9ZFPzQ2hn","sub":"582a1cab-1895-4e65-aea5-1c78141ef8c7","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.134.0.31:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.495bd143-025f-4c0b-96c0-520b38786006.prod.konfluxeaas.com",":method":"DELETE",":path":"/maas-api/v1/api-keys/53c2ab4f-2218-4515-b6a9-d99b4d7bb7f1",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-14T03:54:17Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"f3fe5e6e-5da9-43cc-a7b1-de186762a3b8","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-14T03:54:17Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"f3fe5e6e-5da9-43cc-a7b1-de186762a3b8","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-14T03:54:17Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"f3fe5e6e-5da9-43cc-a7b1-de186762a3b8","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-14T03:54:17Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"f3fe5e6e-5da9-43cc-a7b1-de186762a3b8","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"groups_str","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"userid","Value":{}},{"Name":"groups","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"keyId","Value":{}}]},"Plain":null},"reason":"no such key: metadata"} {"level":"debug","ts":"2026-06-14T03:54:17Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"f3fe5e6e-5da9-43cc-a7b1-de186762a3b8","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"} {"level":"debug","ts":"2026-06-14T03:54:17Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"f3fe5e6e-5da9-43cc-a7b1-de186762a3b8","config":{"Name":"X-MaaS-Tenant-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Tenant","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"opendatahub"} {"level":"debug","ts":"2026-06-14T03:54:17Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"f3fe5e6e-5da9-43cc-a7b1-de186762a3b8","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"} {"level":"info","ts":"2026-06-14T03:54:17Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"f3fe5e6e-5da9-43cc-a7b1-de186762a3b8","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-14T03:54:17Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"f3fe5e6e-5da9-43cc-a7b1-de186762a3b8","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-14T03:54:17Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"9e38c8ed-0869-4fb2-9d8f-012633294a23","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.13:56148","PortSpecifier":{"PortValue":56148}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.31:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"9e38c8ed-0869-4fb2-9d8f-012633294a23","method":"DELETE","path":"/maas-api/v1/api-keys/53c2ab4f-2218-4515-b6a9-d99b4d7bb7f1","host":"maas.apps.495bd143-025f-4c0b-96c0-520b38786006.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-14T03:54:17Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"9e38c8ed-0869-4fb2-9d8f-012633294a23","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.13:56148","PortSpecifier":{"PortValue":56148}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.31:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781409257,"nanos":63076657},"http":{"id":"9e38c8ed-0869-4fb2-9d8f-012633294a23","method":"DELETE","headers":{":authority":"maas.apps.495bd143-025f-4c0b-96c0-520b38786006.prod.konfluxeaas.com",":method":"DELETE",":path":"/maas-api/v1/api-keys/53c2ab4f-2218-4515-b6a9-d99b4d7bb7f1",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-14T03:54:17Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"9e38c8ed-0869-4fb2-9d8f-012633294a23","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781409556,"groups":["Engineering","Project-Alpha"],"iat":1781409256,"iss":"https://keycloak.apps.495bd143-025f-4c0b-96c0-520b38786006.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:88e07f9d-e84f-886a-d25c-9303688010c0","preferred_username":"alice_lead","scope":"profile email","sid":"tXxc1W6VQ-msdlm9ZFPzQ2hn","sub":"582a1cab-1895-4e65-aea5-1c78141ef8c7","typ":"Bearer"}} {"level":"debug","ts":"2026-06-14T03:54:17Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"9e38c8ed-0869-4fb2-9d8f-012633294a23","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781409556,"groups":["Engineering","Project-Alpha"],"iat":1781409256,"iss":"https://keycloak.apps.495bd143-025f-4c0b-96c0-520b38786006.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:88e07f9d-e84f-886a-d25c-9303688010c0","preferred_username":"alice_lead","scope":"profile email","sid":"tXxc1W6VQ-msdlm9ZFPzQ2hn","sub":"582a1cab-1895-4e65-aea5-1c78141ef8c7","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.134.0.31:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.495bd143-025f-4c0b-96c0-520b38786006.prod.konfluxeaas.com",":method":"DELETE",":path":"/maas-api/v1/api-keys/53c2ab4f-2218-4515-b6a9-d99b4d7bb7f1",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-14T03:54:17Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"9e38c8ed-0869-4fb2-9d8f-012633294a23","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-14T03:54:17Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"9e38c8ed-0869-4fb2-9d8f-012633294a23","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-14T03:54:17Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"9e38c8ed-0869-4fb2-9d8f-012633294a23","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-14T03:54:17Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"9e38c8ed-0869-4fb2-9d8f-012633294a23","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"groups_str","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"userid","Value":{}},{"Name":"groups","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"keyId","Value":{}}]},"Plain":null},"reason":"no such key: metadata"} {"level":"debug","ts":"2026-06-14T03:54:17Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"9e38c8ed-0869-4fb2-9d8f-012633294a23","config":{"Name":"X-MaaS-Tenant-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Tenant","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"opendatahub"} {"level":"debug","ts":"2026-06-14T03:54:17Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"9e38c8ed-0869-4fb2-9d8f-012633294a23","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"} {"level":"debug","ts":"2026-06-14T03:54:17Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"9e38c8ed-0869-4fb2-9d8f-012633294a23","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"} {"level":"info","ts":"2026-06-14T03:54:17Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"9e38c8ed-0869-4fb2-9d8f-012633294a23","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-14T03:54:17Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"9e38c8ed-0869-4fb2-9d8f-012633294a23","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-14T03:54:17Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"403d2c39-2d82-4e3e-bc4a-802b48a28a9d","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.13:56150","PortSpecifier":{"PortValue":56150}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.31:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"403d2c39-2d82-4e3e-bc4a-802b48a28a9d","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.495bd143-025f-4c0b-96c0-520b38786006.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-14T03:54:17Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"403d2c39-2d82-4e3e-bc4a-802b48a28a9d","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.13:56150","PortSpecifier":{"PortValue":56150}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.31:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781409257,"nanos":151031163},"http":{"id":"403d2c39-2d82-4e3e-bc4a-802b48a28a9d","method":"POST","headers":{":authority":"maas.apps.495bd143-025f-4c0b-96c0-520b38786006.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-14T03:54:17Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"403d2c39-2d82-4e3e-bc4a-802b48a28a9d","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781409557,"groups":["Engineering","Project-Alpha"],"iat":1781409257,"iss":"https://keycloak.apps.495bd143-025f-4c0b-96c0-520b38786006.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:47c757a3-7bf1-b78e-8fc7-3b0f653bd5c6","preferred_username":"alice_lead","scope":"profile email","sid":"XF-jGShOYjxcb6_19xXfcXhe","sub":"582a1cab-1895-4e65-aea5-1c78141ef8c7","typ":"Bearer"}} {"level":"debug","ts":"2026-06-14T03:54:17Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"403d2c39-2d82-4e3e-bc4a-802b48a28a9d","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781409557,"groups":["Engineering","Project-Alpha"],"iat":1781409257,"iss":"https://keycloak.apps.495bd143-025f-4c0b-96c0-520b38786006.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:47c757a3-7bf1-b78e-8fc7-3b0f653bd5c6","preferred_username":"alice_lead","scope":"profile email","sid":"XF-jGShOYjxcb6_19xXfcXhe","sub":"582a1cab-1895-4e65-aea5-1c78141ef8c7","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.134.0.31:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.495bd143-025f-4c0b-96c0-520b38786006.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-14T03:54:17Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"403d2c39-2d82-4e3e-bc4a-802b48a28a9d","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-14T03:54:17Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"403d2c39-2d82-4e3e-bc4a-802b48a28a9d","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-14T03:54:17Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"403d2c39-2d82-4e3e-bc4a-802b48a28a9d","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-14T03:54:17Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"403d2c39-2d82-4e3e-bc4a-802b48a28a9d","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"groups_str","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"userid","Value":{}},{"Name":"groups","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"keyId","Value":{}}]},"Plain":null},"reason":"no such key: metadata"} {"level":"debug","ts":"2026-06-14T03:54:17Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"403d2c39-2d82-4e3e-bc4a-802b48a28a9d","config":{"Name":"X-MaaS-Tenant-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Tenant","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"opendatahub"} {"level":"debug","ts":"2026-06-14T03:54:17Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"403d2c39-2d82-4e3e-bc4a-802b48a28a9d","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"} {"level":"debug","ts":"2026-06-14T03:54:17Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"403d2c39-2d82-4e3e-bc4a-802b48a28a9d","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"} {"level":"info","ts":"2026-06-14T03:54:17Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"403d2c39-2d82-4e3e-bc4a-802b48a28a9d","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-14T03:54:17Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"403d2c39-2d82-4e3e-bc4a-802b48a28a9d","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-14T03:54:17Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"1e373582-36d3-42ae-9438-7f97bb1c17ff","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.13:56162","PortSpecifier":{"PortValue":56162}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.31:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"1e373582-36d3-42ae-9438-7f97bb1c17ff","method":"GET","path":"/maas-api/v1/models","host":"maas.apps.495bd143-025f-4c0b-96c0-520b38786006.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-14T03:54:17Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"1e373582-36d3-42ae-9438-7f97bb1c17ff","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.13:56162","PortSpecifier":{"PortValue":56162}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.31:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781409257,"nanos":184426689},"http":{"id":"1e373582-36d3-42ae-9438-7f97bb1c17ff","method":"GET","headers":{":authority":"maas.apps.495bd143-025f-4c0b-96c0-520b38786006.prod.konfluxeaas.com",":method":"GET",":path":"/maas-api/v1/models",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-14T03:54:17Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"1e373582-36d3-42ae-9438-7f97bb1c17ff","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-14z1SJbipNkx2esJO_SzMXFGfEoSC0Do0bVdLj4QXk7ZSJu4e57jAqbUp3Z37"} {"level":"debug","ts":"2026-06-14T03:54:17Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"1e373582-36d3-42ae-9438-7f97bb1c17ff","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-14z1SJbipNkx2esJO_SzMXFGfEoSC0Do0bVdLj4QXk7ZSJu4e57jAqbUp3Z37\"}"} {"level":"debug","ts":"2026-06-14T03:54:17Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"1e373582-36d3-42ae-9438-7f97bb1c17ff","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-14T03:54:17Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"1e373582-36d3-42ae-9438-7f97bb1c17ff","input":{"auth":{"identity":"Bearer **** deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-14T03:54:17Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"1e373582-36d3-42ae-9438-7f97bb1c17ff","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-14T03:54:17Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"1e373582-36d3-42ae-9438-7f97bb1c17ff","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-14T03:54:17Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"1e373582-36d3-42ae-9438-7f97bb1c17ff","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-14T03:54:17Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"1e373582-36d3-42ae-9438-7f97bb1c17ff","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-14T03:54:17Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"1e373582-36d3-42ae-9438-7f97bb1c17ff","config":{"Name":"X-MaaS-Tenant","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-14T03:54:17Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"1e373582-36d3-42ae-9438-7f97bb1c17ff","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-14T03:54:17Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"1e373582-36d3-42ae-9438-7f97bb1c17ff","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"} {"level":"debug","ts":"2026-06-14T03:54:17Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"1e373582-36d3-42ae-9438-7f97bb1c17ff","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"groups_str","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"userid","Value":{}},{"Name":"groups","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"keyId","Value":{}}]},"Plain":null},"reason":"no such key: subscription-info"} {"level":"info","ts":"2026-06-14T03:54:17Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"1e373582-36d3-42ae-9438-7f97bb1c17ff","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-14T03:54:17Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"1e373582-36d3-42ae-9438-7f97bb1c17ff","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-14T03:54:17Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"31d7a79f-2831-4808-8eb2-7480c150328d","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.31:56230","PortSpecifier":{"PortValue":56230}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.31:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"31d7a79f-2831-4808-8eb2-7480c150328d","method":"GET","path":"/llm/facebook-opt-125m-simulated/v1/models","host":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local","scheme":"https"}}}} {"level":"debug","ts":"2026-06-14T03:54:17Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"31d7a79f-2831-4808-8eb2-7480c150328d","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.31:56230","PortSpecifier":{"PortValue":56230}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.31:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781409257,"nanos":191467629},"http":{"id":"31d7a79f-2831-4808-8eb2-7480c150328d","method":"GET","headers":{":authority":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local",":method":"GET",":path":"/llm/facebook-opt-125m-simulated/v1/models",":scheme":"https","accept-encoding":"gzip","authorization":"Bearer **** {"level":"debug","ts":"2026-06-14T03:54:17Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"31d7a79f-2831-4808-8eb2-7480c150328d","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-14z1SJbipNkx2esJO_SzMXFGfEoSC0Do0bVdLj4QXk7ZSJu4e57jAqbUp3Z37"} {"level":"debug","ts":"2026-06-14T03:54:17Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"31d7a79f-2831-4808-8eb2-7480c150328d","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-14z1SJbipNkx2esJO_SzMXFGfEoSC0Do0bVdLj4QXk7ZSJu4e57jAqbUp3Z37\"}"} {"level":"debug","ts":"2026-06-14T03:54:17Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"31d7a79f-2831-4808-8eb2-7480c150328d","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-14T03:54:17Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"31d7a79f-2831-4808-8eb2-7480c150328d","config":"subscription-info","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","headers":{"Content-Type":["application/json"]},"body":"{\"groups\":[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"],\"requestedModel\":\"llm/facebook-opt-125m-simulated\",\"requestedSubscription\":\"simulator-subscription\",\"username\":\"alice_lead\"}"} {"level":"debug","ts":"2026-06-14T03:54:17Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"31d7a79f-2831-4808-8eb2-7480c150328d","config":{"Name":"subscription-info","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"UserInfo":null,"UMA":null,"GenericHTTP":{"Endpoint":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","DynamicEndpoint":null,"Method":"POST","Body":{},"Parameters":[],"Headers":[],"ContentType":"application/json","SharedSecret":"","OAuth2":null,"OAuth2TokenForceFetch":false,"AuthCredentials":null}},"object":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}} {"level":"debug","ts":"2026-06-14T03:54:17Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"31d7a79f-2831-4808-8eb2-7480c150328d","input":{"auth":{"identity":"Bearer **** subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}}},"context":{"context_extensions":{"host":"3dd75e19cd66d310c30638e330078972afd6d2d96305f91055bc6a6f363fb8d3"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.134.0.31:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local",":method":"GET",":path":"/llm/facebook-opt-125m-simulated/v1/models",":scheme":"https","accept-encoding":"gzip","authorization":"Bearer **** sk-oai-14z1SJbipNkx2esJO_SzMXFGfEoSC0Do0bVdLj4QXk7ZSJu4e57jAqbUp3Z37","user-agent":"Go-http-client/1.1","x-envoy-decorator-operation":"facebook-opt-125m-simulated-kserve-workload-svc.llm.svc.cluster.local:8000/*","x-envoy-external-address":"10.132.0.31","x-envoy-peer-metadata":"ChoKCkNMVVNURVJfSUQSDBoKS3ViZXJuZXRlcwqLAQoGTEFCRUxTEoABKn4KSwofc2VydmljZS5pc3Rpby5pby9jYW5vbmljYWwtbmFtZRIoGiZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAovCiNzZXJ2aWNlLmlzdGlvLmlvL2Nhbm9uaWNhbC1yZXZpc2lvbhIIGgZsYXRlc3QKQAoETkFNRRI4GjZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdC02ODdmZjY5OTYtbHdwZ2QKIAoJTkFNRVNQQUNFEhMaEW9wZW5zaGlmdC1pbmdyZXNzCnQKBU9XTkVSEmsaaWt1YmVybmV0ZXM6Ly9hcGlzL2FwcHMvdjEvbmFtZXNwYWNlcy9vcGVuc2hpZnQtaW5ncmVzcy9kZXBsb3ltZW50cy9tYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAo5Cg1XT1JLTE9BRF9OQU1FEigaJm1hYXMtZGVmYXVsdC1nYXRld2F5LW9wZW5zaGlmdC1kZWZhdWx0","x-envoy-peer-metadata-id":"router~10.134.0.31~maas-default-gateway-openshift-default-687ff6996-lwpgd.openshift-ingress~openshift-ingress.svc.cluster.local","x-forwarded-for":"10.132.0.31","x-forwarded-proto":"https","x-maas-subscription":"simulator-subscription","x-request-id":"31d7a79f-2831-4808-8eb2-7480c150328d"},"host":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local","id":"31d7a79f-2831-4808-8eb2-7480c150328d","method":"GET","path":"/llm/facebook-opt-125m-simulated/v1/models","protocol":"HTTP/1.1","scheme":"https","time":{"nanos":191467629,"seconds":1781409257},"url_path":"/llm/facebook-opt-125m-simulated/v1/models","user_agent":"Go-http-client/1.1"},"source":{"address":"10.132.0.31:56230","port":56230}}} {"level":"debug","ts":"2026-06-14T03:54:17Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"31d7a79f-2831-4808-8eb2-7480c150328d","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-14T03:54:17Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"31d7a79f-2831-4808-8eb2-7480c150328d","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-14T03:54:17Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"31d7a79f-2831-4808-8eb2-7480c150328d","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-14T03:54:17Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"31d7a79f-2831-4808-8eb2-7480c150328d","config":{"Name":"subscription-valid","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-14T03:54:17Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"31d7a79f-2831-4808-8eb2-7480c150328d","config":{"Name":"X-MaaS-Tenant","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-14T03:54:17Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"31d7a79f-2831-4808-8eb2-7480c150328d","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-14T03:54:17Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"31d7a79f-2831-4808-8eb2-7480c150328d","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-14T03:54:17Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"31d7a79f-2831-4808-8eb2-7480c150328d","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"} {"level":"debug","ts":"2026-06-14T03:54:17Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"31d7a79f-2831-4808-8eb2-7480c150328d","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"groups_str","Value":{}},{"Name":"userid","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"groups","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription","Value":{}}]},"Plain":null},"object":{"groups":["system:authenticated","Engineering","Project-Alpha"],"groups_str":"system:authenticated,Engineering,Project-Alpha","keyId":"925f18f3-b03c-4357-b854-c410587783ce","selected_subscription":"simulator-subscription","selected_subscription_key":"models-as-a-service/simulator-subscription@llm/facebook-opt-125m-simulated","subscription_error":"","subscription_error_message":"","subscription_info":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true},"userid":"alice_lead"}} {"level":"info","ts":"2026-06-14T03:54:17Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"31d7a79f-2831-4808-8eb2-7480c150328d","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-14T03:54:17Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"31d7a79f-2831-4808-8eb2-7480c150328d","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-14T03:54:17Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"0616cd4d-f1ca-49dc-b83d-7e1aab2f8898","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.13:56170","PortSpecifier":{"PortValue":56170}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.31:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"0616cd4d-f1ca-49dc-b83d-7e1aab2f8898","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.495bd143-025f-4c0b-96c0-520b38786006.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-14T03:54:17Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"0616cd4d-f1ca-49dc-b83d-7e1aab2f8898","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.13:56170","PortSpecifier":{"PortValue":56170}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.31:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781409257,"nanos":283545350},"http":{"id":"0616cd4d-f1ca-49dc-b83d-7e1aab2f8898","method":"POST","headers":{":authority":"maas.apps.495bd143-025f-4c0b-96c0-520b38786006.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-14T03:54:17Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"0616cd4d-f1ca-49dc-b83d-7e1aab2f8898","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781409557,"groups":["Engineering","Project-Alpha"],"iat":1781409257,"iss":"https://keycloak.apps.495bd143-025f-4c0b-96c0-520b38786006.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:91619b72-4678-9e43-95c8-ff089880f3d8","preferred_username":"alice_lead","scope":"profile email","sid":"C4-Hi02cTjaESoS1_SJ5nZ5c","sub":"582a1cab-1895-4e65-aea5-1c78141ef8c7","typ":"Bearer"}} {"level":"debug","ts":"2026-06-14T03:54:17Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"0616cd4d-f1ca-49dc-b83d-7e1aab2f8898","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781409557,"groups":["Engineering","Project-Alpha"],"iat":1781409257,"iss":"https://keycloak.apps.495bd143-025f-4c0b-96c0-520b38786006.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:91619b72-4678-9e43-95c8-ff089880f3d8","preferred_username":"alice_lead","scope":"profile email","sid":"C4-Hi02cTjaESoS1_SJ5nZ5c","sub":"582a1cab-1895-4e65-aea5-1c78141ef8c7","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.134.0.31:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.495bd143-025f-4c0b-96c0-520b38786006.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-14T03:54:17Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"0616cd4d-f1ca-49dc-b83d-7e1aab2f8898","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-14T03:54:17Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"0616cd4d-f1ca-49dc-b83d-7e1aab2f8898","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-14T03:54:17Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"0616cd4d-f1ca-49dc-b83d-7e1aab2f8898","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-14T03:54:17Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"0616cd4d-f1ca-49dc-b83d-7e1aab2f8898","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"groups_str","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"userid","Value":{}},{"Name":"groups","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"keyId","Value":{}}]},"Plain":null},"reason":"no such key: metadata"} {"level":"debug","ts":"2026-06-14T03:54:17Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"0616cd4d-f1ca-49dc-b83d-7e1aab2f8898","config":{"Name":"X-MaaS-Tenant-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Tenant","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"opendatahub"} {"level":"debug","ts":"2026-06-14T03:54:17Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"0616cd4d-f1ca-49dc-b83d-7e1aab2f8898","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"} {"level":"debug","ts":"2026-06-14T03:54:17Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"0616cd4d-f1ca-49dc-b83d-7e1aab2f8898","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"} {"level":"info","ts":"2026-06-14T03:54:17Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"0616cd4d-f1ca-49dc-b83d-7e1aab2f8898","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-14T03:54:17Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"0616cd4d-f1ca-49dc-b83d-7e1aab2f8898","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-14T03:54:17Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"cd527edf-1815-453e-9fc5-9241ed4cc834","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.13:56176","PortSpecifier":{"PortValue":56176}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.31:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"cd527edf-1815-453e-9fc5-9241ed4cc834","method":"GET","path":"/maas-api/v1/models","host":"maas.apps.495bd143-025f-4c0b-96c0-520b38786006.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-14T03:54:17Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"cd527edf-1815-453e-9fc5-9241ed4cc834","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.13:56176","PortSpecifier":{"PortValue":56176}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.31:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781409257,"nanos":313411219},"http":{"id":"cd527edf-1815-453e-9fc5-9241ed4cc834","method":"GET","headers":{":authority":"maas.apps.495bd143-025f-4c0b-96c0-520b38786006.prod.konfluxeaas.com",":method":"GET",":path":"/maas-api/v1/models",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-14T03:54:17Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"cd527edf-1815-453e-9fc5-9241ed4cc834","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-1B8D0TNGTKEFQ1JJz_ih1qDNznBPnR4FoVnO75ptyzto19vEhlXlsCbwJF5oY"} {"level":"debug","ts":"2026-06-14T03:54:17Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"cd527edf-1815-453e-9fc5-9241ed4cc834","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-1B8D0TNGTKEFQ1JJz_ih1qDNznBPnR4FoVnO75ptyzto19vEhlXlsCbwJF5oY\"}"} {"level":"debug","ts":"2026-06-14T03:54:17Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"cd527edf-1815-453e-9fc5-9241ed4cc834","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-14T03:54:17Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"cd527edf-1815-453e-9fc5-9241ed4cc834","input":{"auth":{"identity":"Bearer **** deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-14T03:54:17Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"cd527edf-1815-453e-9fc5-9241ed4cc834","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-14T03:54:17Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"cd527edf-1815-453e-9fc5-9241ed4cc834","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-14T03:54:17Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"cd527edf-1815-453e-9fc5-9241ed4cc834","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-14T03:54:17Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"cd527edf-1815-453e-9fc5-9241ed4cc834","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-14T03:54:17Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"cd527edf-1815-453e-9fc5-9241ed4cc834","config":{"Name":"X-MaaS-Tenant","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-14T03:54:17Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"cd527edf-1815-453e-9fc5-9241ed4cc834","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-14T03:54:17Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"cd527edf-1815-453e-9fc5-9241ed4cc834","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"groups_str","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"userid","Value":{}},{"Name":"groups","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"keyId","Value":{}}]},"Plain":null},"reason":"no such key: subscription-info"} {"level":"debug","ts":"2026-06-14T03:54:17Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"cd527edf-1815-453e-9fc5-9241ed4cc834","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"} {"level":"info","ts":"2026-06-14T03:54:17Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"cd527edf-1815-453e-9fc5-9241ed4cc834","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-14T03:54:17Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"cd527edf-1815-453e-9fc5-9241ed4cc834","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-14T03:54:17Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"a8ea7737-3512-4308-b417-c115a4b38602","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.13:56188","PortSpecifier":{"PortValue":56188}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.31:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"a8ea7737-3512-4308-b417-c115a4b38602","method":"GET","path":"/maas-api/v1/models","host":"maas.apps.495bd143-025f-4c0b-96c0-520b38786006.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-14T03:54:17Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"a8ea7737-3512-4308-b417-c115a4b38602","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.13:56188","PortSpecifier":{"PortValue":56188}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.31:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781409257,"nanos":344387761},"http":{"id":"a8ea7737-3512-4308-b417-c115a4b38602","method":"GET","headers":{":authority":"maas.apps.495bd143-025f-4c0b-96c0-520b38786006.prod.konfluxeaas.com",":method":"GET",":path":"/maas-api/v1/models",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-14T03:54:17Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"a8ea7737-3512-4308-b417-c115a4b38602","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-1B8D0TNGTKEFQ1JJz_ih1qDNznBPnR4FoVnO75ptyzto19vEhlXlsCbwJF5oY"} {"level":"debug","ts":"2026-06-14T03:54:17Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"a8ea7737-3512-4308-b417-c115a4b38602","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-1B8D0TNGTKEFQ1JJz_ih1qDNznBPnR4FoVnO75ptyzto19vEhlXlsCbwJF5oY\"}"} {"level":"debug","ts":"2026-06-14T03:54:17Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"a8ea7737-3512-4308-b417-c115a4b38602","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-14T03:54:17Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"a8ea7737-3512-4308-b417-c115a4b38602","input":{"auth":{"identity":"Bearer **** deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-14T03:54:17Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"a8ea7737-3512-4308-b417-c115a4b38602","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-14T03:54:17Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"a8ea7737-3512-4308-b417-c115a4b38602","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-14T03:54:17Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"a8ea7737-3512-4308-b417-c115a4b38602","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-14T03:54:17Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"a8ea7737-3512-4308-b417-c115a4b38602","config":{"Name":"X-MaaS-Tenant","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-14T03:54:17Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"a8ea7737-3512-4308-b417-c115a4b38602","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-14T03:54:17Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"a8ea7737-3512-4308-b417-c115a4b38602","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-14T03:54:17Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"a8ea7737-3512-4308-b417-c115a4b38602","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"} {"level":"debug","ts":"2026-06-14T03:54:17Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"a8ea7737-3512-4308-b417-c115a4b38602","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"groups_str","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"userid","Value":{}},{"Name":"groups","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"keyId","Value":{}}]},"Plain":null},"reason":"no such key: subscription-info"} {"level":"info","ts":"2026-06-14T03:54:17Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"a8ea7737-3512-4308-b417-c115a4b38602","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-14T03:54:17Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"a8ea7737-3512-4308-b417-c115a4b38602","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-14T03:54:17Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"31cd5336-521b-4a45-a6c7-826a8301b616","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.31:56230","PortSpecifier":{"PortValue":56230}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.31:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"31cd5336-521b-4a45-a6c7-826a8301b616","method":"GET","path":"/llm/facebook-opt-125m-simulated/v1/models","host":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local","scheme":"https"}}}} {"level":"debug","ts":"2026-06-14T03:54:17Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"31cd5336-521b-4a45-a6c7-826a8301b616","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.31:56230","PortSpecifier":{"PortValue":56230}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.31:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781409257,"nanos":351140619},"http":{"id":"31cd5336-521b-4a45-a6c7-826a8301b616","method":"GET","headers":{":authority":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local",":method":"GET",":path":"/llm/facebook-opt-125m-simulated/v1/models",":scheme":"https","accept-encoding":"gzip","authorization":"Bearer **** {"level":"debug","ts":"2026-06-14T03:54:17Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"31cd5336-521b-4a45-a6c7-826a8301b616","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-1B8D0TNGTKEFQ1JJz_ih1qDNznBPnR4FoVnO75ptyzto19vEhlXlsCbwJF5oY"} {"level":"debug","ts":"2026-06-14T03:54:17Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"31cd5336-521b-4a45-a6c7-826a8301b616","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-1B8D0TNGTKEFQ1JJz_ih1qDNznBPnR4FoVnO75ptyzto19vEhlXlsCbwJF5oY\"}"} {"level":"debug","ts":"2026-06-14T03:54:17Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"31cd5336-521b-4a45-a6c7-826a8301b616","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-14T03:54:17Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"31cd5336-521b-4a45-a6c7-826a8301b616","config":"subscription-info","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","headers":{"Content-Type":["application/json"]},"body":"{\"groups\":[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"],\"requestedModel\":\"llm/facebook-opt-125m-simulated\",\"requestedSubscription\":\"simulator-subscription\",\"username\":\"alice_lead\"}"} {"level":"debug","ts":"2026-06-14T03:54:17Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"31cd5336-521b-4a45-a6c7-826a8301b616","config":{"Name":"subscription-info","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"UserInfo":null,"UMA":null,"GenericHTTP":{"Endpoint":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","DynamicEndpoint":null,"Method":"POST","Body":{},"Parameters":[],"Headers":[],"ContentType":"application/json","SharedSecret":"","OAuth2":null,"OAuth2TokenForceFetch":false,"AuthCredentials":null}},"object":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}} {"level":"debug","ts":"2026-06-14T03:54:17Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"31cd5336-521b-4a45-a6c7-826a8301b616","input":{"auth":{"identity":"Bearer **** subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}}},"context":{"context_extensions":{"host":"3dd75e19cd66d310c30638e330078972afd6d2d96305f91055bc6a6f363fb8d3"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.134.0.31:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local",":method":"GET",":path":"/llm/facebook-opt-125m-simulated/v1/models",":scheme":"https","accept-encoding":"gzip","authorization":"Bearer **** sk-oai-1B8D0TNGTKEFQ1JJz_ih1qDNznBPnR4FoVnO75ptyzto19vEhlXlsCbwJF5oY","user-agent":"Go-http-client/1.1","x-envoy-decorator-operation":"facebook-opt-125m-simulated-kserve-workload-svc.llm.svc.cluster.local:8000/*","x-envoy-external-address":"10.132.0.31","x-envoy-peer-metadata":"ChoKCkNMVVNURVJfSUQSDBoKS3ViZXJuZXRlcwqLAQoGTEFCRUxTEoABKn4KSwofc2VydmljZS5pc3Rpby5pby9jYW5vbmljYWwtbmFtZRIoGiZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAovCiNzZXJ2aWNlLmlzdGlvLmlvL2Nhbm9uaWNhbC1yZXZpc2lvbhIIGgZsYXRlc3QKQAoETkFNRRI4GjZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdC02ODdmZjY5OTYtbHdwZ2QKIAoJTkFNRVNQQUNFEhMaEW9wZW5zaGlmdC1pbmdyZXNzCnQKBU9XTkVSEmsaaWt1YmVybmV0ZXM6Ly9hcGlzL2FwcHMvdjEvbmFtZXNwYWNlcy9vcGVuc2hpZnQtaW5ncmVzcy9kZXBsb3ltZW50cy9tYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAo5Cg1XT1JLTE9BRF9OQU1FEigaJm1hYXMtZGVmYXVsdC1nYXRld2F5LW9wZW5zaGlmdC1kZWZhdWx0","x-envoy-peer-metadata-id":"router~10.134.0.31~maas-default-gateway-openshift-default-687ff6996-lwpgd.openshift-ingress~openshift-ingress.svc.cluster.local","x-forwarded-for":"10.132.0.31","x-forwarded-proto":"https","x-maas-subscription":"simulator-subscription","x-request-id":"31cd5336-521b-4a45-a6c7-826a8301b616"},"host":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local","id":"31cd5336-521b-4a45-a6c7-826a8301b616","method":"GET","path":"/llm/facebook-opt-125m-simulated/v1/models","protocol":"HTTP/1.1","scheme":"https","time":{"nanos":351140619,"seconds":1781409257},"url_path":"/llm/facebook-opt-125m-simulated/v1/models","user_agent":"Go-http-client/1.1"},"source":{"address":"10.132.0.31:56230","port":56230}}} {"level":"debug","ts":"2026-06-14T03:54:17Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"31cd5336-521b-4a45-a6c7-826a8301b616","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-14T03:54:17Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"31cd5336-521b-4a45-a6c7-826a8301b616","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-14T03:54:17Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"31cd5336-521b-4a45-a6c7-826a8301b616","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-14T03:54:17Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"31cd5336-521b-4a45-a6c7-826a8301b616","config":{"Name":"subscription-valid","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-14T03:54:17Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"31cd5336-521b-4a45-a6c7-826a8301b616","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-14T03:54:17Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"31cd5336-521b-4a45-a6c7-826a8301b616","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-14T03:54:17Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"31cd5336-521b-4a45-a6c7-826a8301b616","config":{"Name":"X-MaaS-Tenant","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-14T03:54:17Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"31cd5336-521b-4a45-a6c7-826a8301b616","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"} {"level":"debug","ts":"2026-06-14T03:54:17Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"31cd5336-521b-4a45-a6c7-826a8301b616","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"groups_str","Value":{}},{"Name":"userid","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"groups","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription","Value":{}}]},"Plain":null},"object":{"groups":["system:authenticated","Engineering","Project-Alpha"],"groups_str":"system:authenticated,Engineering,Project-Alpha","keyId":"ddf779e6-f794-47c3-96bd-b638d815352e","selected_subscription":"simulator-subscription","selected_subscription_key":"models-as-a-service/simulator-subscription@llm/facebook-opt-125m-simulated","subscription_error":"","subscription_error_message":"","subscription_info":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true},"userid":"alice_lead"}} {"level":"info","ts":"2026-06-14T03:54:17Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"31cd5336-521b-4a45-a6c7-826a8301b616","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-14T03:54:17Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"31cd5336-521b-4a45-a6c7-826a8301b616","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-14T03:54:17Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"3082c277-e2e8-4953-a3fb-813ff59cee49","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.13:56200","PortSpecifier":{"PortValue":56200}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.31:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"3082c277-e2e8-4953-a3fb-813ff59cee49","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.495bd143-025f-4c0b-96c0-520b38786006.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-14T03:54:17Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"3082c277-e2e8-4953-a3fb-813ff59cee49","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.13:56200","PortSpecifier":{"PortValue":56200}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.31:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781409257,"nanos":445440056},"http":{"id":"3082c277-e2e8-4953-a3fb-813ff59cee49","method":"POST","headers":{":authority":"maas.apps.495bd143-025f-4c0b-96c0-520b38786006.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-14T03:54:17Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"3082c277-e2e8-4953-a3fb-813ff59cee49","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781409557,"groups":["Engineering","Project-Alpha"],"iat":1781409257,"iss":"https://keycloak.apps.495bd143-025f-4c0b-96c0-520b38786006.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:bd6170c0-d29b-249e-9934-dea8e6591edd","preferred_username":"alice_lead","scope":"profile email","sid":"MjxjFDHBAcnxPaCEfcSFmUAS","sub":"582a1cab-1895-4e65-aea5-1c78141ef8c7","typ":"Bearer"}} {"level":"debug","ts":"2026-06-14T03:54:17Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"3082c277-e2e8-4953-a3fb-813ff59cee49","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781409557,"groups":["Engineering","Project-Alpha"],"iat":1781409257,"iss":"https://keycloak.apps.495bd143-025f-4c0b-96c0-520b38786006.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:bd6170c0-d29b-249e-9934-dea8e6591edd","preferred_username":"alice_lead","scope":"profile email","sid":"MjxjFDHBAcnxPaCEfcSFmUAS","sub":"582a1cab-1895-4e65-aea5-1c78141ef8c7","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.134.0.31:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.495bd143-025f-4c0b-96c0-520b38786006.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-14T03:54:17Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"3082c277-e2e8-4953-a3fb-813ff59cee49","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-14T03:54:17Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"3082c277-e2e8-4953-a3fb-813ff59cee49","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-14T03:54:17Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"3082c277-e2e8-4953-a3fb-813ff59cee49","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-14T03:54:17Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"3082c277-e2e8-4953-a3fb-813ff59cee49","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"groups_str","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"userid","Value":{}},{"Name":"groups","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"keyId","Value":{}}]},"Plain":null},"reason":"no such key: metadata"} {"level":"debug","ts":"2026-06-14T03:54:17Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"3082c277-e2e8-4953-a3fb-813ff59cee49","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"} {"level":"debug","ts":"2026-06-14T03:54:17Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"3082c277-e2e8-4953-a3fb-813ff59cee49","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"} {"level":"debug","ts":"2026-06-14T03:54:17Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"3082c277-e2e8-4953-a3fb-813ff59cee49","config":{"Name":"X-MaaS-Tenant-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Tenant","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"opendatahub"} {"level":"info","ts":"2026-06-14T03:54:17Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"3082c277-e2e8-4953-a3fb-813ff59cee49","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-14T03:54:17Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"3082c277-e2e8-4953-a3fb-813ff59cee49","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-14T03:54:17Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"81e3c177-368d-4afd-a297-210072d0e18d","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.13:56212","PortSpecifier":{"PortValue":56212}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.31:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"81e3c177-368d-4afd-a297-210072d0e18d","method":"GET","path":"/maas-api/v1/models","host":"maas.apps.495bd143-025f-4c0b-96c0-520b38786006.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-14T03:54:17Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"81e3c177-368d-4afd-a297-210072d0e18d","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.13:56212","PortSpecifier":{"PortValue":56212}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.31:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781409257,"nanos":476568122},"http":{"id":"81e3c177-368d-4afd-a297-210072d0e18d","method":"GET","headers":{":authority":"maas.apps.495bd143-025f-4c0b-96c0-520b38786006.prod.konfluxeaas.com",":method":"GET",":path":"/maas-api/v1/models",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-14T03:54:17Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"81e3c177-368d-4afd-a297-210072d0e18d","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-S9FRqWrjqnCSVaTH_iRvnDCX9EGhb18ujJ2ltK5guAOJ84v0GopFz1WievKf"} {"level":"debug","ts":"2026-06-14T03:54:17Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"81e3c177-368d-4afd-a297-210072d0e18d","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-S9FRqWrjqnCSVaTH_iRvnDCX9EGhb18ujJ2ltK5guAOJ84v0GopFz1WievKf\"}"} {"level":"debug","ts":"2026-06-14T03:54:17Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"81e3c177-368d-4afd-a297-210072d0e18d","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-14T03:54:17Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"81e3c177-368d-4afd-a297-210072d0e18d","input":{"auth":{"identity":"Bearer **** deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-14T03:54:17Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"81e3c177-368d-4afd-a297-210072d0e18d","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-14T03:54:17Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"81e3c177-368d-4afd-a297-210072d0e18d","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-14T03:54:17Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"81e3c177-368d-4afd-a297-210072d0e18d","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-14T03:54:17Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"81e3c177-368d-4afd-a297-210072d0e18d","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-14T03:54:17Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"81e3c177-368d-4afd-a297-210072d0e18d","config":{"Name":"X-MaaS-Tenant","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-14T03:54:17Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"81e3c177-368d-4afd-a297-210072d0e18d","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-14T03:54:17Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"81e3c177-368d-4afd-a297-210072d0e18d","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"} {"level":"debug","ts":"2026-06-14T03:54:17Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"81e3c177-368d-4afd-a297-210072d0e18d","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"groups_str","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"userid","Value":{}},{"Name":"groups","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"keyId","Value":{}}]},"Plain":null},"reason":"no such key: subscription-info"} {"level":"info","ts":"2026-06-14T03:54:17Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"81e3c177-368d-4afd-a297-210072d0e18d","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-14T03:54:17Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"81e3c177-368d-4afd-a297-210072d0e18d","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-14T03:54:17Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"81a39072-d11b-4967-ae19-6ee292f2537e","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.31:56230","PortSpecifier":{"PortValue":56230}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.31:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"81a39072-d11b-4967-ae19-6ee292f2537e","method":"GET","path":"/llm/facebook-opt-125m-simulated/v1/models","host":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local","scheme":"https"}}}} {"level":"debug","ts":"2026-06-14T03:54:17Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"81a39072-d11b-4967-ae19-6ee292f2537e","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.31:56230","PortSpecifier":{"PortValue":56230}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.31:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781409257,"nanos":483500266},"http":{"id":"81a39072-d11b-4967-ae19-6ee292f2537e","method":"GET","headers":{":authority":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local",":method":"GET",":path":"/llm/facebook-opt-125m-simulated/v1/models",":scheme":"https","accept-encoding":"gzip","authorization":"Bearer **** {"level":"debug","ts":"2026-06-14T03:54:17Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"81a39072-d11b-4967-ae19-6ee292f2537e","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-S9FRqWrjqnCSVaTH_iRvnDCX9EGhb18ujJ2ltK5guAOJ84v0GopFz1WievKf"} {"level":"debug","ts":"2026-06-14T03:54:17Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"81a39072-d11b-4967-ae19-6ee292f2537e","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-S9FRqWrjqnCSVaTH_iRvnDCX9EGhb18ujJ2ltK5guAOJ84v0GopFz1WievKf\"}"} {"level":"debug","ts":"2026-06-14T03:54:17Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"81a39072-d11b-4967-ae19-6ee292f2537e","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-14T03:54:17Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"81a39072-d11b-4967-ae19-6ee292f2537e","config":"subscription-info","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","headers":{"Content-Type":["application/json"]},"body":"{\"groups\":[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"],\"requestedModel\":\"llm/facebook-opt-125m-simulated\",\"requestedSubscription\":\"simulator-subscription\",\"username\":\"alice_lead\"}"} {"level":"debug","ts":"2026-06-14T03:54:17Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"81a39072-d11b-4967-ae19-6ee292f2537e","config":{"Name":"subscription-info","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"UserInfo":null,"UMA":null,"GenericHTTP":{"Endpoint":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","DynamicEndpoint":null,"Method":"POST","Body":{},"Parameters":[],"Headers":[],"ContentType":"application/json","SharedSecret":"","OAuth2":null,"OAuth2TokenForceFetch":false,"AuthCredentials":null}},"object":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}} {"level":"debug","ts":"2026-06-14T03:54:17Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"81a39072-d11b-4967-ae19-6ee292f2537e","input":{"auth":{"identity":"Bearer **** subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}}},"context":{"context_extensions":{"host":"3dd75e19cd66d310c30638e330078972afd6d2d96305f91055bc6a6f363fb8d3"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.134.0.31:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local",":method":"GET",":path":"/llm/facebook-opt-125m-simulated/v1/models",":scheme":"https","accept-encoding":"gzip","authorization":"Bearer **** sk-oai-S9FRqWrjqnCSVaTH_iRvnDCX9EGhb18ujJ2ltK5guAOJ84v0GopFz1WievKf","user-agent":"Go-http-client/1.1","x-envoy-decorator-operation":"facebook-opt-125m-simulated-kserve-workload-svc.llm.svc.cluster.local:8000/*","x-envoy-external-address":"10.132.0.31","x-envoy-peer-metadata":"ChoKCkNMVVNURVJfSUQSDBoKS3ViZXJuZXRlcwqLAQoGTEFCRUxTEoABKn4KSwofc2VydmljZS5pc3Rpby5pby9jYW5vbmljYWwtbmFtZRIoGiZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAovCiNzZXJ2aWNlLmlzdGlvLmlvL2Nhbm9uaWNhbC1yZXZpc2lvbhIIGgZsYXRlc3QKQAoETkFNRRI4GjZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdC02ODdmZjY5OTYtbHdwZ2QKIAoJTkFNRVNQQUNFEhMaEW9wZW5zaGlmdC1pbmdyZXNzCnQKBU9XTkVSEmsaaWt1YmVybmV0ZXM6Ly9hcGlzL2FwcHMvdjEvbmFtZXNwYWNlcy9vcGVuc2hpZnQtaW5ncmVzcy9kZXBsb3ltZW50cy9tYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAo5Cg1XT1JLTE9BRF9OQU1FEigaJm1hYXMtZGVmYXVsdC1nYXRld2F5LW9wZW5zaGlmdC1kZWZhdWx0","x-envoy-peer-metadata-id":"router~10.134.0.31~maas-default-gateway-openshift-default-687ff6996-lwpgd.openshift-ingress~openshift-ingress.svc.cluster.local","x-forwarded-for":"10.132.0.31","x-forwarded-proto":"https","x-maas-subscription":"simulator-subscription","x-request-id":"81a39072-d11b-4967-ae19-6ee292f2537e"},"host":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local","id":"81a39072-d11b-4967-ae19-6ee292f2537e","method":"GET","path":"/llm/facebook-opt-125m-simulated/v1/models","protocol":"HTTP/1.1","scheme":"https","time":{"nanos":483500266,"seconds":1781409257},"url_path":"/llm/facebook-opt-125m-simulated/v1/models","user_agent":"Go-http-client/1.1"},"source":{"address":"10.132.0.31:56230","port":56230}}} {"level":"debug","ts":"2026-06-14T03:54:17Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"81a39072-d11b-4967-ae19-6ee292f2537e","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-14T03:54:17Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"81a39072-d11b-4967-ae19-6ee292f2537e","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-14T03:54:17Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"81a39072-d11b-4967-ae19-6ee292f2537e","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-14T03:54:17Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"81a39072-d11b-4967-ae19-6ee292f2537e","config":{"Name":"subscription-valid","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-14T03:54:17Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"81a39072-d11b-4967-ae19-6ee292f2537e","config":{"Name":"X-MaaS-Tenant","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-14T03:54:17Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"81a39072-d11b-4967-ae19-6ee292f2537e","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-14T03:54:17Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"81a39072-d11b-4967-ae19-6ee292f2537e","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-14T03:54:17Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"81a39072-d11b-4967-ae19-6ee292f2537e","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"} {"level":"debug","ts":"2026-06-14T03:54:17Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"81a39072-d11b-4967-ae19-6ee292f2537e","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"groups_str","Value":{}},{"Name":"userid","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"groups","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription","Value":{}}]},"Plain":null},"object":{"groups":["system:authenticated","Engineering","Project-Alpha"],"groups_str":"system:authenticated,Engineering,Project-Alpha","keyId":"864e20cc-938d-4c8b-bb5d-b585debb4961","selected_subscription":"simulator-subscription","selected_subscription_key":"models-as-a-service/simulator-subscription@llm/facebook-opt-125m-simulated","subscription_error":"","subscription_error_message":"","subscription_info":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true},"userid":"alice_lead"}} {"level":"info","ts":"2026-06-14T03:54:17Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"81a39072-d11b-4967-ae19-6ee292f2537e","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-14T03:54:17Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"81a39072-d11b-4967-ae19-6ee292f2537e","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-14T03:54:17Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"59eddcc6-bb96-4ee8-b906-4e1c4018d0da","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.13:56214","PortSpecifier":{"PortValue":56214}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.31:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"59eddcc6-bb96-4ee8-b906-4e1c4018d0da","method":"GET","path":"/maas-api/v1/models","host":"maas.apps.495bd143-025f-4c0b-96c0-520b38786006.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-14T03:54:17Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"59eddcc6-bb96-4ee8-b906-4e1c4018d0da","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.13:56214","PortSpecifier":{"PortValue":56214}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.31:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781409257,"nanos":515030336},"http":{"id":"59eddcc6-bb96-4ee8-b906-4e1c4018d0da","method":"GET","headers":{":authority":"maas.apps.495bd143-025f-4c0b-96c0-520b38786006.prod.konfluxeaas.com",":method":"GET",":path":"/maas-api/v1/models",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-14T03:54:17Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"59eddcc6-bb96-4ee8-b906-4e1c4018d0da","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-S9FRqWrjqnCSVaTH_iRvnDCX9EGhb18ujJ2ltK5guAOJ84v0GopFz1WievKf"} {"level":"debug","ts":"2026-06-14T03:54:17Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"59eddcc6-bb96-4ee8-b906-4e1c4018d0da","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-S9FRqWrjqnCSVaTH_iRvnDCX9EGhb18ujJ2ltK5guAOJ84v0GopFz1WievKf\"}"} {"level":"debug","ts":"2026-06-14T03:54:17Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"59eddcc6-bb96-4ee8-b906-4e1c4018d0da","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-14T03:54:17Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"59eddcc6-bb96-4ee8-b906-4e1c4018d0da","input":{"auth":{"identity":"Bearer **** deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-14T03:54:17Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"59eddcc6-bb96-4ee8-b906-4e1c4018d0da","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-14T03:54:17Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"59eddcc6-bb96-4ee8-b906-4e1c4018d0da","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-14T03:54:17Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"59eddcc6-bb96-4ee8-b906-4e1c4018d0da","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-14T03:54:17Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"59eddcc6-bb96-4ee8-b906-4e1c4018d0da","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-14T03:54:17Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"59eddcc6-bb96-4ee8-b906-4e1c4018d0da","config":{"Name":"X-MaaS-Tenant","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-14T03:54:17Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"59eddcc6-bb96-4ee8-b906-4e1c4018d0da","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-14T03:54:17Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"59eddcc6-bb96-4ee8-b906-4e1c4018d0da","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"groups_str","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"userid","Value":{}},{"Name":"groups","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"keyId","Value":{}}]},"Plain":null},"reason":"no such key: subscription-info"} {"level":"debug","ts":"2026-06-14T03:54:17Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"59eddcc6-bb96-4ee8-b906-4e1c4018d0da","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"} {"level":"info","ts":"2026-06-14T03:54:17Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"59eddcc6-bb96-4ee8-b906-4e1c4018d0da","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-14T03:54:17Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"59eddcc6-bb96-4ee8-b906-4e1c4018d0da","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-14T03:54:17Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"9085e7de-73f5-4c06-986c-3365ab1cdd16","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.31:56230","PortSpecifier":{"PortValue":56230}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.31:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"9085e7de-73f5-4c06-986c-3365ab1cdd16","method":"GET","path":"/llm/facebook-opt-125m-simulated/v1/models","host":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local","scheme":"https"}}}} {"level":"debug","ts":"2026-06-14T03:54:17Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"9085e7de-73f5-4c06-986c-3365ab1cdd16","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.31:56230","PortSpecifier":{"PortValue":56230}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.31:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781409257,"nanos":521645358},"http":{"id":"9085e7de-73f5-4c06-986c-3365ab1cdd16","method":"GET","headers":{":authority":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local",":method":"GET",":path":"/llm/facebook-opt-125m-simulated/v1/models",":scheme":"https","accept-encoding":"gzip","authorization":"Bearer **** {"level":"debug","ts":"2026-06-14T03:54:17Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"9085e7de-73f5-4c06-986c-3365ab1cdd16","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-S9FRqWrjqnCSVaTH_iRvnDCX9EGhb18ujJ2ltK5guAOJ84v0GopFz1WievKf"} {"level":"debug","ts":"2026-06-14T03:54:17Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"9085e7de-73f5-4c06-986c-3365ab1cdd16","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-S9FRqWrjqnCSVaTH_iRvnDCX9EGhb18ujJ2ltK5guAOJ84v0GopFz1WievKf\"}"} {"level":"debug","ts":"2026-06-14T03:54:17Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"9085e7de-73f5-4c06-986c-3365ab1cdd16","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-14T03:54:17Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"9085e7de-73f5-4c06-986c-3365ab1cdd16","config":"subscription-info","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","headers":{"Content-Type":["application/json"]},"body":"{\"groups\":[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"],\"requestedModel\":\"llm/facebook-opt-125m-simulated\",\"requestedSubscription\":\"simulator-subscription\",\"username\":\"alice_lead\"}"} {"level":"debug","ts":"2026-06-14T03:54:17Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"9085e7de-73f5-4c06-986c-3365ab1cdd16","config":{"Name":"subscription-info","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"UserInfo":null,"UMA":null,"GenericHTTP":{"Endpoint":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","DynamicEndpoint":null,"Method":"POST","Body":{},"Parameters":[],"Headers":[],"ContentType":"application/json","SharedSecret":"","OAuth2":null,"OAuth2TokenForceFetch":false,"AuthCredentials":null}},"object":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}} {"level":"debug","ts":"2026-06-14T03:54:17Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"9085e7de-73f5-4c06-986c-3365ab1cdd16","input":{"auth":{"identity":"Bearer **** subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}}},"context":{"context_extensions":{"host":"3dd75e19cd66d310c30638e330078972afd6d2d96305f91055bc6a6f363fb8d3"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.134.0.31:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local",":method":"GET",":path":"/llm/facebook-opt-125m-simulated/v1/models",":scheme":"https","accept-encoding":"gzip","authorization":"Bearer **** sk-oai-S9FRqWrjqnCSVaTH_iRvnDCX9EGhb18ujJ2ltK5guAOJ84v0GopFz1WievKf","user-agent":"Go-http-client/1.1","x-envoy-decorator-operation":"facebook-opt-125m-simulated-kserve-workload-svc.llm.svc.cluster.local:8000/*","x-envoy-external-address":"10.132.0.31","x-envoy-peer-metadata":"ChoKCkNMVVNURVJfSUQSDBoKS3ViZXJuZXRlcwqLAQoGTEFCRUxTEoABKn4KSwofc2VydmljZS5pc3Rpby5pby9jYW5vbmljYWwtbmFtZRIoGiZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAovCiNzZXJ2aWNlLmlzdGlvLmlvL2Nhbm9uaWNhbC1yZXZpc2lvbhIIGgZsYXRlc3QKQAoETkFNRRI4GjZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdC02ODdmZjY5OTYtbHdwZ2QKIAoJTkFNRVNQQUNFEhMaEW9wZW5zaGlmdC1pbmdyZXNzCnQKBU9XTkVSEmsaaWt1YmVybmV0ZXM6Ly9hcGlzL2FwcHMvdjEvbmFtZXNwYWNlcy9vcGVuc2hpZnQtaW5ncmVzcy9kZXBsb3ltZW50cy9tYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAo5Cg1XT1JLTE9BRF9OQU1FEigaJm1hYXMtZGVmYXVsdC1nYXRld2F5LW9wZW5zaGlmdC1kZWZhdWx0","x-envoy-peer-metadata-id":"router~10.134.0.31~maas-default-gateway-openshift-default-687ff6996-lwpgd.openshift-ingress~openshift-ingress.svc.cluster.local","x-forwarded-for":"10.132.0.31","x-forwarded-proto":"https","x-maas-subscription":"simulator-subscription","x-request-id":"9085e7de-73f5-4c06-986c-3365ab1cdd16"},"host":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local","id":"9085e7de-73f5-4c06-986c-3365ab1cdd16","method":"GET","path":"/llm/facebook-opt-125m-simulated/v1/models","protocol":"HTTP/1.1","scheme":"https","time":{"nanos":521645358,"seconds":1781409257},"url_path":"/llm/facebook-opt-125m-simulated/v1/models","user_agent":"Go-http-client/1.1"},"source":{"address":"10.132.0.31:56230","port":56230}}} {"level":"debug","ts":"2026-06-14T03:54:17Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"9085e7de-73f5-4c06-986c-3365ab1cdd16","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-14T03:54:17Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"9085e7de-73f5-4c06-986c-3365ab1cdd16","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-14T03:54:17Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"9085e7de-73f5-4c06-986c-3365ab1cdd16","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-14T03:54:17Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"9085e7de-73f5-4c06-986c-3365ab1cdd16","config":{"Name":"subscription-valid","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-14T03:54:17Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"9085e7de-73f5-4c06-986c-3365ab1cdd16","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-14T03:54:17Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"9085e7de-73f5-4c06-986c-3365ab1cdd16","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-14T03:54:17Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"9085e7de-73f5-4c06-986c-3365ab1cdd16","config":{"Name":"X-MaaS-Tenant","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-14T03:54:17Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"9085e7de-73f5-4c06-986c-3365ab1cdd16","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"} {"level":"debug","ts":"2026-06-14T03:54:17Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"9085e7de-73f5-4c06-986c-3365ab1cdd16","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"groups_str","Value":{}},{"Name":"userid","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"groups","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription","Value":{}}]},"Plain":null},"object":{"groups":["system:authenticated","Engineering","Project-Alpha"],"groups_str":"system:authenticated,Engineering,Project-Alpha","keyId":"864e20cc-938d-4c8b-bb5d-b585debb4961","selected_subscription":"simulator-subscription","selected_subscription_key":"models-as-a-service/simulator-subscription@llm/facebook-opt-125m-simulated","subscription_error":"","subscription_error_message":"","subscription_info":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true},"userid":"alice_lead"}} {"level":"info","ts":"2026-06-14T03:54:17Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"9085e7de-73f5-4c06-986c-3365ab1cdd16","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-14T03:54:17Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"9085e7de-73f5-4c06-986c-3365ab1cdd16","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-14T03:54:17Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"0bf2fc5a-7c14-41d1-b05b-d5dcece2046e","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.13:56216","PortSpecifier":{"PortValue":56216}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.31:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"0bf2fc5a-7c14-41d1-b05b-d5dcece2046e","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.495bd143-025f-4c0b-96c0-520b38786006.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-14T03:54:17Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"0bf2fc5a-7c14-41d1-b05b-d5dcece2046e","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.13:56216","PortSpecifier":{"PortValue":56216}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.31:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781409257,"nanos":614571601},"http":{"id":"0bf2fc5a-7c14-41d1-b05b-d5dcece2046e","method":"POST","headers":{":authority":"maas.apps.495bd143-025f-4c0b-96c0-520b38786006.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-14T03:54:17Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"0bf2fc5a-7c14-41d1-b05b-d5dcece2046e","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781409557,"groups":["Engineering","Project-Alpha"],"iat":1781409257,"iss":"https://keycloak.apps.495bd143-025f-4c0b-96c0-520b38786006.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:a7abc8a0-696d-7199-83b4-1d76bfd28cfc","preferred_username":"alice_lead","scope":"profile email","sid":"XTZuBrFbsM2N-nlPCAZoZuSE","sub":"582a1cab-1895-4e65-aea5-1c78141ef8c7","typ":"Bearer"}} {"level":"debug","ts":"2026-06-14T03:54:17Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"0bf2fc5a-7c14-41d1-b05b-d5dcece2046e","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781409557,"groups":["Engineering","Project-Alpha"],"iat":1781409257,"iss":"https://keycloak.apps.495bd143-025f-4c0b-96c0-520b38786006.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:a7abc8a0-696d-7199-83b4-1d76bfd28cfc","preferred_username":"alice_lead","scope":"profile email","sid":"XTZuBrFbsM2N-nlPCAZoZuSE","sub":"582a1cab-1895-4e65-aea5-1c78141ef8c7","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.134.0.31:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.495bd143-025f-4c0b-96c0-520b38786006.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-14T03:54:17Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"0bf2fc5a-7c14-41d1-b05b-d5dcece2046e","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-14T03:54:17Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"0bf2fc5a-7c14-41d1-b05b-d5dcece2046e","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-14T03:54:17Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"0bf2fc5a-7c14-41d1-b05b-d5dcece2046e","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-14T03:54:17Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"0bf2fc5a-7c14-41d1-b05b-d5dcece2046e","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"groups_str","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"userid","Value":{}},{"Name":"groups","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"keyId","Value":{}}]},"Plain":null},"reason":"no such key: metadata"} {"level":"debug","ts":"2026-06-14T03:54:17Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"0bf2fc5a-7c14-41d1-b05b-d5dcece2046e","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"} {"level":"debug","ts":"2026-06-14T03:54:17Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"0bf2fc5a-7c14-41d1-b05b-d5dcece2046e","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"} {"level":"debug","ts":"2026-06-14T03:54:17Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"0bf2fc5a-7c14-41d1-b05b-d5dcece2046e","config":{"Name":"X-MaaS-Tenant-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Tenant","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"opendatahub"} {"level":"info","ts":"2026-06-14T03:54:17Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"0bf2fc5a-7c14-41d1-b05b-d5dcece2046e","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-14T03:54:17Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"0bf2fc5a-7c14-41d1-b05b-d5dcece2046e","authorized":true,"response":"OK"}