{"level":"info","ts":"2026-06-12T17:10:48Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/86cbb62fb4d82d4dc402b3281444539a5625c4bb4c86bbc4912c70e690a2e374"} {"level":"debug","ts":"2026-06-12T17:10:48Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/edcceb5a2e0cf1edde0fc3ed43068ce5b123a6fdc41949959c2c3b7a5a48bf24","issuerUrl":"https://keycloak.apps.9083e241-89eb-4c15-b9de-19a0126fa28e.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-12T17:10:48Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-12T17:10:48Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-12T17:10:48Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/edcceb5a2e0cf1edde0fc3ed43068ce5b123a6fdc41949959c2c3b7a5a48bf24"} {"level":"debug","ts":"2026-06-12T17:10:48Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/5fea747cb803a5ee3aeb620187bd9ec74ccccd10a92474ef528215a7ff146c8f","issuerUrl":"https://keycloak.apps.9083e241-89eb-4c15-b9de-19a0126fa28e.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-12T17:10:48Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"e38d76c6f386f12bc12190c87b39e6e77e182be454f85659a9197c301f2cd9be","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-12T17:10:48Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/5fea747cb803a5ee3aeb620187bd9ec74ccccd10a92474ef528215a7ff146c8f"} {"level":"debug","ts":"2026-06-12T17:10:48Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d","issuerUrl":"https://keycloak.apps.9083e241-89eb-4c15-b9de-19a0126fa28e.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-12T17:10:48Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"e50f5fdcb9fb7e124557afe69edae9a95d05da488eae1cc4b5c1c7c1220a826a","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-12T17:10:48Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"} {"level":"debug","ts":"2026-06-12T17:10:48Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/e38d76c6f386f12bc12190c87b39e6e77e182be454f85659a9197c301f2cd9be","issuerUrl":"https://keycloak.apps.9083e241-89eb-4c15-b9de-19a0126fa28e.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-12T17:10:48Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"a89b0896df0d8cd430f1c81b6eb292ddc044daed393537d009a6330718f58d4b","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-12T17:10:48Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/e38d76c6f386f12bc12190c87b39e6e77e182be454f85659a9197c301f2cd9be"} {"level":"debug","ts":"2026-06-12T17:10:48Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/e50f5fdcb9fb7e124557afe69edae9a95d05da488eae1cc4b5c1c7c1220a826a","issuerUrl":"https://keycloak.apps.9083e241-89eb-4c15-b9de-19a0126fa28e.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-12T17:10:48Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/e50f5fdcb9fb7e124557afe69edae9a95d05da488eae1cc4b5c1c7c1220a826a"} {"level":"debug","ts":"2026-06-12T17:10:48Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/a89b0896df0d8cd430f1c81b6eb292ddc044daed393537d009a6330718f58d4b","issuerUrl":"https://keycloak.apps.9083e241-89eb-4c15-b9de-19a0126fa28e.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-12T17:10:49Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/a89b0896df0d8cd430f1c81b6eb292ddc044daed393537d009a6330718f58d4b"} {"level":"debug","ts":"2026-06-12T17:10:49Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"35d34d59676c333235d7c9f02273e0380bb39f27cfd30856fedc0f7c0e5f79aa","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-12T17:10:49Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/35d34d59676c333235d7c9f02273e0380bb39f27cfd30856fedc0f7c0e5f79aa","issuerUrl":"https://keycloak.apps.9083e241-89eb-4c15-b9de-19a0126fa28e.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-12T17:10:49Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"01918e70442d2cb18c94316131b0e0a241b4a5d12df5b1e1981a3bef420bbdb5","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-12T17:10:49Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/35d34d59676c333235d7c9f02273e0380bb39f27cfd30856fedc0f7c0e5f79aa"} {"level":"debug","ts":"2026-06-12T17:10:49Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/01918e70442d2cb18c94316131b0e0a241b4a5d12df5b1e1981a3bef420bbdb5","issuerUrl":"https://keycloak.apps.9083e241-89eb-4c15-b9de-19a0126fa28e.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-12T17:10:49Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"3dd75e19cd66d310c30638e330078972afd6d2d96305f91055bc6a6f363fb8d3","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-12T17:10:49Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/01918e70442d2cb18c94316131b0e0a241b4a5d12df5b1e1981a3bef420bbdb5"} {"level":"debug","ts":"2026-06-12T17:10:49Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/3dd75e19cd66d310c30638e330078972afd6d2d96305f91055bc6a6f363fb8d3","issuerUrl":"https://keycloak.apps.9083e241-89eb-4c15-b9de-19a0126fa28e.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-12T17:10:49Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/3dd75e19cd66d310c30638e330078972afd6d2d96305f91055bc6a6f363fb8d3"} {"level":"debug","ts":"2026-06-12T17:10:49Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"80f10756c0e833d16937036ed66f1daf5bef95559ef05a5e852766b97b9bdaef","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"False","lastTransitionTime":"2026-06-12T17:10:49Z","reason":"HostsNotLinked","message":"No hosts linked to the resource"},{"type":"Ready","status":"False","lastTransitionTime":"2026-06-12T17:10:49Z","reason":"Reconciling"}],"summary":{"ready":false,"hostsReady":[],"numHostsReady":"0/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":8,"festivalWristbandEnabled":false}}} {"level":"debug","ts":"2026-06-12T17:10:49Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/80f10756c0e833d16937036ed66f1daf5bef95559ef05a5e852766b97b9bdaef","issuerUrl":"https://keycloak.apps.9083e241-89eb-4c15-b9de-19a0126fa28e.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-12T17:10:49Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"80f10756c0e833d16937036ed66f1daf5bef95559ef05a5e852766b97b9bdaef","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-12T17:10:49Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"80f10756c0e833d16937036ed66f1daf5bef95559ef05a5e852766b97b9bdaef","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-12T17:10:49Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"319a353672fc7601c875fa3f8b807adf60b64f093f022b2a1c3dfef3ac8cd4f4","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-12T17:10:49Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"80f10756c0e833d16937036ed66f1daf5bef95559ef05a5e852766b97b9bdaef","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-12T17:10:49Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/80f10756c0e833d16937036ed66f1daf5bef95559ef05a5e852766b97b9bdaef"} {"level":"debug","ts":"2026-06-12T17:10:49Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/319a353672fc7601c875fa3f8b807adf60b64f093f022b2a1c3dfef3ac8cd4f4","issuerUrl":"https://keycloak.apps.9083e241-89eb-4c15-b9de-19a0126fa28e.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-12T17:10:49Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"331dc257e65f55f80700a586f7807093eda7b3d8e7d91215dc3c47731508480c","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-12T17:10:49Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"80f10756c0e833d16937036ed66f1daf5bef95559ef05a5e852766b97b9bdaef","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"True","lastTransitionTime":"2026-06-12T17:10:49Z","reason":"HostsLinked"},{"type":"Ready","status":"True","lastTransitionTime":"2026-06-12T17:10:49Z","reason":"Reconciled"}],"summary":{"ready":true,"hostsReady":["80f10756c0e833d16937036ed66f1daf5bef95559ef05a5e852766b97b9bdaef"],"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":8,"festivalWristbandEnabled":false}}} {"level":"info","ts":"2026-06-12T17:10:49Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/319a353672fc7601c875fa3f8b807adf60b64f093f022b2a1c3dfef3ac8cd4f4"} {"level":"debug","ts":"2026-06-12T17:10:49Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/80f10756c0e833d16937036ed66f1daf5bef95559ef05a5e852766b97b9bdaef","issuerUrl":"https://keycloak.apps.9083e241-89eb-4c15-b9de-19a0126fa28e.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-12T17:10:49Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"80f10756c0e833d16937036ed66f1daf5bef95559ef05a5e852766b97b9bdaef","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-12T17:10:49Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"80f10756c0e833d16937036ed66f1daf5bef95559ef05a5e852766b97b9bdaef","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"False","lastTransitionTime":"2026-06-12T17:10:49Z","reason":"HostsNotLinked","message":"No hosts linked to the resource"},{"type":"Ready","status":"False","lastTransitionTime":"2026-06-12T17:10:49Z","reason":"Reconciling"}],"summary":{"ready":false,"hostsReady":[],"numHostsReady":"0/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":8,"festivalWristbandEnabled":false}}} {"level":"info","ts":"2026-06-12T17:10:49Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/80f10756c0e833d16937036ed66f1daf5bef95559ef05a5e852766b97b9bdaef"} {"level":"info","ts":"2026-06-12T17:10:49Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"80f10756c0e833d16937036ed66f1daf5bef95559ef05a5e852766b97b9bdaef","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-12T17:10:49Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"4dc577fd60594d78a4a8bebe396f4b5a928f41bdc3f95c06d717cf1ddc3158b2","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-12T17:10:49Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"80f10756c0e833d16937036ed66f1daf5bef95559ef05a5e852766b97b9bdaef","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"True","lastTransitionTime":"2026-06-12T17:10:49Z","reason":"HostsLinked"},{"type":"Ready","status":"True","lastTransitionTime":"2026-06-12T17:10:49Z","reason":"Reconciled"}],"summary":{"ready":true,"hostsReady":["80f10756c0e833d16937036ed66f1daf5bef95559ef05a5e852766b97b9bdaef"],"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":8,"festivalWristbandEnabled":false}}} {"level":"debug","ts":"2026-06-12T17:10:49Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/331dc257e65f55f80700a586f7807093eda7b3d8e7d91215dc3c47731508480c","issuerUrl":"https://keycloak.apps.9083e241-89eb-4c15-b9de-19a0126fa28e.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-12T17:10:49Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"80f10756c0e833d16937036ed66f1daf5bef95559ef05a5e852766b97b9bdaef","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-12T17:10:49Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"311b1be286674fd5684c9ac59b318287dade9769cfe4aeebd8c88e2dc6b72418","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-12T17:10:49Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"80f10756c0e833d16937036ed66f1daf5bef95559ef05a5e852766b97b9bdaef","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"True","lastTransitionTime":"2026-06-12T17:10:49Z","reason":"HostsLinked"},{"type":"Ready","status":"True","lastTransitionTime":"2026-06-12T17:10:49Z","reason":"Reconciled"}],"summary":{"ready":true,"hostsReady":["80f10756c0e833d16937036ed66f1daf5bef95559ef05a5e852766b97b9bdaef"],"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":8,"festivalWristbandEnabled":false}}} {"level":"info","ts":"2026-06-12T17:10:49Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/331dc257e65f55f80700a586f7807093eda7b3d8e7d91215dc3c47731508480c"} {"level":"debug","ts":"2026-06-12T17:10:49Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/4dc577fd60594d78a4a8bebe396f4b5a928f41bdc3f95c06d717cf1ddc3158b2","issuerUrl":"https://keycloak.apps.9083e241-89eb-4c15-b9de-19a0126fa28e.prod.konfluxeaas.com/realms/tenant-a"} {"level":"error","ts":"2026-06-12T17:10:49Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"failed to update the resource","authconfig":{"name":"80f10756c0e833d16937036ed66f1daf5bef95559ef05a5e852766b97b9bdaef","namespace":"kuadrant-system"},"error":"Operation cannot be fulfilled on authconfigs.authorino.kuadrant.io \"80f10756c0e833d16937036ed66f1daf5bef95559ef05a5e852766b97b9bdaef\": the object has been modified; please apply your changes to the latest version and try again","stacktrace":"github.com/kuadrant/authorino/controllers.(*AuthConfigStatusUpdater).updateAuthConfigStatus\n\t/usr/src/authorino/controllers/auth_config_status_updater.go:162\ngithub.com/kuadrant/authorino/controllers.(*AuthConfigStatusUpdater).Reconcile\n\t/usr/src/authorino/controllers/auth_config_status_updater.go:81\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Reconcile\n\t/opt/app-root/src/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.16.3/pkg/internal/controller/controller.go:119\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).reconcileHandler\n\t/opt/app-root/src/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.16.3/pkg/internal/controller/controller.go:316\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem\n\t/opt/app-root/src/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.16.3/pkg/internal/controller/controller.go:266\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func2.2\n\t/opt/app-root/src/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.16.3/pkg/internal/controller/controller.go:227"} {"level":"debug","ts":"2026-06-12T17:10:49Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"80f10756c0e833d16937036ed66f1daf5bef95559ef05a5e852766b97b9bdaef","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-12T17:10:49Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"b1f82c4ba6cc7617f9c0b90067f72f4a25fdc5de2564c14ccb90af534a2905f6","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-12T17:10:49Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"80f10756c0e833d16937036ed66f1daf5bef95559ef05a5e852766b97b9bdaef","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-12T17:10:49Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/4dc577fd60594d78a4a8bebe396f4b5a928f41bdc3f95c06d717cf1ddc3158b2"} {"level":"debug","ts":"2026-06-12T17:10:49Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/80f10756c0e833d16937036ed66f1daf5bef95559ef05a5e852766b97b9bdaef","issuerUrl":"https://keycloak.apps.9083e241-89eb-4c15-b9de-19a0126fa28e.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-12T17:10:49Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-12T17:10:49Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/80f10756c0e833d16937036ed66f1daf5bef95559ef05a5e852766b97b9bdaef"} {"level":"debug","ts":"2026-06-12T17:10:49Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/311b1be286674fd5684c9ac59b318287dade9769cfe4aeebd8c88e2dc6b72418","issuerUrl":"https://keycloak.apps.9083e241-89eb-4c15-b9de-19a0126fa28e.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-12T17:10:49Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"c9f2cdb36f800bc8ef8831e6117ec4c6cc521d8cd63b718b7906225d0f25e59f","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-12T17:10:49Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/311b1be286674fd5684c9ac59b318287dade9769cfe4aeebd8c88e2dc6b72418"} {"level":"debug","ts":"2026-06-12T17:10:49Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/b1f82c4ba6cc7617f9c0b90067f72f4a25fdc5de2564c14ccb90af534a2905f6","issuerUrl":"https://keycloak.apps.9083e241-89eb-4c15-b9de-19a0126fa28e.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-12T17:10:49Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"d3b195a61a7f24c6bf1fba40f9f2e2565facb6af92e959c1546ac398a9172618","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-12T17:10:49Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/b1f82c4ba6cc7617f9c0b90067f72f4a25fdc5de2564c14ccb90af534a2905f6"} {"level":"debug","ts":"2026-06-12T17:10:49Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5","issuerUrl":"https://keycloak.apps.9083e241-89eb-4c15-b9de-19a0126fa28e.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-12T17:10:49Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5"} {"level":"debug","ts":"2026-06-12T17:10:49Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/c9f2cdb36f800bc8ef8831e6117ec4c6cc521d8cd63b718b7906225d0f25e59f","issuerUrl":"https://keycloak.apps.9083e241-89eb-4c15-b9de-19a0126fa28e.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-12T17:10:49Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"df733b2c652bfe2458c9e19932b1091e939c1a62178d6879462b3b4f73fca4bb","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-12T17:10:49Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/c9f2cdb36f800bc8ef8831e6117ec4c6cc521d8cd63b718b7906225d0f25e59f"} {"level":"debug","ts":"2026-06-12T17:10:49Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/d3b195a61a7f24c6bf1fba40f9f2e2565facb6af92e959c1546ac398a9172618","issuerUrl":"https://keycloak.apps.9083e241-89eb-4c15-b9de-19a0126fa28e.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-12T17:10:49Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/d3b195a61a7f24c6bf1fba40f9f2e2565facb6af92e959c1546ac398a9172618"} {"level":"debug","ts":"2026-06-12T17:10:49Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/df733b2c652bfe2458c9e19932b1091e939c1a62178d6879462b3b4f73fca4bb","issuerUrl":"https://keycloak.apps.9083e241-89eb-4c15-b9de-19a0126fa28e.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-12T17:10:49Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/df733b2c652bfe2458c9e19932b1091e939c1a62178d6879462b3b4f73fca4bb"} {"level":"info","ts":"2026-06-12T17:10:49Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource de-indexed","authconfig":"kuadrant-system/2200947db0f3acc41dd3fca21efa06f90c57afddd36d719bdda2dc74a0bd0a11"} {"level":"info","ts":"2026-06-12T17:10:49Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource de-indexed","authconfig":"kuadrant-system/3efb8e937aa19b5e0bdd0c3eb5b4ece33299385dcfc89205b8934853facbdcf0"} {"level":"info","ts":"2026-06-12T17:11:16Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"a7f3ed17-28a7-41c3-95bd-91d220fd1cb2","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.10:49732","PortSpecifier":{"PortValue":49732}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.44:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"a7f3ed17-28a7-41c3-95bd-91d220fd1cb2","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.9083e241-89eb-4c15-b9de-19a0126fa28e.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-12T17:11:16Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"a7f3ed17-28a7-41c3-95bd-91d220fd1cb2","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.10:49732","PortSpecifier":{"PortValue":49732}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.44:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781284276,"nanos":449497398},"http":{"id":"a7f3ed17-28a7-41c3-95bd-91d220fd1cb2","method":"POST","headers":{":authority":"maas.apps.9083e241-89eb-4c15-b9de-19a0126fa28e.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-12T17:11:16Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"a7f3ed17-28a7-41c3-95bd-91d220fd1cb2","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781284576,"groups":["Engineering","Project-Alpha"],"iat":1781284276,"iss":"https://keycloak.apps.9083e241-89eb-4c15-b9de-19a0126fa28e.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:89e04370-304b-edf4-a5d0-3c65e99ccfdb","preferred_username":"alice_lead","scope":"email profile","sid":"6oCqV01Xb20ky3eMYY2mnE4j","sub":"6377ca4a-40c5-42bf-aa8a-0b9bd3337050","typ":"Bearer"}} {"level":"debug","ts":"2026-06-12T17:11:16Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"a7f3ed17-28a7-41c3-95bd-91d220fd1cb2","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781284576,"groups":["Engineering","Project-Alpha"],"iat":1781284276,"iss":"https://keycloak.apps.9083e241-89eb-4c15-b9de-19a0126fa28e.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:89e04370-304b-edf4-a5d0-3c65e99ccfdb","preferred_username":"alice_lead","scope":"email profile","sid":"6oCqV01Xb20ky3eMYY2mnE4j","sub":"6377ca4a-40c5-42bf-aa8a-0b9bd3337050","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.134.0.44:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.9083e241-89eb-4c15-b9de-19a0126fa28e.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-12T17:11:16Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"a7f3ed17-28a7-41c3-95bd-91d220fd1cb2","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T17:11:16Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"a7f3ed17-28a7-41c3-95bd-91d220fd1cb2","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T17:11:16Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"a7f3ed17-28a7-41c3-95bd-91d220fd1cb2","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T17:11:16Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"a7f3ed17-28a7-41c3-95bd-91d220fd1cb2","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"groups","Value":{}},{"Name":"userid","Value":{}}]},"Plain":null},"reason":"no such key: metadata"} {"level":"debug","ts":"2026-06-12T17:11:16Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"a7f3ed17-28a7-41c3-95bd-91d220fd1cb2","config":{"Name":"X-MaaS-Tenant-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Tenant","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"opendatahub"} {"level":"debug","ts":"2026-06-12T17:11:16Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"a7f3ed17-28a7-41c3-95bd-91d220fd1cb2","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"} {"level":"debug","ts":"2026-06-12T17:11:16Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"a7f3ed17-28a7-41c3-95bd-91d220fd1cb2","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"} {"level":"info","ts":"2026-06-12T17:11:16Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"a7f3ed17-28a7-41c3-95bd-91d220fd1cb2","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-12T17:11:16Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"a7f3ed17-28a7-41c3-95bd-91d220fd1cb2","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-12T17:11:16Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"1bdf34de-8f47-4e10-bb1f-ad94b453cd83","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.10:49736","PortSpecifier":{"PortValue":49736}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.44:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"1bdf34de-8f47-4e10-bb1f-ad94b453cd83","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.9083e241-89eb-4c15-b9de-19a0126fa28e.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-12T17:11:16Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"1bdf34de-8f47-4e10-bb1f-ad94b453cd83","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.10:49736","PortSpecifier":{"PortValue":49736}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.44:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781284276,"nanos":545682168},"http":{"id":"1bdf34de-8f47-4e10-bb1f-ad94b453cd83","method":"POST","headers":{":authority":"maas.apps.9083e241-89eb-4c15-b9de-19a0126fa28e.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-12T17:11:16Z","logger":"authorino.service.auth.authpipeline.identity","msg":"cannot validate identity","request id":"1bdf34de-8f47-4e10-bb1f-ad94b453cd83","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"reason":"failed to verify signature: failed to verify id token signature"} {"level":"debug","ts":"2026-06-12T17:11:16Z","logger":"authorino.service.auth.authpipeline.identity.kubernetesauth","msg":"calling kubernetes token review api","request id":"1bdf34de-8f47-4e10-bb1f-ad94b453cd83","tokenreview":{"name":""}} {"level":"debug","ts":"2026-06-12T17:11:16Z","logger":"authorino.service.auth.authpipeline.identity","msg":"cannot validate identity","request id":"1bdf34de-8f47-4e10-bb1f-ad94b453cd83","config":{"Name":"openshift-identities","Priority":2,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":null,"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"Plain":null,"Noop":null,"ExtendedProperties":[]},"reason":"not authenticated"} {"level":"info","ts":"2026-06-12T17:11:16Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"1bdf34de-8f47-4e10-bb1f-ad94b453cd83","authorized":false,"response":"UNAUTHENTICATED","object":{"code":16,"status":401,"message":"Authentication required"}} {"level":"debug","ts":"2026-06-12T17:11:16Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"1bdf34de-8f47-4e10-bb1f-ad94b453cd83","authorized":false,"response":"UNAUTHENTICATED","object":{"code":16,"status":401,"message":"Authentication required","headers":[{"WWW-Authenticate":"request.headers.authorization realm=\"api-keys\""},{"WWW-Authenticate":"Bearer **** realm=\"openshift-identities\""}]}} {"level":"info","ts":"2026-06-12T17:11:16Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"198edeec-6992-4fe4-868b-ac8301f7a484","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.10:49750","PortSpecifier":{"PortValue":49750}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.44:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"198edeec-6992-4fe4-868b-ac8301f7a484","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.9083e241-89eb-4c15-b9de-19a0126fa28e.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-12T17:11:16Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"198edeec-6992-4fe4-868b-ac8301f7a484","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.10:49750","PortSpecifier":{"PortValue":49750}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.44:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781284276,"nanos":582465060},"http":{"id":"198edeec-6992-4fe4-868b-ac8301f7a484","method":"POST","headers":{":authority":"maas.apps.9083e241-89eb-4c15-b9de-19a0126fa28e.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer","content-length":"35","content-type":"application/json","forwarded":"for=34.228.250.194;host=maas.apps.9083e241-89eb-4c15-b9de-19a0126fa28e.prod.konfluxeaas.com;proto=https","user-agent":"python-requests/2.32.5","x-envoy-decorator-operation":"maas-api.opendatahub.svc.cluster.local:8443/*","x-envoy-external-address":"10.132.0.10","x-envoy-peer-metadata":"ChoKCkNMVVNURVJfSUQSDBoKS3ViZXJuZXRlcwqLAQoGTEFCRUxTEoABKn4KSwofc2VydmljZS5pc3Rpby5pby9jYW5vbmljYWwtbmFtZRIoGiZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAovCiNzZXJ2aWNlLmlzdGlvLmlvL2Nhbm9uaWNhbC1yZXZpc2lvbhIIGgZsYXRlc3QKQAoETkFNRRI4GjZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdC02ODdmZjY5OTYtOTc5OXgKIAoJTkFNRVNQQUNFEhMaEW9wZW5zaGlmdC1pbmdyZXNzCnQKBU9XTkVSEmsaaWt1YmVybmV0ZXM6Ly9hcGlzL2FwcHMvdjEvbmFtZXNwYWNlcy9vcGVuc2hpZnQtaW5ncmVzcy9kZXBsb3ltZW50cy9tYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAo5Cg1XT1JLTE9BRF9OQU1FEigaJm1hYXMtZGVmYXVsdC1nYXRld2F5LW9wZW5zaGlmdC1kZWZhdWx0","x-envoy-peer-metadata-id":"router~10.134.0.44~maas-default-gateway-openshift-default-687ff6996-9799x.openshift-ingress~openshift-ingress.svc.cluster.local","x-forwarded-for":"34.228.250.194,10.132.0.10","x-forwarded-host":"maas.apps.9083e241-89eb-4c15-b9de-19a0126fa28e.prod.konfluxeaas.com","x-forwarded-port":"443","x-forwarded-proto":"https","x-request-id":"198edeec-6992-4fe4-868b-ac8301f7a484"},"path":"/maas-api/v1/api-keys","host":"maas.apps.9083e241-89eb-4c15-b9de-19a0126fa28e.prod.konfluxeaas.com","scheme":"https","protocol":"HTTP/1.1"}},"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"metadata_context":{}}} {"level":"debug","ts":"2026-06-12T17:11:16Z","logger":"authorino.service.auth.authpipeline.identity","msg":"cannot validate identity","request id":"198edeec-6992-4fe4-868b-ac8301f7a484","config":{"Name":"openshift-identities","Priority":2,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":null,"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"Plain":null,"Noop":null,"ExtendedProperties":[]},"reason":"credential not found"} {"level":"info","ts":"2026-06-12T17:11:16Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"198edeec-6992-4fe4-868b-ac8301f7a484","authorized":false,"response":"UNAUTHENTICATED","object":{"code":16,"status":401,"message":"Authentication required"}} {"level":"debug","ts":"2026-06-12T17:11:16Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"198edeec-6992-4fe4-868b-ac8301f7a484","authorized":false,"response":"UNAUTHENTICATED","object":{"code":16,"status":401,"message":"Authentication required","headers":[{"WWW-Authenticate":"request.headers.authorization realm=\"api-keys\""},{"WWW-Authenticate":"Bearer **** realm=\"openshift-identities\""}]}} {"level":"info","ts":"2026-06-12T17:11:16Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"64f5e3e0-74c1-496f-9d94-cf601b4c60b8","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.10:49764","PortSpecifier":{"PortValue":49764}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.44:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"64f5e3e0-74c1-496f-9d94-cf601b4c60b8","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.9083e241-89eb-4c15-b9de-19a0126fa28e.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-12T17:11:16Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"64f5e3e0-74c1-496f-9d94-cf601b4c60b8","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.10:49764","PortSpecifier":{"PortValue":49764}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.44:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781284276,"nanos":607434490},"http":{"id":"64f5e3e0-74c1-496f-9d94-cf601b4c60b8","method":"POST","headers":{":authority":"maas.apps.9083e241-89eb-4c15-b9de-19a0126fa28e.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","content-length":"36","content-type":"application/json","forwarded":"for=34.228.250.194;host=maas.apps.9083e241-89eb-4c15-b9de-19a0126fa28e.prod.konfluxeaas.com;proto=https","user-agent":"python-requests/2.32.5","x-envoy-decorator-operation":"maas-api.opendatahub.svc.cluster.local:8443/*","x-envoy-external-address":"10.132.0.10","x-envoy-peer-metadata":"ChoKCkNMVVNURVJfSUQSDBoKS3ViZXJuZXRlcwqLAQoGTEFCRUxTEoABKn4KSwofc2VydmljZS5pc3Rpby5pby9jYW5vbmljYWwtbmFtZRIoGiZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAovCiNzZXJ2aWNlLmlzdGlvLmlvL2Nhbm9uaWNhbC1yZXZpc2lvbhIIGgZsYXRlc3QKQAoETkFNRRI4GjZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdC02ODdmZjY5OTYtOTc5OXgKIAoJTkFNRVNQQUNFEhMaEW9wZW5zaGlmdC1pbmdyZXNzCnQKBU9XTkVSEmsaaWt1YmVybmV0ZXM6Ly9hcGlzL2FwcHMvdjEvbmFtZXNwYWNlcy9vcGVuc2hpZnQtaW5ncmVzcy9kZXBsb3ltZW50cy9tYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAo5Cg1XT1JLTE9BRF9OQU1FEigaJm1hYXMtZGVmYXVsdC1nYXRld2F5LW9wZW5zaGlmdC1kZWZhdWx0","x-envoy-peer-metadata-id":"router~10.134.0.44~maas-default-gateway-openshift-default-687ff6996-9799x.openshift-ingress~openshift-ingress.svc.cluster.local","x-forwarded-for":"34.228.250.194,10.132.0.10","x-forwarded-host":"maas.apps.9083e241-89eb-4c15-b9de-19a0126fa28e.prod.konfluxeaas.com","x-forwarded-port":"443","x-forwarded-proto":"https","x-request-id":"64f5e3e0-74c1-496f-9d94-cf601b4c60b8"},"path":"/maas-api/v1/api-keys","host":"maas.apps.9083e241-89eb-4c15-b9de-19a0126fa28e.prod.konfluxeaas.com","scheme":"https","protocol":"HTTP/1.1"}},"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"metadata_context":{}}} {"level":"info","ts":"2026-06-12T17:11:16Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"64f5e3e0-74c1-496f-9d94-cf601b4c60b8","authorized":false,"response":"UNAUTHENTICATED","object":{"code":16,"status":401,"message":"Authentication required"}} {"level":"debug","ts":"2026-06-12T17:11:16Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"64f5e3e0-74c1-496f-9d94-cf601b4c60b8","authorized":false,"response":"UNAUTHENTICATED","object":{"code":16,"status":401,"message":"Authentication required","headers":[{"WWW-Authenticate":"request.headers.authorization realm=\"api-keys\""},{"WWW-Authenticate":"Bearer **** realm=\"openshift-identities\""}]}} {"level":"info","ts":"2026-06-12T17:11:16Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"1bdfb128-211f-4d5f-91ae-9d46d27baf5c","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.10:49780","PortSpecifier":{"PortValue":49780}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.44:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"1bdfb128-211f-4d5f-91ae-9d46d27baf5c","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.9083e241-89eb-4c15-b9de-19a0126fa28e.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-12T17:11:16Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"1bdfb128-211f-4d5f-91ae-9d46d27baf5c","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.10:49780","PortSpecifier":{"PortValue":49780}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.44:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781284276,"nanos":930612238},"http":{"id":"1bdfb128-211f-4d5f-91ae-9d46d27baf5c","method":"POST","headers":{":authority":"maas.apps.9083e241-89eb-4c15-b9de-19a0126fa28e.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-12T17:11:16Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"1bdfb128-211f-4d5f-91ae-9d46d27baf5c","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781284576,"groups":["Site-Reliability"],"iat":1781284276,"iss":"https://keycloak.apps.9083e241-89eb-4c15-b9de-19a0126fa28e.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:16a08220-5a23-deb7-ebe3-c8ca61cf0572","preferred_username":"bob_sre","scope":"email profile","sid":"Q9I4OP_97gW5Vi3PLYD_nrRl","sub":"e0f4f3ef-a861-4910-92bd-eff8189e37fd","typ":"Bearer"}} {"level":"debug","ts":"2026-06-12T17:11:16Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"1bdfb128-211f-4d5f-91ae-9d46d27baf5c","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781284576,"groups":["Site-Reliability"],"iat":1781284276,"iss":"https://keycloak.apps.9083e241-89eb-4c15-b9de-19a0126fa28e.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:16a08220-5a23-deb7-ebe3-c8ca61cf0572","preferred_username":"bob_sre","scope":"email profile","sid":"Q9I4OP_97gW5Vi3PLYD_nrRl","sub":"e0f4f3ef-a861-4910-92bd-eff8189e37fd","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.134.0.44:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.9083e241-89eb-4c15-b9de-19a0126fa28e.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-12T17:11:16Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"1bdfb128-211f-4d5f-91ae-9d46d27baf5c","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T17:11:16Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"1bdfb128-211f-4d5f-91ae-9d46d27baf5c","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T17:11:16Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"1bdfb128-211f-4d5f-91ae-9d46d27baf5c","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T17:11:16Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"1bdfb128-211f-4d5f-91ae-9d46d27baf5c","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"groups","Value":{}},{"Name":"userid","Value":{}}]},"Plain":null},"reason":"no such key: metadata"} {"level":"debug","ts":"2026-06-12T17:11:16Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"1bdfb128-211f-4d5f-91ae-9d46d27baf5c","config":{"Name":"X-MaaS-Tenant-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Tenant","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"opendatahub"} {"level":"debug","ts":"2026-06-12T17:11:16Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"1bdfb128-211f-4d5f-91ae-9d46d27baf5c","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"bob_sre"} {"level":"debug","ts":"2026-06-12T17:11:16Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"1bdfb128-211f-4d5f-91ae-9d46d27baf5c","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Site-Reliability\"]"} {"level":"info","ts":"2026-06-12T17:11:16Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"1bdfb128-211f-4d5f-91ae-9d46d27baf5c","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-12T17:11:16Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"1bdfb128-211f-4d5f-91ae-9d46d27baf5c","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-12T17:11:17Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"e38e8b6f-3e04-4024-9d34-aac5aa9ba594","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.10:49796","PortSpecifier":{"PortValue":49796}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.44:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"e38e8b6f-3e04-4024-9d34-aac5aa9ba594","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.9083e241-89eb-4c15-b9de-19a0126fa28e.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-12T17:11:17Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"e38e8b6f-3e04-4024-9d34-aac5aa9ba594","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.10:49796","PortSpecifier":{"PortValue":49796}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.44:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781284277,"nanos":136437534},"http":{"id":"e38e8b6f-3e04-4024-9d34-aac5aa9ba594","method":"POST","headers":{":authority":"maas.apps.9083e241-89eb-4c15-b9de-19a0126fa28e.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-12T17:11:17Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"e38e8b6f-3e04-4024-9d34-aac5aa9ba594","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781284577,"groups":["Engineering","Project-Alpha"],"iat":1781284277,"iss":"https://keycloak.apps.9083e241-89eb-4c15-b9de-19a0126fa28e.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:075c9cfe-c742-d19d-ce97-bf5e7810229c","preferred_username":"alice_lead","scope":"email profile","sid":"om0sIUB5PpfmcNzTGl4jOshI","sub":"6377ca4a-40c5-42bf-aa8a-0b9bd3337050","typ":"Bearer"}} {"level":"debug","ts":"2026-06-12T17:11:17Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"e38e8b6f-3e04-4024-9d34-aac5aa9ba594","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781284577,"groups":["Engineering","Project-Alpha"],"iat":1781284277,"iss":"https://keycloak.apps.9083e241-89eb-4c15-b9de-19a0126fa28e.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:075c9cfe-c742-d19d-ce97-bf5e7810229c","preferred_username":"alice_lead","scope":"email profile","sid":"om0sIUB5PpfmcNzTGl4jOshI","sub":"6377ca4a-40c5-42bf-aa8a-0b9bd3337050","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.134.0.44:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.9083e241-89eb-4c15-b9de-19a0126fa28e.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-12T17:11:17Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"e38e8b6f-3e04-4024-9d34-aac5aa9ba594","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T17:11:17Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"e38e8b6f-3e04-4024-9d34-aac5aa9ba594","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T17:11:17Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"e38e8b6f-3e04-4024-9d34-aac5aa9ba594","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T17:11:17Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"e38e8b6f-3e04-4024-9d34-aac5aa9ba594","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"groups","Value":{}},{"Name":"userid","Value":{}}]},"Plain":null},"reason":"no such key: metadata"} {"level":"debug","ts":"2026-06-12T17:11:17Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"e38e8b6f-3e04-4024-9d34-aac5aa9ba594","config":{"Name":"X-MaaS-Tenant-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Tenant","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"opendatahub"} {"level":"debug","ts":"2026-06-12T17:11:17Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"e38e8b6f-3e04-4024-9d34-aac5aa9ba594","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"} {"level":"debug","ts":"2026-06-12T17:11:17Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"e38e8b6f-3e04-4024-9d34-aac5aa9ba594","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"} {"level":"info","ts":"2026-06-12T17:11:17Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"e38e8b6f-3e04-4024-9d34-aac5aa9ba594","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-12T17:11:17Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"e38e8b6f-3e04-4024-9d34-aac5aa9ba594","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-12T17:11:17Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"e573be42-d429-4267-8e82-69b791b4d1f0","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.10:49804","PortSpecifier":{"PortValue":49804}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.44:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"e573be42-d429-4267-8e82-69b791b4d1f0","method":"GET","path":"/maas-api/v1/models","host":"maas.apps.9083e241-89eb-4c15-b9de-19a0126fa28e.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-12T17:11:17Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"e573be42-d429-4267-8e82-69b791b4d1f0","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.10:49804","PortSpecifier":{"PortValue":49804}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.44:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781284277,"nanos":166483712},"http":{"id":"e573be42-d429-4267-8e82-69b791b4d1f0","method":"GET","headers":{":authority":"maas.apps.9083e241-89eb-4c15-b9de-19a0126fa28e.prod.konfluxeaas.com",":method":"GET",":path":"/maas-api/v1/models",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-12T17:11:17Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"e573be42-d429-4267-8e82-69b791b4d1f0","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-zfbiwv4gCdH5OQis_17laHeUKg6DQCHJ1oWG4jd3fZ30ST4AABHlyUgOYtr"} {"level":"debug","ts":"2026-06-12T17:11:17Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"e573be42-d429-4267-8e82-69b791b4d1f0","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-zfbiwv4gCdH5OQis_17laHeUKg6DQCHJ1oWG4jd3fZ30ST4AABHlyUgOYtr\"}"} {"level":"debug","ts":"2026-06-12T17:11:17Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"e573be42-d429-4267-8e82-69b791b4d1f0","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-12T17:11:17Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"e573be42-d429-4267-8e82-69b791b4d1f0","input":{"auth":{"identity":"Bearer **** deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-12T17:11:17Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"e573be42-d429-4267-8e82-69b791b4d1f0","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T17:11:17Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"e573be42-d429-4267-8e82-69b791b4d1f0","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T17:11:17Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"e573be42-d429-4267-8e82-69b791b4d1f0","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T17:11:17Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"e573be42-d429-4267-8e82-69b791b4d1f0","config":{"Name":"X-MaaS-Tenant","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-12T17:11:17Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"e573be42-d429-4267-8e82-69b791b4d1f0","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-12T17:11:17Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"e573be42-d429-4267-8e82-69b791b4d1f0","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-12T17:11:17Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"e573be42-d429-4267-8e82-69b791b4d1f0","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"groups","Value":{}},{"Name":"userid","Value":{}}]},"Plain":null},"reason":"no such key: subscription-info"} {"level":"debug","ts":"2026-06-12T17:11:17Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"e573be42-d429-4267-8e82-69b791b4d1f0","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"} {"level":"info","ts":"2026-06-12T17:11:17Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"e573be42-d429-4267-8e82-69b791b4d1f0","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-12T17:11:17Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"e573be42-d429-4267-8e82-69b791b4d1f0","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-12T17:11:17Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"d0a3b8dd-67d2-4a26-8fba-4d1d0ee14712","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.39:60884","PortSpecifier":{"PortValue":60884}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.44:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"d0a3b8dd-67d2-4a26-8fba-4d1d0ee14712","method":"GET","path":"/llm/facebook-opt-125m-simulated/v1/models","host":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local","scheme":"https"}}}} {"level":"debug","ts":"2026-06-12T17:11:17Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"d0a3b8dd-67d2-4a26-8fba-4d1d0ee14712","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.39:60884","PortSpecifier":{"PortValue":60884}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.44:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781284277,"nanos":184526868},"http":{"id":"d0a3b8dd-67d2-4a26-8fba-4d1d0ee14712","method":"GET","headers":{":authority":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local",":method":"GET",":path":"/llm/facebook-opt-125m-simulated/v1/models",":scheme":"https","accept-encoding":"gzip","authorization":"Bearer **** {"level":"debug","ts":"2026-06-12T17:11:17Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"d0a3b8dd-67d2-4a26-8fba-4d1d0ee14712","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-zfbiwv4gCdH5OQis_17laHeUKg6DQCHJ1oWG4jd3fZ30ST4AABHlyUgOYtr"} {"level":"debug","ts":"2026-06-12T17:11:17Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"d0a3b8dd-67d2-4a26-8fba-4d1d0ee14712","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-zfbiwv4gCdH5OQis_17laHeUKg6DQCHJ1oWG4jd3fZ30ST4AABHlyUgOYtr\"}"} {"level":"debug","ts":"2026-06-12T17:11:17Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"d0a3b8dd-67d2-4a26-8fba-4d1d0ee14712","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-12T17:11:17Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"d0a3b8dd-67d2-4a26-8fba-4d1d0ee14712","config":"subscription-info","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","headers":{"Content-Type":["application/json"]},"body":"{\"groups\":[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"],\"requestedModel\":\"llm/facebook-opt-125m-simulated\",\"requestedSubscription\":\"simulator-subscription\",\"username\":\"alice_lead\"}"} {"level":"debug","ts":"2026-06-12T17:11:17Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"d0a3b8dd-67d2-4a26-8fba-4d1d0ee14712","config":{"Name":"subscription-info","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"UserInfo":null,"UMA":null,"GenericHTTP":{"Endpoint":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","DynamicEndpoint":null,"Method":"POST","Body":{},"Parameters":[],"Headers":[],"ContentType":"application/json","SharedSecret":"","OAuth2":null,"OAuth2TokenForceFetch":false,"AuthCredentials":null}},"object":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}} {"level":"debug","ts":"2026-06-12T17:11:17Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"d0a3b8dd-67d2-4a26-8fba-4d1d0ee14712","input":{"auth":{"identity":"Bearer **** subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}}},"context":{"context_extensions":{"host":"3dd75e19cd66d310c30638e330078972afd6d2d96305f91055bc6a6f363fb8d3"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.134.0.44:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local",":method":"GET",":path":"/llm/facebook-opt-125m-simulated/v1/models",":scheme":"https","accept-encoding":"gzip","authorization":"Bearer **** sk-oai-zfbiwv4gCdH5OQis_17laHeUKg6DQCHJ1oWG4jd3fZ30ST4AABHlyUgOYtr","user-agent":"Go-http-client/1.1","x-envoy-decorator-operation":"facebook-opt-125m-simulated-kserve-workload-svc.llm.svc.cluster.local:8000/*","x-envoy-external-address":"10.132.0.39","x-envoy-peer-metadata":"ChoKCkNMVVNURVJfSUQSDBoKS3ViZXJuZXRlcwqLAQoGTEFCRUxTEoABKn4KSwofc2VydmljZS5pc3Rpby5pby9jYW5vbmljYWwtbmFtZRIoGiZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAovCiNzZXJ2aWNlLmlzdGlvLmlvL2Nhbm9uaWNhbC1yZXZpc2lvbhIIGgZsYXRlc3QKQAoETkFNRRI4GjZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdC02ODdmZjY5OTYtOTc5OXgKIAoJTkFNRVNQQUNFEhMaEW9wZW5zaGlmdC1pbmdyZXNzCnQKBU9XTkVSEmsaaWt1YmVybmV0ZXM6Ly9hcGlzL2FwcHMvdjEvbmFtZXNwYWNlcy9vcGVuc2hpZnQtaW5ncmVzcy9kZXBsb3ltZW50cy9tYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAo5Cg1XT1JLTE9BRF9OQU1FEigaJm1hYXMtZGVmYXVsdC1nYXRld2F5LW9wZW5zaGlmdC1kZWZhdWx0","x-envoy-peer-metadata-id":"router~10.134.0.44~maas-default-gateway-openshift-default-687ff6996-9799x.openshift-ingress~openshift-ingress.svc.cluster.local","x-forwarded-for":"10.132.0.39","x-forwarded-proto":"https","x-maas-subscription":"simulator-subscription","x-request-id":"d0a3b8dd-67d2-4a26-8fba-4d1d0ee14712"},"host":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local","id":"d0a3b8dd-67d2-4a26-8fba-4d1d0ee14712","method":"GET","path":"/llm/facebook-opt-125m-simulated/v1/models","protocol":"HTTP/1.1","scheme":"https","time":{"nanos":184526868,"seconds":1781284277},"url_path":"/llm/facebook-opt-125m-simulated/v1/models","user_agent":"Go-http-client/1.1"},"source":{"address":"10.132.0.39:60884","port":60884}}} {"level":"debug","ts":"2026-06-12T17:11:17Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"d0a3b8dd-67d2-4a26-8fba-4d1d0ee14712","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T17:11:17Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"d0a3b8dd-67d2-4a26-8fba-4d1d0ee14712","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T17:11:17Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"d0a3b8dd-67d2-4a26-8fba-4d1d0ee14712","config":{"Name":"subscription-valid","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T17:11:17Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"d0a3b8dd-67d2-4a26-8fba-4d1d0ee14712","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T17:11:17Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"d0a3b8dd-67d2-4a26-8fba-4d1d0ee14712","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-12T17:11:17Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"d0a3b8dd-67d2-4a26-8fba-4d1d0ee14712","config":{"Name":"X-MaaS-Tenant","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-12T17:11:17Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"d0a3b8dd-67d2-4a26-8fba-4d1d0ee14712","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-12T17:11:17Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"d0a3b8dd-67d2-4a26-8fba-4d1d0ee14712","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"} {"level":"debug","ts":"2026-06-12T17:11:17Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"d0a3b8dd-67d2-4a26-8fba-4d1d0ee14712","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"selected_subscription","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"userid","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"groups","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"keyId","Value":{}}]},"Plain":null},"object":{"groups":["system:authenticated","Engineering","Project-Alpha"],"groups_str":"system:authenticated,Engineering,Project-Alpha","keyId":"f771d10b-d0f5-450f-b69a-90649cf3525d","selected_subscription":"simulator-subscription","selected_subscription_key":"models-as-a-service/simulator-subscription@llm/facebook-opt-125m-simulated","subscription_error":"","subscription_error_message":"","subscription_info":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true},"userid":"alice_lead"}} {"level":"info","ts":"2026-06-12T17:11:17Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"d0a3b8dd-67d2-4a26-8fba-4d1d0ee14712","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-12T17:11:17Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"d0a3b8dd-67d2-4a26-8fba-4d1d0ee14712","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-12T17:11:17Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"82a07268-d2e2-41ed-aa0c-65dc9573b7a1","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.10:49818","PortSpecifier":{"PortValue":49818}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.44:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"82a07268-d2e2-41ed-aa0c-65dc9573b7a1","method":"POST","path":"/llm/facebook-opt-125m-simulated/v1/chat/completions","host":"maas.apps.9083e241-89eb-4c15-b9de-19a0126fa28e.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-12T17:11:17Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"82a07268-d2e2-41ed-aa0c-65dc9573b7a1","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.10:49818","PortSpecifier":{"PortValue":49818}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.44:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781284277,"nanos":214067199},"http":{"id":"82a07268-d2e2-41ed-aa0c-65dc9573b7a1","method":"POST","headers":{":authority":"maas.apps.9083e241-89eb-4c15-b9de-19a0126fa28e.prod.konfluxeaas.com",":method":"POST",":path":"/llm/facebook-opt-125m-simulated/v1/chat/completions",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-12T17:11:17Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"82a07268-d2e2-41ed-aa0c-65dc9573b7a1","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-zfbiwv4gCdH5OQis_17laHeUKg6DQCHJ1oWG4jd3fZ30ST4AABHlyUgOYtr"} {"level":"debug","ts":"2026-06-12T17:11:17Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"82a07268-d2e2-41ed-aa0c-65dc9573b7a1","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-zfbiwv4gCdH5OQis_17laHeUKg6DQCHJ1oWG4jd3fZ30ST4AABHlyUgOYtr\"}"} {"level":"debug","ts":"2026-06-12T17:11:17Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"82a07268-d2e2-41ed-aa0c-65dc9573b7a1","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-12T17:11:17Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"82a07268-d2e2-41ed-aa0c-65dc9573b7a1","config":"subscription-info","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","headers":{"Content-Type":["application/json"]},"body":"{\"groups\":[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"],\"requestedModel\":\"llm/facebook-opt-125m-simulated\",\"requestedSubscription\":\"simulator-subscription\",\"username\":\"alice_lead\"}"} {"level":"debug","ts":"2026-06-12T17:11:17Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"82a07268-d2e2-41ed-aa0c-65dc9573b7a1","config":{"Name":"subscription-info","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"UserInfo":null,"UMA":null,"GenericHTTP":{"Endpoint":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","DynamicEndpoint":null,"Method":"POST","Body":{},"Parameters":[],"Headers":[],"ContentType":"application/json","SharedSecret":"","OAuth2":null,"OAuth2TokenForceFetch":false,"AuthCredentials":null}},"object":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}} {"level":"debug","ts":"2026-06-12T17:11:17Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"82a07268-d2e2-41ed-aa0c-65dc9573b7a1","input":{"auth":{"identity":"Bearer **** subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}}},"context":{"context_extensions":{"host":"18e32965997cdd9967355c6fa5264ed12c0a215989d459ed88d7d6de02865f76"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.134.0.44:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.9083e241-89eb-4c15-b9de-19a0126fa28e.prod.konfluxeaas.com",":method":"POST",":path":"/llm/facebook-opt-125m-simulated/v1/chat/completions",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-12T17:11:17Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"82a07268-d2e2-41ed-aa0c-65dc9573b7a1","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T17:11:17Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"82a07268-d2e2-41ed-aa0c-65dc9573b7a1","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T17:11:17Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"82a07268-d2e2-41ed-aa0c-65dc9573b7a1","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T17:11:17Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"82a07268-d2e2-41ed-aa0c-65dc9573b7a1","config":{"Name":"subscription-valid","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T17:11:17Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"82a07268-d2e2-41ed-aa0c-65dc9573b7a1","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-12T17:11:17Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"82a07268-d2e2-41ed-aa0c-65dc9573b7a1","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-12T17:11:17Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"82a07268-d2e2-41ed-aa0c-65dc9573b7a1","config":{"Name":"X-MaaS-Tenant","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-12T17:11:17Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"82a07268-d2e2-41ed-aa0c-65dc9573b7a1","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"} {"level":"debug","ts":"2026-06-12T17:11:17Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"82a07268-d2e2-41ed-aa0c-65dc9573b7a1","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"subscription_error_message","Value":{}},{"Name":"groups","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"userid","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"subscription_info","Value":{}}]},"Plain":null},"object":{"groups":["system:authenticated","Engineering","Project-Alpha"],"groups_str":"system:authenticated,Engineering,Project-Alpha","keyId":"f771d10b-d0f5-450f-b69a-90649cf3525d","selected_subscription":"simulator-subscription","selected_subscription_key":"models-as-a-service/simulator-subscription@llm/facebook-opt-125m-simulated","subscription_error":"","subscription_error_message":"","subscription_info":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true},"userid":"alice_lead"}} {"level":"info","ts":"2026-06-12T17:11:17Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"82a07268-d2e2-41ed-aa0c-65dc9573b7a1","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-12T17:11:17Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"82a07268-d2e2-41ed-aa0c-65dc9573b7a1","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-12T17:11:17Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"22dc0b17-2311-4129-b2c4-fbe98221a425","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.10:49828","PortSpecifier":{"PortValue":49828}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.44:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"22dc0b17-2311-4129-b2c4-fbe98221a425","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.9083e241-89eb-4c15-b9de-19a0126fa28e.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-12T17:11:17Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"22dc0b17-2311-4129-b2c4-fbe98221a425","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.10:49828","PortSpecifier":{"PortValue":49828}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.44:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781284277,"nanos":307501056},"http":{"id":"22dc0b17-2311-4129-b2c4-fbe98221a425","method":"POST","headers":{":authority":"maas.apps.9083e241-89eb-4c15-b9de-19a0126fa28e.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-12T17:11:17Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"22dc0b17-2311-4129-b2c4-fbe98221a425","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781284577,"groups":["Engineering","Project-Alpha"],"iat":1781284277,"iss":"https://keycloak.apps.9083e241-89eb-4c15-b9de-19a0126fa28e.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:ac291c28-f3f1-acc2-136e-d1e5ae23588b","preferred_username":"alice_lead","scope":"email profile","sid":"EyoQbPL_bghc-7ldZgCLu90B","sub":"6377ca4a-40c5-42bf-aa8a-0b9bd3337050","typ":"Bearer"}} {"level":"debug","ts":"2026-06-12T17:11:17Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"22dc0b17-2311-4129-b2c4-fbe98221a425","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781284577,"groups":["Engineering","Project-Alpha"],"iat":1781284277,"iss":"https://keycloak.apps.9083e241-89eb-4c15-b9de-19a0126fa28e.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:ac291c28-f3f1-acc2-136e-d1e5ae23588b","preferred_username":"alice_lead","scope":"email profile","sid":"EyoQbPL_bghc-7ldZgCLu90B","sub":"6377ca4a-40c5-42bf-aa8a-0b9bd3337050","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.134.0.44:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.9083e241-89eb-4c15-b9de-19a0126fa28e.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-12T17:11:17Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"22dc0b17-2311-4129-b2c4-fbe98221a425","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T17:11:17Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"22dc0b17-2311-4129-b2c4-fbe98221a425","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T17:11:17Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"22dc0b17-2311-4129-b2c4-fbe98221a425","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T17:11:17Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"22dc0b17-2311-4129-b2c4-fbe98221a425","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"groups","Value":{}},{"Name":"userid","Value":{}}]},"Plain":null},"reason":"no such key: metadata"} {"level":"debug","ts":"2026-06-12T17:11:17Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"22dc0b17-2311-4129-b2c4-fbe98221a425","config":{"Name":"X-MaaS-Tenant-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Tenant","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"opendatahub"} {"level":"debug","ts":"2026-06-12T17:11:17Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"22dc0b17-2311-4129-b2c4-fbe98221a425","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"} {"level":"debug","ts":"2026-06-12T17:11:17Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"22dc0b17-2311-4129-b2c4-fbe98221a425","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"} {"level":"info","ts":"2026-06-12T17:11:17Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"22dc0b17-2311-4129-b2c4-fbe98221a425","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-12T17:11:17Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"22dc0b17-2311-4129-b2c4-fbe98221a425","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-12T17:11:17Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"05460f75-7832-40dd-87c4-10db71149e03","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.10:49830","PortSpecifier":{"PortValue":49830}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.44:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"05460f75-7832-40dd-87c4-10db71149e03","method":"DELETE","path":"/maas-api/v1/api-keys/4ce444f4-a9f9-4d53-adb2-a9d9168c52c6","host":"maas.apps.9083e241-89eb-4c15-b9de-19a0126fa28e.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-12T17:11:17Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"05460f75-7832-40dd-87c4-10db71149e03","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.10:49830","PortSpecifier":{"PortValue":49830}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.44:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781284277,"nanos":337683347},"http":{"id":"05460f75-7832-40dd-87c4-10db71149e03","method":"DELETE","headers":{":authority":"maas.apps.9083e241-89eb-4c15-b9de-19a0126fa28e.prod.konfluxeaas.com",":method":"DELETE",":path":"/maas-api/v1/api-keys/4ce444f4-a9f9-4d53-adb2-a9d9168c52c6",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-12T17:11:17Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"05460f75-7832-40dd-87c4-10db71149e03","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781284577,"groups":["Engineering","Project-Alpha"],"iat":1781284277,"iss":"https://keycloak.apps.9083e241-89eb-4c15-b9de-19a0126fa28e.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:ac291c28-f3f1-acc2-136e-d1e5ae23588b","preferred_username":"alice_lead","scope":"email profile","sid":"EyoQbPL_bghc-7ldZgCLu90B","sub":"6377ca4a-40c5-42bf-aa8a-0b9bd3337050","typ":"Bearer"}} {"level":"debug","ts":"2026-06-12T17:11:17Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"05460f75-7832-40dd-87c4-10db71149e03","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781284577,"groups":["Engineering","Project-Alpha"],"iat":1781284277,"iss":"https://keycloak.apps.9083e241-89eb-4c15-b9de-19a0126fa28e.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:ac291c28-f3f1-acc2-136e-d1e5ae23588b","preferred_username":"alice_lead","scope":"email profile","sid":"EyoQbPL_bghc-7ldZgCLu90B","sub":"6377ca4a-40c5-42bf-aa8a-0b9bd3337050","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.134.0.44:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.9083e241-89eb-4c15-b9de-19a0126fa28e.prod.konfluxeaas.com",":method":"DELETE",":path":"/maas-api/v1/api-keys/4ce444f4-a9f9-4d53-adb2-a9d9168c52c6",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-12T17:11:17Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"05460f75-7832-40dd-87c4-10db71149e03","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T17:11:17Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"05460f75-7832-40dd-87c4-10db71149e03","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T17:11:17Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"05460f75-7832-40dd-87c4-10db71149e03","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T17:11:17Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"05460f75-7832-40dd-87c4-10db71149e03","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"groups","Value":{}},{"Name":"userid","Value":{}}]},"Plain":null},"reason":"no such key: metadata"} {"level":"debug","ts":"2026-06-12T17:11:17Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"05460f75-7832-40dd-87c4-10db71149e03","config":{"Name":"X-MaaS-Tenant-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Tenant","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"opendatahub"} {"level":"debug","ts":"2026-06-12T17:11:17Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"05460f75-7832-40dd-87c4-10db71149e03","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"} {"level":"debug","ts":"2026-06-12T17:11:17Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"05460f75-7832-40dd-87c4-10db71149e03","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"} {"level":"info","ts":"2026-06-12T17:11:17Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"05460f75-7832-40dd-87c4-10db71149e03","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-12T17:11:17Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"05460f75-7832-40dd-87c4-10db71149e03","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-12T17:11:20Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"3acbff68-dab1-4bef-ac32-23a8087ac13e","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.10:35568","PortSpecifier":{"PortValue":35568}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.44:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"3acbff68-dab1-4bef-ac32-23a8087ac13e","method":"GET","path":"/maas-api/v1/models","host":"maas.apps.9083e241-89eb-4c15-b9de-19a0126fa28e.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-12T17:11:20Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"3acbff68-dab1-4bef-ac32-23a8087ac13e","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.10:35568","PortSpecifier":{"PortValue":35568}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.44:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781284280,"nanos":368909626},"http":{"id":"3acbff68-dab1-4bef-ac32-23a8087ac13e","method":"GET","headers":{":authority":"maas.apps.9083e241-89eb-4c15-b9de-19a0126fa28e.prod.konfluxeaas.com",":method":"GET",":path":"/maas-api/v1/models",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-12T17:11:20Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"3acbff68-dab1-4bef-ac32-23a8087ac13e","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-qj4ripOKRcPOGkRC_WuXJTi5SnGjRIuni8nS6o2CzRtKLl2u1Oq4lCDy29Tc"} {"level":"debug","ts":"2026-06-12T17:11:20Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"3acbff68-dab1-4bef-ac32-23a8087ac13e","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-qj4ripOKRcPOGkRC_WuXJTi5SnGjRIuni8nS6o2CzRtKLl2u1Oq4lCDy29Tc\"}"} {"level":"debug","ts":"2026-06-12T17:11:20Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"3acbff68-dab1-4bef-ac32-23a8087ac13e","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** revoked or expired","valid":false}} {"level":"debug","ts":"2026-06-12T17:11:20Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"3acbff68-dab1-4bef-ac32-23a8087ac13e","input":{"auth":{"identity":"Bearer **** revoked or expired","valid":false}}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.134.0.44:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.9083e241-89eb-4c15-b9de-19a0126fa28e.prod.konfluxeaas.com",":method":"GET",":path":"/maas-api/v1/models",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-12T17:11:20Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access denied","request id":"3acbff68-dab1-4bef-ac32-23a8087ac13e","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"reason":"Unauthorized"} {"level":"info","ts":"2026-06-12T17:11:20Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"3acbff68-dab1-4bef-ac32-23a8087ac13e","authorized":false,"response":"PERMISSION_DENIED","object":{"code":7,"status":403,"message":"Unauthorized"}} {"level":"debug","ts":"2026-06-12T17:11:20Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"3acbff68-dab1-4bef-ac32-23a8087ac13e","authorized":false,"response":"PERMISSION_DENIED","object":{"code":7,"status":403,"message":"Unauthorized","headers":[{"content-type":"text/plain"},{"x-ext-auth-reason":""}]}} {"level":"info","ts":"2026-06-12T17:11:20Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"3709324b-7bb8-44f8-948d-ed9767dff205","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.10:35572","PortSpecifier":{"PortValue":35572}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.44:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"3709324b-7bb8-44f8-948d-ed9767dff205","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.9083e241-89eb-4c15-b9de-19a0126fa28e.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-12T17:11:20Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"3709324b-7bb8-44f8-948d-ed9767dff205","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.10:35572","PortSpecifier":{"PortValue":35572}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.44:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781284280,"nanos":487634785},"http":{"id":"3709324b-7bb8-44f8-948d-ed9767dff205","method":"POST","headers":{":authority":"maas.apps.9083e241-89eb-4c15-b9de-19a0126fa28e.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-12T17:11:20Z","logger":"authorino.service.auth.authpipeline.identity","msg":"cannot validate identity","request id":"3709324b-7bb8-44f8-948d-ed9767dff205","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"reason":"failed to verify signature: failed to verify id token signature"} {"level":"debug","ts":"2026-06-12T17:11:20Z","logger":"authorino.service.auth.authpipeline.identity.kubernetesauth","msg":"calling kubernetes token review api","request id":"3709324b-7bb8-44f8-948d-ed9767dff205","tokenreview":{"name":""}} {"level":"debug","ts":"2026-06-12T17:11:20Z","logger":"authorino.service.auth.authpipeline.identity","msg":"cannot validate identity","request id":"3709324b-7bb8-44f8-948d-ed9767dff205","config":{"Name":"openshift-identities","Priority":2,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":null,"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"Plain":null,"Noop":null,"ExtendedProperties":[]},"reason":"not authenticated"} {"level":"info","ts":"2026-06-12T17:11:20Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"3709324b-7bb8-44f8-948d-ed9767dff205","authorized":false,"response":"UNAUTHENTICATED","object":{"code":16,"status":401,"message":"Authentication required"}} {"level":"debug","ts":"2026-06-12T17:11:20Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"3709324b-7bb8-44f8-948d-ed9767dff205","authorized":false,"response":"UNAUTHENTICATED","object":{"code":16,"status":401,"message":"Authentication required","headers":[{"WWW-Authenticate":"request.headers.authorization realm=\"api-keys\""},{"WWW-Authenticate":"Bearer **** realm=\"openshift-identities\""}]}} {"level":"info","ts":"2026-06-12T17:11:20Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"9392595c-3d1a-4fa4-ada7-297b29826a40","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.10:35576","PortSpecifier":{"PortValue":35576}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.44:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"9392595c-3d1a-4fa4-ada7-297b29826a40","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.9083e241-89eb-4c15-b9de-19a0126fa28e.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-12T17:11:20Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"9392595c-3d1a-4fa4-ada7-297b29826a40","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.10:35576","PortSpecifier":{"PortValue":35576}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.44:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781284280,"nanos":641617366},"http":{"id":"9392595c-3d1a-4fa4-ada7-297b29826a40","method":"POST","headers":{":authority":"maas.apps.9083e241-89eb-4c15-b9de-19a0126fa28e.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-12T17:11:20Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"9392595c-3d1a-4fa4-ada7-297b29826a40","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781284580,"groups":["Engineering","Project-Alpha"],"iat":1781284280,"iss":"https://keycloak.apps.9083e241-89eb-4c15-b9de-19a0126fa28e.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:eaf01d55-2d90-1a90-2efb-aa88b1ae6620","preferred_username":"alice_lead","scope":"email profile","sid":"LDMpBRtjH4h0UndxuMjmbUGG","sub":"6377ca4a-40c5-42bf-aa8a-0b9bd3337050","typ":"Bearer"}} {"level":"debug","ts":"2026-06-12T17:11:20Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"9392595c-3d1a-4fa4-ada7-297b29826a40","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781284580,"groups":["Engineering","Project-Alpha"],"iat":1781284280,"iss":"https://keycloak.apps.9083e241-89eb-4c15-b9de-19a0126fa28e.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:eaf01d55-2d90-1a90-2efb-aa88b1ae6620","preferred_username":"alice_lead","scope":"email profile","sid":"LDMpBRtjH4h0UndxuMjmbUGG","sub":"6377ca4a-40c5-42bf-aa8a-0b9bd3337050","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.134.0.44:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.9083e241-89eb-4c15-b9de-19a0126fa28e.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-12T17:11:20Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"9392595c-3d1a-4fa4-ada7-297b29826a40","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T17:11:20Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"9392595c-3d1a-4fa4-ada7-297b29826a40","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T17:11:20Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"9392595c-3d1a-4fa4-ada7-297b29826a40","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T17:11:20Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"9392595c-3d1a-4fa4-ada7-297b29826a40","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"groups","Value":{}},{"Name":"userid","Value":{}}]},"Plain":null},"reason":"no such key: metadata"} {"level":"debug","ts":"2026-06-12T17:11:20Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"9392595c-3d1a-4fa4-ada7-297b29826a40","config":{"Name":"X-MaaS-Tenant-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Tenant","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"opendatahub"} {"level":"debug","ts":"2026-06-12T17:11:20Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"9392595c-3d1a-4fa4-ada7-297b29826a40","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"} {"level":"debug","ts":"2026-06-12T17:11:20Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"9392595c-3d1a-4fa4-ada7-297b29826a40","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"} {"level":"info","ts":"2026-06-12T17:11:20Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"9392595c-3d1a-4fa4-ada7-297b29826a40","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-12T17:11:20Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"9392595c-3d1a-4fa4-ada7-297b29826a40","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-12T17:11:20Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"8bfe3054-9cb6-4eda-bec6-9b3c8ce0373b","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.10:35584","PortSpecifier":{"PortValue":35584}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.44:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"8bfe3054-9cb6-4eda-bec6-9b3c8ce0373b","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.9083e241-89eb-4c15-b9de-19a0126fa28e.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-12T17:11:20Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"8bfe3054-9cb6-4eda-bec6-9b3c8ce0373b","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.10:35584","PortSpecifier":{"PortValue":35584}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.44:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781284280,"nanos":669349921},"http":{"id":"8bfe3054-9cb6-4eda-bec6-9b3c8ce0373b","method":"POST","headers":{":authority":"maas.apps.9083e241-89eb-4c15-b9de-19a0126fa28e.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-12T17:11:20Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"8bfe3054-9cb6-4eda-bec6-9b3c8ce0373b","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781284580,"groups":["Site-Reliability"],"iat":1781284280,"iss":"https://keycloak.apps.9083e241-89eb-4c15-b9de-19a0126fa28e.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:0fe27c3b-d0e4-4da6-c98e-c6c03e0f0e91","preferred_username":"bob_sre","scope":"email profile","sid":"AgYD-3yo0SqR_OdKjrgFLXYk","sub":"e0f4f3ef-a861-4910-92bd-eff8189e37fd","typ":"Bearer"}} {"level":"debug","ts":"2026-06-12T17:11:20Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"8bfe3054-9cb6-4eda-bec6-9b3c8ce0373b","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781284580,"groups":["Site-Reliability"],"iat":1781284280,"iss":"https://keycloak.apps.9083e241-89eb-4c15-b9de-19a0126fa28e.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:0fe27c3b-d0e4-4da6-c98e-c6c03e0f0e91","preferred_username":"bob_sre","scope":"email profile","sid":"AgYD-3yo0SqR_OdKjrgFLXYk","sub":"e0f4f3ef-a861-4910-92bd-eff8189e37fd","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.134.0.44:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.9083e241-89eb-4c15-b9de-19a0126fa28e.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-12T17:11:20Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"8bfe3054-9cb6-4eda-bec6-9b3c8ce0373b","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T17:11:20Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"8bfe3054-9cb6-4eda-bec6-9b3c8ce0373b","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T17:11:20Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"8bfe3054-9cb6-4eda-bec6-9b3c8ce0373b","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T17:11:20Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"8bfe3054-9cb6-4eda-bec6-9b3c8ce0373b","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"groups","Value":{}},{"Name":"userid","Value":{}}]},"Plain":null},"reason":"no such key: metadata"} {"level":"debug","ts":"2026-06-12T17:11:20Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"8bfe3054-9cb6-4eda-bec6-9b3c8ce0373b","config":{"Name":"X-MaaS-Tenant-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Tenant","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"opendatahub"} {"level":"debug","ts":"2026-06-12T17:11:20Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"8bfe3054-9cb6-4eda-bec6-9b3c8ce0373b","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Site-Reliability\"]"} {"level":"debug","ts":"2026-06-12T17:11:20Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"8bfe3054-9cb6-4eda-bec6-9b3c8ce0373b","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"bob_sre"} {"level":"info","ts":"2026-06-12T17:11:20Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"8bfe3054-9cb6-4eda-bec6-9b3c8ce0373b","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-12T17:11:20Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"8bfe3054-9cb6-4eda-bec6-9b3c8ce0373b","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-12T17:11:20Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"85549a91-3bbe-4598-97ea-829efd438c7c","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.10:35600","PortSpecifier":{"PortValue":35600}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.44:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"85549a91-3bbe-4598-97ea-829efd438c7c","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.9083e241-89eb-4c15-b9de-19a0126fa28e.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-12T17:11:20Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"85549a91-3bbe-4598-97ea-829efd438c7c","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.10:35600","PortSpecifier":{"PortValue":35600}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.44:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781284280,"nanos":753592741},"http":{"id":"85549a91-3bbe-4598-97ea-829efd438c7c","method":"POST","headers":{":authority":"maas.apps.9083e241-89eb-4c15-b9de-19a0126fa28e.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-12T17:11:20Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"85549a91-3bbe-4598-97ea-829efd438c7c","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781284580,"groups":["Engineering","Project-Alpha"],"iat":1781284280,"iss":"https://keycloak.apps.9083e241-89eb-4c15-b9de-19a0126fa28e.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:21ebf36b-06f0-6574-9bb8-bcbf33891776","preferred_username":"alice_lead","scope":"email profile","sid":"kPspx6Zvo-H1ucMlqWN07e5m","sub":"6377ca4a-40c5-42bf-aa8a-0b9bd3337050","typ":"Bearer"}} {"level":"debug","ts":"2026-06-12T17:11:20Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"85549a91-3bbe-4598-97ea-829efd438c7c","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781284580,"groups":["Engineering","Project-Alpha"],"iat":1781284280,"iss":"https://keycloak.apps.9083e241-89eb-4c15-b9de-19a0126fa28e.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:21ebf36b-06f0-6574-9bb8-bcbf33891776","preferred_username":"alice_lead","scope":"email profile","sid":"kPspx6Zvo-H1ucMlqWN07e5m","sub":"6377ca4a-40c5-42bf-aa8a-0b9bd3337050","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.134.0.44:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.9083e241-89eb-4c15-b9de-19a0126fa28e.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-12T17:11:20Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"85549a91-3bbe-4598-97ea-829efd438c7c","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T17:11:20Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"85549a91-3bbe-4598-97ea-829efd438c7c","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T17:11:20Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"85549a91-3bbe-4598-97ea-829efd438c7c","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T17:11:20Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"85549a91-3bbe-4598-97ea-829efd438c7c","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"groups","Value":{}},{"Name":"userid","Value":{}}]},"Plain":null},"reason":"no such key: metadata"} {"level":"debug","ts":"2026-06-12T17:11:20Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"85549a91-3bbe-4598-97ea-829efd438c7c","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"} {"level":"debug","ts":"2026-06-12T17:11:20Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"85549a91-3bbe-4598-97ea-829efd438c7c","config":{"Name":"X-MaaS-Tenant-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Tenant","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"opendatahub"} {"level":"debug","ts":"2026-06-12T17:11:20Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"85549a91-3bbe-4598-97ea-829efd438c7c","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"} {"level":"info","ts":"2026-06-12T17:11:20Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"85549a91-3bbe-4598-97ea-829efd438c7c","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-12T17:11:20Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"85549a91-3bbe-4598-97ea-829efd438c7c","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-12T17:11:20Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"bbb596ac-6aa0-480b-ac80-8f9a24978ee7","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.10:35608","PortSpecifier":{"PortValue":35608}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.44:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"bbb596ac-6aa0-480b-ac80-8f9a24978ee7","method":"DELETE","path":"/maas-api/v1/api-keys/fd45d3c2-4af1-48ba-b747-1e7fb824b1b5","host":"maas.apps.9083e241-89eb-4c15-b9de-19a0126fa28e.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-12T17:11:20Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"bbb596ac-6aa0-480b-ac80-8f9a24978ee7","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.10:35608","PortSpecifier":{"PortValue":35608}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.44:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781284280,"nanos":781554208},"http":{"id":"bbb596ac-6aa0-480b-ac80-8f9a24978ee7","method":"DELETE","headers":{":authority":"maas.apps.9083e241-89eb-4c15-b9de-19a0126fa28e.prod.konfluxeaas.com",":method":"DELETE",":path":"/maas-api/v1/api-keys/fd45d3c2-4af1-48ba-b747-1e7fb824b1b5",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-12T17:11:20Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"bbb596ac-6aa0-480b-ac80-8f9a24978ee7","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781284580,"groups":["Engineering","Project-Alpha"],"iat":1781284280,"iss":"https://keycloak.apps.9083e241-89eb-4c15-b9de-19a0126fa28e.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:21ebf36b-06f0-6574-9bb8-bcbf33891776","preferred_username":"alice_lead","scope":"email profile","sid":"kPspx6Zvo-H1ucMlqWN07e5m","sub":"6377ca4a-40c5-42bf-aa8a-0b9bd3337050","typ":"Bearer"}} {"level":"debug","ts":"2026-06-12T17:11:20Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"bbb596ac-6aa0-480b-ac80-8f9a24978ee7","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781284580,"groups":["Engineering","Project-Alpha"],"iat":1781284280,"iss":"https://keycloak.apps.9083e241-89eb-4c15-b9de-19a0126fa28e.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:21ebf36b-06f0-6574-9bb8-bcbf33891776","preferred_username":"alice_lead","scope":"email profile","sid":"kPspx6Zvo-H1ucMlqWN07e5m","sub":"6377ca4a-40c5-42bf-aa8a-0b9bd3337050","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.134.0.44:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.9083e241-89eb-4c15-b9de-19a0126fa28e.prod.konfluxeaas.com",":method":"DELETE",":path":"/maas-api/v1/api-keys/fd45d3c2-4af1-48ba-b747-1e7fb824b1b5",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-12T17:11:20Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"bbb596ac-6aa0-480b-ac80-8f9a24978ee7","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T17:11:20Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"bbb596ac-6aa0-480b-ac80-8f9a24978ee7","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T17:11:20Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"bbb596ac-6aa0-480b-ac80-8f9a24978ee7","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T17:11:20Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"bbb596ac-6aa0-480b-ac80-8f9a24978ee7","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"groups","Value":{}},{"Name":"userid","Value":{}}]},"Plain":null},"reason":"no such key: metadata"} {"level":"debug","ts":"2026-06-12T17:11:20Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"bbb596ac-6aa0-480b-ac80-8f9a24978ee7","config":{"Name":"X-MaaS-Tenant-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Tenant","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"opendatahub"} {"level":"debug","ts":"2026-06-12T17:11:20Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"bbb596ac-6aa0-480b-ac80-8f9a24978ee7","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"} {"level":"debug","ts":"2026-06-12T17:11:20Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"bbb596ac-6aa0-480b-ac80-8f9a24978ee7","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"} {"level":"info","ts":"2026-06-12T17:11:20Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"bbb596ac-6aa0-480b-ac80-8f9a24978ee7","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-12T17:11:20Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"bbb596ac-6aa0-480b-ac80-8f9a24978ee7","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-12T17:11:20Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"5e1a145a-f36a-4ea9-aae2-37e3666d976b","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.10:35616","PortSpecifier":{"PortValue":35616}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.44:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"5e1a145a-f36a-4ea9-aae2-37e3666d976b","method":"DELETE","path":"/maas-api/v1/api-keys/fd45d3c2-4af1-48ba-b747-1e7fb824b1b5","host":"maas.apps.9083e241-89eb-4c15-b9de-19a0126fa28e.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-12T17:11:20Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"5e1a145a-f36a-4ea9-aae2-37e3666d976b","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.10:35616","PortSpecifier":{"PortValue":35616}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.44:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781284280,"nanos":808383399},"http":{"id":"5e1a145a-f36a-4ea9-aae2-37e3666d976b","method":"DELETE","headers":{":authority":"maas.apps.9083e241-89eb-4c15-b9de-19a0126fa28e.prod.konfluxeaas.com",":method":"DELETE",":path":"/maas-api/v1/api-keys/fd45d3c2-4af1-48ba-b747-1e7fb824b1b5",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-12T17:11:20Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"5e1a145a-f36a-4ea9-aae2-37e3666d976b","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781284580,"groups":["Engineering","Project-Alpha"],"iat":1781284280,"iss":"https://keycloak.apps.9083e241-89eb-4c15-b9de-19a0126fa28e.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:21ebf36b-06f0-6574-9bb8-bcbf33891776","preferred_username":"alice_lead","scope":"email profile","sid":"kPspx6Zvo-H1ucMlqWN07e5m","sub":"6377ca4a-40c5-42bf-aa8a-0b9bd3337050","typ":"Bearer"}} {"level":"debug","ts":"2026-06-12T17:11:20Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"5e1a145a-f36a-4ea9-aae2-37e3666d976b","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781284580,"groups":["Engineering","Project-Alpha"],"iat":1781284280,"iss":"https://keycloak.apps.9083e241-89eb-4c15-b9de-19a0126fa28e.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:21ebf36b-06f0-6574-9bb8-bcbf33891776","preferred_username":"alice_lead","scope":"email profile","sid":"kPspx6Zvo-H1ucMlqWN07e5m","sub":"6377ca4a-40c5-42bf-aa8a-0b9bd3337050","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.134.0.44:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.9083e241-89eb-4c15-b9de-19a0126fa28e.prod.konfluxeaas.com",":method":"DELETE",":path":"/maas-api/v1/api-keys/fd45d3c2-4af1-48ba-b747-1e7fb824b1b5",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-12T17:11:20Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"5e1a145a-f36a-4ea9-aae2-37e3666d976b","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T17:11:20Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"5e1a145a-f36a-4ea9-aae2-37e3666d976b","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T17:11:20Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"5e1a145a-f36a-4ea9-aae2-37e3666d976b","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T17:11:20Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"5e1a145a-f36a-4ea9-aae2-37e3666d976b","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"groups","Value":{}},{"Name":"userid","Value":{}}]},"Plain":null},"reason":"no such key: metadata"} {"level":"debug","ts":"2026-06-12T17:11:20Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"5e1a145a-f36a-4ea9-aae2-37e3666d976b","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"} {"level":"debug","ts":"2026-06-12T17:11:20Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"5e1a145a-f36a-4ea9-aae2-37e3666d976b","config":{"Name":"X-MaaS-Tenant-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Tenant","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"opendatahub"} {"level":"debug","ts":"2026-06-12T17:11:20Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"5e1a145a-f36a-4ea9-aae2-37e3666d976b","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"} {"level":"info","ts":"2026-06-12T17:11:20Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"5e1a145a-f36a-4ea9-aae2-37e3666d976b","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-12T17:11:20Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"5e1a145a-f36a-4ea9-aae2-37e3666d976b","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-12T17:11:20Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"0fdfd8d7-5430-44d5-990e-43b5c0655dd4","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.10:35622","PortSpecifier":{"PortValue":35622}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.44:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"0fdfd8d7-5430-44d5-990e-43b5c0655dd4","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.9083e241-89eb-4c15-b9de-19a0126fa28e.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-12T17:11:20Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"0fdfd8d7-5430-44d5-990e-43b5c0655dd4","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.10:35622","PortSpecifier":{"PortValue":35622}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.44:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781284280,"nanos":890947104},"http":{"id":"0fdfd8d7-5430-44d5-990e-43b5c0655dd4","method":"POST","headers":{":authority":"maas.apps.9083e241-89eb-4c15-b9de-19a0126fa28e.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-12T17:11:20Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"0fdfd8d7-5430-44d5-990e-43b5c0655dd4","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781284580,"groups":["Engineering","Project-Alpha"],"iat":1781284280,"iss":"https://keycloak.apps.9083e241-89eb-4c15-b9de-19a0126fa28e.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:c71c3bae-07b2-cfa3-9172-1f9a3182c581","preferred_username":"alice_lead","scope":"email profile","sid":"i1hMcU3gd5P6BCcqd1YVi3lM","sub":"6377ca4a-40c5-42bf-aa8a-0b9bd3337050","typ":"Bearer"}} {"level":"debug","ts":"2026-06-12T17:11:20Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"0fdfd8d7-5430-44d5-990e-43b5c0655dd4","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781284580,"groups":["Engineering","Project-Alpha"],"iat":1781284280,"iss":"https://keycloak.apps.9083e241-89eb-4c15-b9de-19a0126fa28e.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:c71c3bae-07b2-cfa3-9172-1f9a3182c581","preferred_username":"alice_lead","scope":"email profile","sid":"i1hMcU3gd5P6BCcqd1YVi3lM","sub":"6377ca4a-40c5-42bf-aa8a-0b9bd3337050","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.134.0.44:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.9083e241-89eb-4c15-b9de-19a0126fa28e.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-12T17:11:20Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"0fdfd8d7-5430-44d5-990e-43b5c0655dd4","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T17:11:20Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"0fdfd8d7-5430-44d5-990e-43b5c0655dd4","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T17:11:20Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"0fdfd8d7-5430-44d5-990e-43b5c0655dd4","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T17:11:20Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"0fdfd8d7-5430-44d5-990e-43b5c0655dd4","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"groups","Value":{}},{"Name":"userid","Value":{}}]},"Plain":null},"reason":"no such key: metadata"} {"level":"debug","ts":"2026-06-12T17:11:20Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"0fdfd8d7-5430-44d5-990e-43b5c0655dd4","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"} {"level":"debug","ts":"2026-06-12T17:11:20Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"0fdfd8d7-5430-44d5-990e-43b5c0655dd4","config":{"Name":"X-MaaS-Tenant-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Tenant","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"opendatahub"} {"level":"debug","ts":"2026-06-12T17:11:20Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"0fdfd8d7-5430-44d5-990e-43b5c0655dd4","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"} {"level":"info","ts":"2026-06-12T17:11:20Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"0fdfd8d7-5430-44d5-990e-43b5c0655dd4","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-12T17:11:20Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"0fdfd8d7-5430-44d5-990e-43b5c0655dd4","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-12T17:11:20Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"a64a7016-43d2-4d4c-b56a-29ac91a73a6e","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.10:35638","PortSpecifier":{"PortValue":35638}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.44:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"a64a7016-43d2-4d4c-b56a-29ac91a73a6e","method":"GET","path":"/maas-api/v1/models","host":"maas.apps.9083e241-89eb-4c15-b9de-19a0126fa28e.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-12T17:11:20Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"a64a7016-43d2-4d4c-b56a-29ac91a73a6e","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.10:35638","PortSpecifier":{"PortValue":35638}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.44:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781284280,"nanos":921554927},"http":{"id":"a64a7016-43d2-4d4c-b56a-29ac91a73a6e","method":"GET","headers":{":authority":"maas.apps.9083e241-89eb-4c15-b9de-19a0126fa28e.prod.konfluxeaas.com",":method":"GET",":path":"/maas-api/v1/models",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-12T17:11:20Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"a64a7016-43d2-4d4c-b56a-29ac91a73a6e","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-1e5aHUUZauIXVOWbz_sbBQeCZx3jOGcoF6D8eqtctTNfb8Kwg9W6t7CQ51jix"} {"level":"debug","ts":"2026-06-12T17:11:20Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"a64a7016-43d2-4d4c-b56a-29ac91a73a6e","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-1e5aHUUZauIXVOWbz_sbBQeCZx3jOGcoF6D8eqtctTNfb8Kwg9W6t7CQ51jix\"}"} {"level":"debug","ts":"2026-06-12T17:11:20Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"a64a7016-43d2-4d4c-b56a-29ac91a73a6e","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-12T17:11:20Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"a64a7016-43d2-4d4c-b56a-29ac91a73a6e","input":{"auth":{"identity":"Bearer **** deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-12T17:11:20Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"a64a7016-43d2-4d4c-b56a-29ac91a73a6e","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T17:11:20Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"a64a7016-43d2-4d4c-b56a-29ac91a73a6e","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T17:11:20Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"a64a7016-43d2-4d4c-b56a-29ac91a73a6e","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T17:11:20Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"a64a7016-43d2-4d4c-b56a-29ac91a73a6e","config":{"Name":"X-MaaS-Tenant","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-12T17:11:20Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"a64a7016-43d2-4d4c-b56a-29ac91a73a6e","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-12T17:11:20Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"a64a7016-43d2-4d4c-b56a-29ac91a73a6e","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-12T17:11:20Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"a64a7016-43d2-4d4c-b56a-29ac91a73a6e","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"groups","Value":{}},{"Name":"userid","Value":{}}]},"Plain":null},"reason":"no such key: subscription-info"} {"level":"debug","ts":"2026-06-12T17:11:20Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"a64a7016-43d2-4d4c-b56a-29ac91a73a6e","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"} {"level":"info","ts":"2026-06-12T17:11:20Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"a64a7016-43d2-4d4c-b56a-29ac91a73a6e","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-12T17:11:20Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"a64a7016-43d2-4d4c-b56a-29ac91a73a6e","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-12T17:11:20Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"b90998a7-5c49-48ed-8137-ca340f01d12d","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.39:60884","PortSpecifier":{"PortValue":60884}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.44:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"b90998a7-5c49-48ed-8137-ca340f01d12d","method":"GET","path":"/llm/facebook-opt-125m-simulated/v1/models","host":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local","scheme":"https"}}}} {"level":"debug","ts":"2026-06-12T17:11:20Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"b90998a7-5c49-48ed-8137-ca340f01d12d","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.39:60884","PortSpecifier":{"PortValue":60884}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.44:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781284280,"nanos":929020143},"http":{"id":"b90998a7-5c49-48ed-8137-ca340f01d12d","method":"GET","headers":{":authority":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local",":method":"GET",":path":"/llm/facebook-opt-125m-simulated/v1/models",":scheme":"https","accept-encoding":"gzip","authorization":"Bearer **** {"level":"debug","ts":"2026-06-12T17:11:20Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"b90998a7-5c49-48ed-8137-ca340f01d12d","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-1e5aHUUZauIXVOWbz_sbBQeCZx3jOGcoF6D8eqtctTNfb8Kwg9W6t7CQ51jix"} {"level":"debug","ts":"2026-06-12T17:11:20Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"b90998a7-5c49-48ed-8137-ca340f01d12d","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-1e5aHUUZauIXVOWbz_sbBQeCZx3jOGcoF6D8eqtctTNfb8Kwg9W6t7CQ51jix\"}"} {"level":"debug","ts":"2026-06-12T17:11:20Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"b90998a7-5c49-48ed-8137-ca340f01d12d","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-12T17:11:20Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"b90998a7-5c49-48ed-8137-ca340f01d12d","config":"subscription-info","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","headers":{"Content-Type":["application/json"]},"body":"{\"groups\":[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"],\"requestedModel\":\"llm/facebook-opt-125m-simulated\",\"requestedSubscription\":\"simulator-subscription\",\"username\":\"alice_lead\"}"} {"level":"debug","ts":"2026-06-12T17:11:20Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"b90998a7-5c49-48ed-8137-ca340f01d12d","config":{"Name":"subscription-info","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"UserInfo":null,"UMA":null,"GenericHTTP":{"Endpoint":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","DynamicEndpoint":null,"Method":"POST","Body":{},"Parameters":[],"Headers":[],"ContentType":"application/json","SharedSecret":"","OAuth2":null,"OAuth2TokenForceFetch":false,"AuthCredentials":null}},"object":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}} {"level":"debug","ts":"2026-06-12T17:11:20Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"b90998a7-5c49-48ed-8137-ca340f01d12d","input":{"auth":{"identity":"Bearer **** subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}}},"context":{"context_extensions":{"host":"3dd75e19cd66d310c30638e330078972afd6d2d96305f91055bc6a6f363fb8d3"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.134.0.44:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local",":method":"GET",":path":"/llm/facebook-opt-125m-simulated/v1/models",":scheme":"https","accept-encoding":"gzip","authorization":"Bearer **** sk-oai-1e5aHUUZauIXVOWbz_sbBQeCZx3jOGcoF6D8eqtctTNfb8Kwg9W6t7CQ51jix","user-agent":"Go-http-client/1.1","x-envoy-decorator-operation":"facebook-opt-125m-simulated-kserve-workload-svc.llm.svc.cluster.local:8000/*","x-envoy-external-address":"10.132.0.39","x-envoy-peer-metadata":"ChoKCkNMVVNURVJfSUQSDBoKS3ViZXJuZXRlcwqLAQoGTEFCRUxTEoABKn4KSwofc2VydmljZS5pc3Rpby5pby9jYW5vbmljYWwtbmFtZRIoGiZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAovCiNzZXJ2aWNlLmlzdGlvLmlvL2Nhbm9uaWNhbC1yZXZpc2lvbhIIGgZsYXRlc3QKQAoETkFNRRI4GjZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdC02ODdmZjY5OTYtOTc5OXgKIAoJTkFNRVNQQUNFEhMaEW9wZW5zaGlmdC1pbmdyZXNzCnQKBU9XTkVSEmsaaWt1YmVybmV0ZXM6Ly9hcGlzL2FwcHMvdjEvbmFtZXNwYWNlcy9vcGVuc2hpZnQtaW5ncmVzcy9kZXBsb3ltZW50cy9tYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAo5Cg1XT1JLTE9BRF9OQU1FEigaJm1hYXMtZGVmYXVsdC1nYXRld2F5LW9wZW5zaGlmdC1kZWZhdWx0","x-envoy-peer-metadata-id":"router~10.134.0.44~maas-default-gateway-openshift-default-687ff6996-9799x.openshift-ingress~openshift-ingress.svc.cluster.local","x-forwarded-for":"10.132.0.39","x-forwarded-proto":"https","x-maas-subscription":"simulator-subscription","x-request-id":"b90998a7-5c49-48ed-8137-ca340f01d12d"},"host":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local","id":"b90998a7-5c49-48ed-8137-ca340f01d12d","method":"GET","path":"/llm/facebook-opt-125m-simulated/v1/models","protocol":"HTTP/1.1","scheme":"https","time":{"nanos":929020143,"seconds":1781284280},"url_path":"/llm/facebook-opt-125m-simulated/v1/models","user_agent":"Go-http-client/1.1"},"source":{"address":"10.132.0.39:60884","port":60884}}} {"level":"debug","ts":"2026-06-12T17:11:20Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"b90998a7-5c49-48ed-8137-ca340f01d12d","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T17:11:20Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"b90998a7-5c49-48ed-8137-ca340f01d12d","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T17:11:20Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"b90998a7-5c49-48ed-8137-ca340f01d12d","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T17:11:20Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"b90998a7-5c49-48ed-8137-ca340f01d12d","config":{"Name":"subscription-valid","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T17:11:20Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"b90998a7-5c49-48ed-8137-ca340f01d12d","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-12T17:11:20Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"b90998a7-5c49-48ed-8137-ca340f01d12d","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-12T17:11:20Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"b90998a7-5c49-48ed-8137-ca340f01d12d","config":{"Name":"X-MaaS-Tenant","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-12T17:11:20Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"b90998a7-5c49-48ed-8137-ca340f01d12d","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"} {"level":"debug","ts":"2026-06-12T17:11:20Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"b90998a7-5c49-48ed-8137-ca340f01d12d","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"selected_subscription","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"userid","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"groups","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"keyId","Value":{}}]},"Plain":null},"object":{"groups":["system:authenticated","Engineering","Project-Alpha"],"groups_str":"system:authenticated,Engineering,Project-Alpha","keyId":"5320fedc-8467-43de-be14-81d91f0448eb","selected_subscription":"simulator-subscription","selected_subscription_key":"models-as-a-service/simulator-subscription@llm/facebook-opt-125m-simulated","subscription_error":"","subscription_error_message":"","subscription_info":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true},"userid":"alice_lead"}} {"level":"info","ts":"2026-06-12T17:11:20Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"b90998a7-5c49-48ed-8137-ca340f01d12d","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-12T17:11:20Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"b90998a7-5c49-48ed-8137-ca340f01d12d","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-12T17:11:21Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"408567e3-b578-49f6-9874-1d9e9ebaee09","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.10:35646","PortSpecifier":{"PortValue":35646}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.44:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"408567e3-b578-49f6-9874-1d9e9ebaee09","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.9083e241-89eb-4c15-b9de-19a0126fa28e.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-12T17:11:21Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"408567e3-b578-49f6-9874-1d9e9ebaee09","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.10:35646","PortSpecifier":{"PortValue":35646}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.44:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781284281,"nanos":18426436},"http":{"id":"408567e3-b578-49f6-9874-1d9e9ebaee09","method":"POST","headers":{":authority":"maas.apps.9083e241-89eb-4c15-b9de-19a0126fa28e.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-12T17:11:21Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"408567e3-b578-49f6-9874-1d9e9ebaee09","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781284580,"groups":["Engineering","Project-Alpha"],"iat":1781284280,"iss":"https://keycloak.apps.9083e241-89eb-4c15-b9de-19a0126fa28e.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:bcb67161-24f2-4572-cc0f-1e1c478786c0","preferred_username":"alice_lead","scope":"email profile","sid":"tcdsTo1WLf82K57zH5mpMYD1","sub":"6377ca4a-40c5-42bf-aa8a-0b9bd3337050","typ":"Bearer"}} {"level":"debug","ts":"2026-06-12T17:11:21Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"408567e3-b578-49f6-9874-1d9e9ebaee09","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781284580,"groups":["Engineering","Project-Alpha"],"iat":1781284280,"iss":"https://keycloak.apps.9083e241-89eb-4c15-b9de-19a0126fa28e.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:bcb67161-24f2-4572-cc0f-1e1c478786c0","preferred_username":"alice_lead","scope":"email profile","sid":"tcdsTo1WLf82K57zH5mpMYD1","sub":"6377ca4a-40c5-42bf-aa8a-0b9bd3337050","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.134.0.44:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.9083e241-89eb-4c15-b9de-19a0126fa28e.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-12T17:11:21Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"408567e3-b578-49f6-9874-1d9e9ebaee09","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T17:11:21Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"408567e3-b578-49f6-9874-1d9e9ebaee09","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T17:11:21Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"408567e3-b578-49f6-9874-1d9e9ebaee09","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T17:11:21Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"408567e3-b578-49f6-9874-1d9e9ebaee09","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"groups","Value":{}},{"Name":"userid","Value":{}}]},"Plain":null},"reason":"no such key: metadata"} {"level":"debug","ts":"2026-06-12T17:11:21Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"408567e3-b578-49f6-9874-1d9e9ebaee09","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"} {"level":"debug","ts":"2026-06-12T17:11:21Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"408567e3-b578-49f6-9874-1d9e9ebaee09","config":{"Name":"X-MaaS-Tenant-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Tenant","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"opendatahub"} {"level":"debug","ts":"2026-06-12T17:11:21Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"408567e3-b578-49f6-9874-1d9e9ebaee09","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"} {"level":"info","ts":"2026-06-12T17:11:21Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"408567e3-b578-49f6-9874-1d9e9ebaee09","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-12T17:11:21Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"408567e3-b578-49f6-9874-1d9e9ebaee09","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-12T17:11:21Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"b7a9de10-dac0-4bda-aab0-5a7b70630663","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.10:35656","PortSpecifier":{"PortValue":35656}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.44:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"b7a9de10-dac0-4bda-aab0-5a7b70630663","method":"GET","path":"/maas-api/v1/models","host":"maas.apps.9083e241-89eb-4c15-b9de-19a0126fa28e.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-12T17:11:21Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"b7a9de10-dac0-4bda-aab0-5a7b70630663","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.10:35656","PortSpecifier":{"PortValue":35656}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.44:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781284281,"nanos":45457519},"http":{"id":"b7a9de10-dac0-4bda-aab0-5a7b70630663","method":"GET","headers":{":authority":"maas.apps.9083e241-89eb-4c15-b9de-19a0126fa28e.prod.konfluxeaas.com",":method":"GET",":path":"/maas-api/v1/models",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-12T17:11:21Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"b7a9de10-dac0-4bda-aab0-5a7b70630663","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-1IezmX5nhFXeANPLW_McSXoZndVqI26r5652TGLrQTCn3YolDWmu3rAleHUQJ"} {"level":"debug","ts":"2026-06-12T17:11:21Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"b7a9de10-dac0-4bda-aab0-5a7b70630663","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-1IezmX5nhFXeANPLW_McSXoZndVqI26r5652TGLrQTCn3YolDWmu3rAleHUQJ\"}"} {"level":"debug","ts":"2026-06-12T17:11:21Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"b7a9de10-dac0-4bda-aab0-5a7b70630663","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-12T17:11:21Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"b7a9de10-dac0-4bda-aab0-5a7b70630663","input":{"auth":{"identity":"Bearer **** deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-12T17:11:21Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"b7a9de10-dac0-4bda-aab0-5a7b70630663","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T17:11:21Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"b7a9de10-dac0-4bda-aab0-5a7b70630663","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T17:11:21Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"b7a9de10-dac0-4bda-aab0-5a7b70630663","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T17:11:21Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"b7a9de10-dac0-4bda-aab0-5a7b70630663","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-12T17:11:21Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"b7a9de10-dac0-4bda-aab0-5a7b70630663","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-12T17:11:21Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"b7a9de10-dac0-4bda-aab0-5a7b70630663","config":{"Name":"X-MaaS-Tenant","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-12T17:11:21Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"b7a9de10-dac0-4bda-aab0-5a7b70630663","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"groups","Value":{}},{"Name":"userid","Value":{}}]},"Plain":null},"reason":"no such key: subscription-info"} {"level":"debug","ts":"2026-06-12T17:11:21Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"b7a9de10-dac0-4bda-aab0-5a7b70630663","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"} {"level":"info","ts":"2026-06-12T17:11:21Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"b7a9de10-dac0-4bda-aab0-5a7b70630663","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-12T17:11:21Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"b7a9de10-dac0-4bda-aab0-5a7b70630663","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-12T17:11:21Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"3654bb5c-ab83-443e-b323-cbe3f64cc7c5","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.10:35664","PortSpecifier":{"PortValue":35664}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.44:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"3654bb5c-ab83-443e-b323-cbe3f64cc7c5","method":"GET","path":"/maas-api/v1/models","host":"maas.apps.9083e241-89eb-4c15-b9de-19a0126fa28e.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-12T17:11:21Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"3654bb5c-ab83-443e-b323-cbe3f64cc7c5","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.10:35664","PortSpecifier":{"PortValue":35664}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.44:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781284281,"nanos":71593958},"http":{"id":"3654bb5c-ab83-443e-b323-cbe3f64cc7c5","method":"GET","headers":{":authority":"maas.apps.9083e241-89eb-4c15-b9de-19a0126fa28e.prod.konfluxeaas.com",":method":"GET",":path":"/maas-api/v1/models",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-12T17:11:21Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"3654bb5c-ab83-443e-b323-cbe3f64cc7c5","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-1IezmX5nhFXeANPLW_McSXoZndVqI26r5652TGLrQTCn3YolDWmu3rAleHUQJ"} {"level":"debug","ts":"2026-06-12T17:11:21Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"3654bb5c-ab83-443e-b323-cbe3f64cc7c5","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-1IezmX5nhFXeANPLW_McSXoZndVqI26r5652TGLrQTCn3YolDWmu3rAleHUQJ\"}"} {"level":"debug","ts":"2026-06-12T17:11:21Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"3654bb5c-ab83-443e-b323-cbe3f64cc7c5","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-12T17:11:21Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"3654bb5c-ab83-443e-b323-cbe3f64cc7c5","input":{"auth":{"identity":"Bearer **** deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-12T17:11:21Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"3654bb5c-ab83-443e-b323-cbe3f64cc7c5","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T17:11:21Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"3654bb5c-ab83-443e-b323-cbe3f64cc7c5","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T17:11:21Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"3654bb5c-ab83-443e-b323-cbe3f64cc7c5","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T17:11:21Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"3654bb5c-ab83-443e-b323-cbe3f64cc7c5","config":{"Name":"X-MaaS-Tenant","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-12T17:11:21Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"3654bb5c-ab83-443e-b323-cbe3f64cc7c5","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-12T17:11:21Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"3654bb5c-ab83-443e-b323-cbe3f64cc7c5","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-12T17:11:21Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"3654bb5c-ab83-443e-b323-cbe3f64cc7c5","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"groups","Value":{}},{"Name":"userid","Value":{}}]},"Plain":null},"reason":"no such key: subscription-info"} {"level":"debug","ts":"2026-06-12T17:11:21Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"3654bb5c-ab83-443e-b323-cbe3f64cc7c5","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"} {"level":"info","ts":"2026-06-12T17:11:21Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"3654bb5c-ab83-443e-b323-cbe3f64cc7c5","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-12T17:11:21Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"3654bb5c-ab83-443e-b323-cbe3f64cc7c5","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-12T17:11:21Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"97b3838d-6624-4468-ae5c-fb2c12a1988d","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.39:60884","PortSpecifier":{"PortValue":60884}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.44:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"97b3838d-6624-4468-ae5c-fb2c12a1988d","method":"GET","path":"/llm/facebook-opt-125m-simulated/v1/models","host":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local","scheme":"https"}}}} {"level":"debug","ts":"2026-06-12T17:11:21Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"97b3838d-6624-4468-ae5c-fb2c12a1988d","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.39:60884","PortSpecifier":{"PortValue":60884}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.44:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781284281,"nanos":79136130},"http":{"id":"97b3838d-6624-4468-ae5c-fb2c12a1988d","method":"GET","headers":{":authority":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local",":method":"GET",":path":"/llm/facebook-opt-125m-simulated/v1/models",":scheme":"https","accept-encoding":"gzip","authorization":"Bearer **** {"level":"debug","ts":"2026-06-12T17:11:21Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"97b3838d-6624-4468-ae5c-fb2c12a1988d","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-1IezmX5nhFXeANPLW_McSXoZndVqI26r5652TGLrQTCn3YolDWmu3rAleHUQJ"} {"level":"debug","ts":"2026-06-12T17:11:21Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"97b3838d-6624-4468-ae5c-fb2c12a1988d","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-1IezmX5nhFXeANPLW_McSXoZndVqI26r5652TGLrQTCn3YolDWmu3rAleHUQJ\"}"} {"level":"debug","ts":"2026-06-12T17:11:21Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"97b3838d-6624-4468-ae5c-fb2c12a1988d","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-12T17:11:21Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"97b3838d-6624-4468-ae5c-fb2c12a1988d","config":"subscription-info","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","headers":{"Content-Type":["application/json"]},"body":"{\"groups\":[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"],\"requestedModel\":\"llm/facebook-opt-125m-simulated\",\"requestedSubscription\":\"simulator-subscription\",\"username\":\"alice_lead\"}"} {"level":"debug","ts":"2026-06-12T17:11:21Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"97b3838d-6624-4468-ae5c-fb2c12a1988d","config":{"Name":"subscription-info","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"UserInfo":null,"UMA":null,"GenericHTTP":{"Endpoint":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","DynamicEndpoint":null,"Method":"POST","Body":{},"Parameters":[],"Headers":[],"ContentType":"application/json","SharedSecret":"","OAuth2":null,"OAuth2TokenForceFetch":false,"AuthCredentials":null}},"object":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}} {"level":"debug","ts":"2026-06-12T17:11:21Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"97b3838d-6624-4468-ae5c-fb2c12a1988d","input":{"auth":{"identity":"Bearer **** subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}}},"context":{"context_extensions":{"host":"3dd75e19cd66d310c30638e330078972afd6d2d96305f91055bc6a6f363fb8d3"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.134.0.44:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local",":method":"GET",":path":"/llm/facebook-opt-125m-simulated/v1/models",":scheme":"https","accept-encoding":"gzip","authorization":"Bearer **** sk-oai-1IezmX5nhFXeANPLW_McSXoZndVqI26r5652TGLrQTCn3YolDWmu3rAleHUQJ","user-agent":"Go-http-client/1.1","x-envoy-decorator-operation":"facebook-opt-125m-simulated-kserve-workload-svc.llm.svc.cluster.local:8000/*","x-envoy-external-address":"10.132.0.39","x-envoy-peer-metadata":"ChoKCkNMVVNURVJfSUQSDBoKS3ViZXJuZXRlcwqLAQoGTEFCRUxTEoABKn4KSwofc2VydmljZS5pc3Rpby5pby9jYW5vbmljYWwtbmFtZRIoGiZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAovCiNzZXJ2aWNlLmlzdGlvLmlvL2Nhbm9uaWNhbC1yZXZpc2lvbhIIGgZsYXRlc3QKQAoETkFNRRI4GjZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdC02ODdmZjY5OTYtOTc5OXgKIAoJTkFNRVNQQUNFEhMaEW9wZW5zaGlmdC1pbmdyZXNzCnQKBU9XTkVSEmsaaWt1YmVybmV0ZXM6Ly9hcGlzL2FwcHMvdjEvbmFtZXNwYWNlcy9vcGVuc2hpZnQtaW5ncmVzcy9kZXBsb3ltZW50cy9tYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAo5Cg1XT1JLTE9BRF9OQU1FEigaJm1hYXMtZGVmYXVsdC1nYXRld2F5LW9wZW5zaGlmdC1kZWZhdWx0","x-envoy-peer-metadata-id":"router~10.134.0.44~maas-default-gateway-openshift-default-687ff6996-9799x.openshift-ingress~openshift-ingress.svc.cluster.local","x-forwarded-for":"10.132.0.39","x-forwarded-proto":"https","x-maas-subscription":"simulator-subscription","x-request-id":"97b3838d-6624-4468-ae5c-fb2c12a1988d"},"host":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local","id":"97b3838d-6624-4468-ae5c-fb2c12a1988d","method":"GET","path":"/llm/facebook-opt-125m-simulated/v1/models","protocol":"HTTP/1.1","scheme":"https","time":{"nanos":79136130,"seconds":1781284281},"url_path":"/llm/facebook-opt-125m-simulated/v1/models","user_agent":"Go-http-client/1.1"},"source":{"address":"10.132.0.39:60884","port":60884}}} {"level":"debug","ts":"2026-06-12T17:11:21Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"97b3838d-6624-4468-ae5c-fb2c12a1988d","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T17:11:21Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"97b3838d-6624-4468-ae5c-fb2c12a1988d","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T17:11:21Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"97b3838d-6624-4468-ae5c-fb2c12a1988d","config":{"Name":"subscription-valid","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T17:11:21Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"97b3838d-6624-4468-ae5c-fb2c12a1988d","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T17:11:21Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"97b3838d-6624-4468-ae5c-fb2c12a1988d","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-12T17:11:21Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"97b3838d-6624-4468-ae5c-fb2c12a1988d","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-12T17:11:21Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"97b3838d-6624-4468-ae5c-fb2c12a1988d","config":{"Name":"X-MaaS-Tenant","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-12T17:11:21Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"97b3838d-6624-4468-ae5c-fb2c12a1988d","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"} {"level":"debug","ts":"2026-06-12T17:11:21Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"97b3838d-6624-4468-ae5c-fb2c12a1988d","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"selected_subscription","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"userid","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"groups","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"keyId","Value":{}}]},"Plain":null},"object":{"groups":["system:authenticated","Engineering","Project-Alpha"],"groups_str":"system:authenticated,Engineering,Project-Alpha","keyId":"82aefc79-383a-4b8e-bdec-12c42c34f0fb","selected_subscription":"simulator-subscription","selected_subscription_key":"models-as-a-service/simulator-subscription@llm/facebook-opt-125m-simulated","subscription_error":"","subscription_error_message":"","subscription_info":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true},"userid":"alice_lead"}} {"level":"info","ts":"2026-06-12T17:11:21Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"97b3838d-6624-4468-ae5c-fb2c12a1988d","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-12T17:11:21Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"97b3838d-6624-4468-ae5c-fb2c12a1988d","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-12T17:11:21Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"6dd18be5-8497-4f05-83fc-d82abd6d4e26","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.10:35674","PortSpecifier":{"PortValue":35674}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.44:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"6dd18be5-8497-4f05-83fc-d82abd6d4e26","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.9083e241-89eb-4c15-b9de-19a0126fa28e.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-12T17:11:21Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"6dd18be5-8497-4f05-83fc-d82abd6d4e26","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.10:35674","PortSpecifier":{"PortValue":35674}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.44:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781284281,"nanos":166729115},"http":{"id":"6dd18be5-8497-4f05-83fc-d82abd6d4e26","method":"POST","headers":{":authority":"maas.apps.9083e241-89eb-4c15-b9de-19a0126fa28e.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-12T17:11:21Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"6dd18be5-8497-4f05-83fc-d82abd6d4e26","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781284581,"groups":["Engineering","Project-Alpha"],"iat":1781284281,"iss":"https://keycloak.apps.9083e241-89eb-4c15-b9de-19a0126fa28e.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:5757a60c-9aca-d949-1d60-bf8b6e0034cf","preferred_username":"alice_lead","scope":"email profile","sid":"U69iZhbOpwH5NvSPKJUVAR4q","sub":"6377ca4a-40c5-42bf-aa8a-0b9bd3337050","typ":"Bearer"}} {"level":"debug","ts":"2026-06-12T17:11:21Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"6dd18be5-8497-4f05-83fc-d82abd6d4e26","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781284581,"groups":["Engineering","Project-Alpha"],"iat":1781284281,"iss":"https://keycloak.apps.9083e241-89eb-4c15-b9de-19a0126fa28e.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:5757a60c-9aca-d949-1d60-bf8b6e0034cf","preferred_username":"alice_lead","scope":"email profile","sid":"U69iZhbOpwH5NvSPKJUVAR4q","sub":"6377ca4a-40c5-42bf-aa8a-0b9bd3337050","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.134.0.44:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.9083e241-89eb-4c15-b9de-19a0126fa28e.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-12T17:11:21Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"6dd18be5-8497-4f05-83fc-d82abd6d4e26","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T17:11:21Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"6dd18be5-8497-4f05-83fc-d82abd6d4e26","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T17:11:21Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"6dd18be5-8497-4f05-83fc-d82abd6d4e26","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T17:11:21Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"6dd18be5-8497-4f05-83fc-d82abd6d4e26","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"groups","Value":{}},{"Name":"userid","Value":{}}]},"Plain":null},"reason":"no such key: metadata"} {"level":"debug","ts":"2026-06-12T17:11:21Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"6dd18be5-8497-4f05-83fc-d82abd6d4e26","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"} {"level":"debug","ts":"2026-06-12T17:11:21Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"6dd18be5-8497-4f05-83fc-d82abd6d4e26","config":{"Name":"X-MaaS-Tenant-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Tenant","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"opendatahub"} {"level":"debug","ts":"2026-06-12T17:11:21Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"6dd18be5-8497-4f05-83fc-d82abd6d4e26","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"} {"level":"info","ts":"2026-06-12T17:11:21Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"6dd18be5-8497-4f05-83fc-d82abd6d4e26","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-12T17:11:21Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"6dd18be5-8497-4f05-83fc-d82abd6d4e26","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-12T17:11:21Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"6d5e748d-f944-4671-a7b0-ac3e898f96e8","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.10:35678","PortSpecifier":{"PortValue":35678}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.44:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"6d5e748d-f944-4671-a7b0-ac3e898f96e8","method":"GET","path":"/maas-api/v1/models","host":"maas.apps.9083e241-89eb-4c15-b9de-19a0126fa28e.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-12T17:11:21Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"6d5e748d-f944-4671-a7b0-ac3e898f96e8","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.10:35678","PortSpecifier":{"PortValue":35678}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.44:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781284281,"nanos":196852094},"http":{"id":"6d5e748d-f944-4671-a7b0-ac3e898f96e8","method":"GET","headers":{":authority":"maas.apps.9083e241-89eb-4c15-b9de-19a0126fa28e.prod.konfluxeaas.com",":method":"GET",":path":"/maas-api/v1/models",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-12T17:11:21Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"6d5e748d-f944-4671-a7b0-ac3e898f96e8","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-1YCGRckHKFKPOtwJm_jxloDyOlXmQWCrO8kBoGtdvC1VJlygHghZb6HVk7yMl"} {"level":"debug","ts":"2026-06-12T17:11:21Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"6d5e748d-f944-4671-a7b0-ac3e898f96e8","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-1YCGRckHKFKPOtwJm_jxloDyOlXmQWCrO8kBoGtdvC1VJlygHghZb6HVk7yMl\"}"} {"level":"debug","ts":"2026-06-12T17:11:21Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"6d5e748d-f944-4671-a7b0-ac3e898f96e8","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-12T17:11:21Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"6d5e748d-f944-4671-a7b0-ac3e898f96e8","input":{"auth":{"identity":"Bearer **** deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-12T17:11:21Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"6d5e748d-f944-4671-a7b0-ac3e898f96e8","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T17:11:21Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"6d5e748d-f944-4671-a7b0-ac3e898f96e8","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T17:11:21Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"6d5e748d-f944-4671-a7b0-ac3e898f96e8","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T17:11:21Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"6d5e748d-f944-4671-a7b0-ac3e898f96e8","config":{"Name":"X-MaaS-Tenant","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-12T17:11:21Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"6d5e748d-f944-4671-a7b0-ac3e898f96e8","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-12T17:11:21Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"6d5e748d-f944-4671-a7b0-ac3e898f96e8","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-12T17:11:21Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"6d5e748d-f944-4671-a7b0-ac3e898f96e8","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"groups","Value":{}},{"Name":"userid","Value":{}}]},"Plain":null},"reason":"no such key: subscription-info"} {"level":"debug","ts":"2026-06-12T17:11:21Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"6d5e748d-f944-4671-a7b0-ac3e898f96e8","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"} {"level":"info","ts":"2026-06-12T17:11:21Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"6d5e748d-f944-4671-a7b0-ac3e898f96e8","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-12T17:11:21Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"6d5e748d-f944-4671-a7b0-ac3e898f96e8","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-12T17:11:21Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"c2331771-d1df-4971-83a8-111390334dd7","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.39:60884","PortSpecifier":{"PortValue":60884}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.44:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"c2331771-d1df-4971-83a8-111390334dd7","method":"GET","path":"/llm/facebook-opt-125m-simulated/v1/models","host":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local","scheme":"https"}}}} {"level":"debug","ts":"2026-06-12T17:11:21Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"c2331771-d1df-4971-83a8-111390334dd7","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.39:60884","PortSpecifier":{"PortValue":60884}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.44:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781284281,"nanos":204113394},"http":{"id":"c2331771-d1df-4971-83a8-111390334dd7","method":"GET","headers":{":authority":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local",":method":"GET",":path":"/llm/facebook-opt-125m-simulated/v1/models",":scheme":"https","accept-encoding":"gzip","authorization":"Bearer **** {"level":"debug","ts":"2026-06-12T17:11:21Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"c2331771-d1df-4971-83a8-111390334dd7","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-1YCGRckHKFKPOtwJm_jxloDyOlXmQWCrO8kBoGtdvC1VJlygHghZb6HVk7yMl"} {"level":"debug","ts":"2026-06-12T17:11:21Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"c2331771-d1df-4971-83a8-111390334dd7","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-1YCGRckHKFKPOtwJm_jxloDyOlXmQWCrO8kBoGtdvC1VJlygHghZb6HVk7yMl\"}"} {"level":"debug","ts":"2026-06-12T17:11:21Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"c2331771-d1df-4971-83a8-111390334dd7","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-12T17:11:21Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"c2331771-d1df-4971-83a8-111390334dd7","config":"subscription-info","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","headers":{"Content-Type":["application/json"]},"body":"{\"groups\":[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"],\"requestedModel\":\"llm/facebook-opt-125m-simulated\",\"requestedSubscription\":\"simulator-subscription\",\"username\":\"alice_lead\"}"} {"level":"debug","ts":"2026-06-12T17:11:21Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"c2331771-d1df-4971-83a8-111390334dd7","config":{"Name":"subscription-info","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"UserInfo":null,"UMA":null,"GenericHTTP":{"Endpoint":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","DynamicEndpoint":null,"Method":"POST","Body":{},"Parameters":[],"Headers":[],"ContentType":"application/json","SharedSecret":"","OAuth2":null,"OAuth2TokenForceFetch":false,"AuthCredentials":null}},"object":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}} {"level":"debug","ts":"2026-06-12T17:11:21Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"c2331771-d1df-4971-83a8-111390334dd7","input":{"auth":{"identity":"Bearer **** subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}}},"context":{"context_extensions":{"host":"3dd75e19cd66d310c30638e330078972afd6d2d96305f91055bc6a6f363fb8d3"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.134.0.44:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local",":method":"GET",":path":"/llm/facebook-opt-125m-simulated/v1/models",":scheme":"https","accept-encoding":"gzip","authorization":"Bearer **** sk-oai-1YCGRckHKFKPOtwJm_jxloDyOlXmQWCrO8kBoGtdvC1VJlygHghZb6HVk7yMl","user-agent":"Go-http-client/1.1","x-envoy-decorator-operation":"facebook-opt-125m-simulated-kserve-workload-svc.llm.svc.cluster.local:8000/*","x-envoy-external-address":"10.132.0.39","x-envoy-peer-metadata":"ChoKCkNMVVNURVJfSUQSDBoKS3ViZXJuZXRlcwqLAQoGTEFCRUxTEoABKn4KSwofc2VydmljZS5pc3Rpby5pby9jYW5vbmljYWwtbmFtZRIoGiZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAovCiNzZXJ2aWNlLmlzdGlvLmlvL2Nhbm9uaWNhbC1yZXZpc2lvbhIIGgZsYXRlc3QKQAoETkFNRRI4GjZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdC02ODdmZjY5OTYtOTc5OXgKIAoJTkFNRVNQQUNFEhMaEW9wZW5zaGlmdC1pbmdyZXNzCnQKBU9XTkVSEmsaaWt1YmVybmV0ZXM6Ly9hcGlzL2FwcHMvdjEvbmFtZXNwYWNlcy9vcGVuc2hpZnQtaW5ncmVzcy9kZXBsb3ltZW50cy9tYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAo5Cg1XT1JLTE9BRF9OQU1FEigaJm1hYXMtZGVmYXVsdC1nYXRld2F5LW9wZW5zaGlmdC1kZWZhdWx0","x-envoy-peer-metadata-id":"router~10.134.0.44~maas-default-gateway-openshift-default-687ff6996-9799x.openshift-ingress~openshift-ingress.svc.cluster.local","x-forwarded-for":"10.132.0.39","x-forwarded-proto":"https","x-maas-subscription":"simulator-subscription","x-request-id":"c2331771-d1df-4971-83a8-111390334dd7"},"host":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local","id":"c2331771-d1df-4971-83a8-111390334dd7","method":"GET","path":"/llm/facebook-opt-125m-simulated/v1/models","protocol":"HTTP/1.1","scheme":"https","time":{"nanos":204113394,"seconds":1781284281},"url_path":"/llm/facebook-opt-125m-simulated/v1/models","user_agent":"Go-http-client/1.1"},"source":{"address":"10.132.0.39:60884","port":60884}}} {"level":"debug","ts":"2026-06-12T17:11:21Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"c2331771-d1df-4971-83a8-111390334dd7","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T17:11:21Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"c2331771-d1df-4971-83a8-111390334dd7","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T17:11:21Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"c2331771-d1df-4971-83a8-111390334dd7","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T17:11:21Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"c2331771-d1df-4971-83a8-111390334dd7","config":{"Name":"subscription-valid","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T17:11:21Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"c2331771-d1df-4971-83a8-111390334dd7","config":{"Name":"X-MaaS-Tenant","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-12T17:11:21Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"c2331771-d1df-4971-83a8-111390334dd7","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-12T17:11:21Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"c2331771-d1df-4971-83a8-111390334dd7","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-12T17:11:21Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"c2331771-d1df-4971-83a8-111390334dd7","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"} {"level":"debug","ts":"2026-06-12T17:11:21Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"c2331771-d1df-4971-83a8-111390334dd7","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"selected_subscription","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"userid","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"groups","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"keyId","Value":{}}]},"Plain":null},"object":{"groups":["system:authenticated","Engineering","Project-Alpha"],"groups_str":"system:authenticated,Engineering,Project-Alpha","keyId":"9128f772-1224-4047-adbb-ae4d5b3248c7","selected_subscription":"simulator-subscription","selected_subscription_key":"models-as-a-service/simulator-subscription@llm/facebook-opt-125m-simulated","subscription_error":"","subscription_error_message":"","subscription_info":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true},"userid":"alice_lead"}} {"level":"info","ts":"2026-06-12T17:11:21Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"c2331771-d1df-4971-83a8-111390334dd7","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-12T17:11:21Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"c2331771-d1df-4971-83a8-111390334dd7","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-12T17:11:21Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"a89cf531-a7bb-4c39-af52-d285c3a80163","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.10:35688","PortSpecifier":{"PortValue":35688}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.44:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"a89cf531-a7bb-4c39-af52-d285c3a80163","method":"GET","path":"/maas-api/v1/models","host":"maas.apps.9083e241-89eb-4c15-b9de-19a0126fa28e.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-12T17:11:21Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"a89cf531-a7bb-4c39-af52-d285c3a80163","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.10:35688","PortSpecifier":{"PortValue":35688}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.44:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781284281,"nanos":232888557},"http":{"id":"a89cf531-a7bb-4c39-af52-d285c3a80163","method":"GET","headers":{":authority":"maas.apps.9083e241-89eb-4c15-b9de-19a0126fa28e.prod.konfluxeaas.com",":method":"GET",":path":"/maas-api/v1/models",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-12T17:11:21Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"a89cf531-a7bb-4c39-af52-d285c3a80163","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-1YCGRckHKFKPOtwJm_jxloDyOlXmQWCrO8kBoGtdvC1VJlygHghZb6HVk7yMl"} {"level":"debug","ts":"2026-06-12T17:11:21Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"a89cf531-a7bb-4c39-af52-d285c3a80163","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-1YCGRckHKFKPOtwJm_jxloDyOlXmQWCrO8kBoGtdvC1VJlygHghZb6HVk7yMl\"}"} {"level":"debug","ts":"2026-06-12T17:11:21Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"a89cf531-a7bb-4c39-af52-d285c3a80163","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-12T17:11:21Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"a89cf531-a7bb-4c39-af52-d285c3a80163","input":{"auth":{"identity":"Bearer **** deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-12T17:11:21Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"a89cf531-a7bb-4c39-af52-d285c3a80163","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T17:11:21Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"a89cf531-a7bb-4c39-af52-d285c3a80163","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T17:11:21Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"a89cf531-a7bb-4c39-af52-d285c3a80163","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T17:11:21Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"a89cf531-a7bb-4c39-af52-d285c3a80163","config":{"Name":"X-MaaS-Tenant","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-12T17:11:21Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"a89cf531-a7bb-4c39-af52-d285c3a80163","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-12T17:11:21Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"a89cf531-a7bb-4c39-af52-d285c3a80163","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-12T17:11:21Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"a89cf531-a7bb-4c39-af52-d285c3a80163","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"groups","Value":{}},{"Name":"userid","Value":{}}]},"Plain":null},"reason":"no such key: subscription-info"} {"level":"debug","ts":"2026-06-12T17:11:21Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"a89cf531-a7bb-4c39-af52-d285c3a80163","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"} {"level":"info","ts":"2026-06-12T17:11:21Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"a89cf531-a7bb-4c39-af52-d285c3a80163","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-12T17:11:21Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"a89cf531-a7bb-4c39-af52-d285c3a80163","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-12T17:11:21Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"8664b6ba-89a2-47f6-b001-681ff73a154c","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.39:60884","PortSpecifier":{"PortValue":60884}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.44:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"8664b6ba-89a2-47f6-b001-681ff73a154c","method":"GET","path":"/llm/facebook-opt-125m-simulated/v1/models","host":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local","scheme":"https"}}}} {"level":"debug","ts":"2026-06-12T17:11:21Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"8664b6ba-89a2-47f6-b001-681ff73a154c","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.39:60884","PortSpecifier":{"PortValue":60884}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.44:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781284281,"nanos":240049323},"http":{"id":"8664b6ba-89a2-47f6-b001-681ff73a154c","method":"GET","headers":{":authority":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local",":method":"GET",":path":"/llm/facebook-opt-125m-simulated/v1/models",":scheme":"https","accept-encoding":"gzip","authorization":"Bearer **** {"level":"debug","ts":"2026-06-12T17:11:21Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"8664b6ba-89a2-47f6-b001-681ff73a154c","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-1YCGRckHKFKPOtwJm_jxloDyOlXmQWCrO8kBoGtdvC1VJlygHghZb6HVk7yMl"} {"level":"debug","ts":"2026-06-12T17:11:21Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"8664b6ba-89a2-47f6-b001-681ff73a154c","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-1YCGRckHKFKPOtwJm_jxloDyOlXmQWCrO8kBoGtdvC1VJlygHghZb6HVk7yMl\"}"} {"level":"debug","ts":"2026-06-12T17:11:21Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"8664b6ba-89a2-47f6-b001-681ff73a154c","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-12T17:11:21Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"8664b6ba-89a2-47f6-b001-681ff73a154c","config":"subscription-info","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","headers":{"Content-Type":["application/json"]},"body":"{\"groups\":[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"],\"requestedModel\":\"llm/facebook-opt-125m-simulated\",\"requestedSubscription\":\"simulator-subscription\",\"username\":\"alice_lead\"}"} {"level":"debug","ts":"2026-06-12T17:11:21Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"8664b6ba-89a2-47f6-b001-681ff73a154c","config":{"Name":"subscription-info","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"UserInfo":null,"UMA":null,"GenericHTTP":{"Endpoint":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","DynamicEndpoint":null,"Method":"POST","Body":{},"Parameters":[],"Headers":[],"ContentType":"application/json","SharedSecret":"","OAuth2":null,"OAuth2TokenForceFetch":false,"AuthCredentials":null}},"object":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}} {"level":"debug","ts":"2026-06-12T17:11:21Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"8664b6ba-89a2-47f6-b001-681ff73a154c","input":{"auth":{"identity":"Bearer **** subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}}},"context":{"context_extensions":{"host":"3dd75e19cd66d310c30638e330078972afd6d2d96305f91055bc6a6f363fb8d3"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.134.0.44:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local",":method":"GET",":path":"/llm/facebook-opt-125m-simulated/v1/models",":scheme":"https","accept-encoding":"gzip","authorization":"Bearer **** sk-oai-1YCGRckHKFKPOtwJm_jxloDyOlXmQWCrO8kBoGtdvC1VJlygHghZb6HVk7yMl","user-agent":"Go-http-client/1.1","x-envoy-decorator-operation":"facebook-opt-125m-simulated-kserve-workload-svc.llm.svc.cluster.local:8000/*","x-envoy-external-address":"10.132.0.39","x-envoy-peer-metadata":"ChoKCkNMVVNURVJfSUQSDBoKS3ViZXJuZXRlcwqLAQoGTEFCRUxTEoABKn4KSwofc2VydmljZS5pc3Rpby5pby9jYW5vbmljYWwtbmFtZRIoGiZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAovCiNzZXJ2aWNlLmlzdGlvLmlvL2Nhbm9uaWNhbC1yZXZpc2lvbhIIGgZsYXRlc3QKQAoETkFNRRI4GjZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdC02ODdmZjY5OTYtOTc5OXgKIAoJTkFNRVNQQUNFEhMaEW9wZW5zaGlmdC1pbmdyZXNzCnQKBU9XTkVSEmsaaWt1YmVybmV0ZXM6Ly9hcGlzL2FwcHMvdjEvbmFtZXNwYWNlcy9vcGVuc2hpZnQtaW5ncmVzcy9kZXBsb3ltZW50cy9tYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAo5Cg1XT1JLTE9BRF9OQU1FEigaJm1hYXMtZGVmYXVsdC1nYXRld2F5LW9wZW5zaGlmdC1kZWZhdWx0","x-envoy-peer-metadata-id":"router~10.134.0.44~maas-default-gateway-openshift-default-687ff6996-9799x.openshift-ingress~openshift-ingress.svc.cluster.local","x-forwarded-for":"10.132.0.39","x-forwarded-proto":"https","x-maas-subscription":"simulator-subscription","x-request-id":"8664b6ba-89a2-47f6-b001-681ff73a154c"},"host":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local","id":"8664b6ba-89a2-47f6-b001-681ff73a154c","method":"GET","path":"/llm/facebook-opt-125m-simulated/v1/models","protocol":"HTTP/1.1","scheme":"https","time":{"nanos":240049323,"seconds":1781284281},"url_path":"/llm/facebook-opt-125m-simulated/v1/models","user_agent":"Go-http-client/1.1"},"source":{"address":"10.132.0.39:60884","port":60884}}} {"level":"debug","ts":"2026-06-12T17:11:21Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"8664b6ba-89a2-47f6-b001-681ff73a154c","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T17:11:21Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"8664b6ba-89a2-47f6-b001-681ff73a154c","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T17:11:21Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"8664b6ba-89a2-47f6-b001-681ff73a154c","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T17:11:21Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"8664b6ba-89a2-47f6-b001-681ff73a154c","config":{"Name":"subscription-valid","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T17:11:21Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"8664b6ba-89a2-47f6-b001-681ff73a154c","config":{"Name":"X-MaaS-Tenant","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-12T17:11:21Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"8664b6ba-89a2-47f6-b001-681ff73a154c","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-12T17:11:21Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"8664b6ba-89a2-47f6-b001-681ff73a154c","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-12T17:11:21Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"8664b6ba-89a2-47f6-b001-681ff73a154c","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"} {"level":"debug","ts":"2026-06-12T17:11:21Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"8664b6ba-89a2-47f6-b001-681ff73a154c","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"selected_subscription","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"userid","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"groups","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"keyId","Value":{}}]},"Plain":null},"object":{"groups":["system:authenticated","Engineering","Project-Alpha"],"groups_str":"system:authenticated,Engineering,Project-Alpha","keyId":"9128f772-1224-4047-adbb-ae4d5b3248c7","selected_subscription":"simulator-subscription","selected_subscription_key":"models-as-a-service/simulator-subscription@llm/facebook-opt-125m-simulated","subscription_error":"","subscription_error_message":"","subscription_info":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true},"userid":"alice_lead"}} {"level":"info","ts":"2026-06-12T17:11:21Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"8664b6ba-89a2-47f6-b001-681ff73a154c","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-12T17:11:21Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"8664b6ba-89a2-47f6-b001-681ff73a154c","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-12T17:11:21Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"d08cef37-6fb6-4d63-a122-20381ae295b1","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.10:35696","PortSpecifier":{"PortValue":35696}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.44:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"d08cef37-6fb6-4d63-a122-20381ae295b1","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.9083e241-89eb-4c15-b9de-19a0126fa28e.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-12T17:11:21Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"d08cef37-6fb6-4d63-a122-20381ae295b1","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.10:35696","PortSpecifier":{"PortValue":35696}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.44:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781284281,"nanos":330717103},"http":{"id":"d08cef37-6fb6-4d63-a122-20381ae295b1","method":"POST","headers":{":authority":"maas.apps.9083e241-89eb-4c15-b9de-19a0126fa28e.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-12T17:11:21Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"d08cef37-6fb6-4d63-a122-20381ae295b1","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781284581,"groups":["Engineering","Project-Alpha"],"iat":1781284281,"iss":"https://keycloak.apps.9083e241-89eb-4c15-b9de-19a0126fa28e.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:cb33b04e-5a5d-fe01-4e28-e0fa33c618d3","preferred_username":"alice_lead","scope":"email profile","sid":"Fh6YaJiIka_VMKzGa5Eay_xY","sub":"6377ca4a-40c5-42bf-aa8a-0b9bd3337050","typ":"Bearer"}} {"level":"debug","ts":"2026-06-12T17:11:21Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"d08cef37-6fb6-4d63-a122-20381ae295b1","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781284581,"groups":["Engineering","Project-Alpha"],"iat":1781284281,"iss":"https://keycloak.apps.9083e241-89eb-4c15-b9de-19a0126fa28e.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:cb33b04e-5a5d-fe01-4e28-e0fa33c618d3","preferred_username":"alice_lead","scope":"email profile","sid":"Fh6YaJiIka_VMKzGa5Eay_xY","sub":"6377ca4a-40c5-42bf-aa8a-0b9bd3337050","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.134.0.44:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.9083e241-89eb-4c15-b9de-19a0126fa28e.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-12T17:11:21Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"d08cef37-6fb6-4d63-a122-20381ae295b1","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T17:11:21Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"d08cef37-6fb6-4d63-a122-20381ae295b1","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T17:11:21Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"d08cef37-6fb6-4d63-a122-20381ae295b1","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T17:11:21Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"d08cef37-6fb6-4d63-a122-20381ae295b1","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"groups","Value":{}},{"Name":"userid","Value":{}}]},"Plain":null},"reason":"no such key: metadata"} {"level":"debug","ts":"2026-06-12T17:11:21Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"d08cef37-6fb6-4d63-a122-20381ae295b1","config":{"Name":"X-MaaS-Tenant-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Tenant","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"opendatahub"} {"level":"debug","ts":"2026-06-12T17:11:21Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"d08cef37-6fb6-4d63-a122-20381ae295b1","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"} {"level":"debug","ts":"2026-06-12T17:11:21Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"d08cef37-6fb6-4d63-a122-20381ae295b1","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"} {"level":"info","ts":"2026-06-12T17:11:21Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"d08cef37-6fb6-4d63-a122-20381ae295b1","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-12T17:11:21Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"d08cef37-6fb6-4d63-a122-20381ae295b1","authorized":true,"response":"OK"}