{"level":"info","ts":"2026-06-12T19:50:21Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"7371c34ce8e4df2309ee8f952c87f921947b289427b6e9ea579dcb9970fc1b86","namespace":"kuadrant-system"}}
{"level":"debug","ts":"2026-06-12T19:50:21Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"7371c34ce8e4df2309ee8f952c87f921947b289427b6e9ea579dcb9970fc1b86","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"False","lastTransitionTime":"2026-06-12T19:50:21Z","reason":"HostsNotLinked","message":"No hosts linked to the resource"},{"type":"Ready","status":"False","lastTransitionTime":"2026-06-12T19:50:21Z","reason":"Reconciling"}],"summary":{"ready":false,"hostsReady":[],"numHostsReady":"0/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":6,"festivalWristbandEnabled":false}}}
{"level":"info","ts":"2026-06-12T19:50:21Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/7371c34ce8e4df2309ee8f952c87f921947b289427b6e9ea579dcb9970fc1b86"}
{"level":"debug","ts":"2026-06-12T19:50:21Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/cc09b530b46a73b0d4ddb40e465580cff15db19d77e93e4903c9737647deeb1a","issuerUrl":"https://keycloak.apps.6dd39c67-6c90-474c-aa84-6bfafaca1ded.prod.konfluxeaas.com/realms/tenant-a"}
{"level":"info","ts":"2026-06-12T19:50:21Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"7371c34ce8e4df2309ee8f952c87f921947b289427b6e9ea579dcb9970fc1b86","namespace":"kuadrant-system"}}
{"level":"debug","ts":"2026-06-12T19:50:21Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"7371c34ce8e4df2309ee8f952c87f921947b289427b6e9ea579dcb9970fc1b86","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"True","lastTransitionTime":"2026-06-12T19:50:21Z","reason":"HostsLinked"},{"type":"Ready","status":"True","lastTransitionTime":"2026-06-12T19:50:21Z","reason":"Reconciled"}],"summary":{"ready":true,"hostsReady":["7371c34ce8e4df2309ee8f952c87f921947b289427b6e9ea579dcb9970fc1b86"],"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":6,"festivalWristbandEnabled":false}}}
{"level":"info","ts":"2026-06-12T19:50:22Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/cc09b530b46a73b0d4ddb40e465580cff15db19d77e93e4903c9737647deeb1a"}
{"level":"info","ts":"2026-06-12T19:50:22Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"7371c34ce8e4df2309ee8f952c87f921947b289427b6e9ea579dcb9970fc1b86","namespace":"kuadrant-system"}}
{"level":"debug","ts":"2026-06-12T19:50:22Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"7371c34ce8e4df2309ee8f952c87f921947b289427b6e9ea579dcb9970fc1b86","namespace":"kuadrant-system"}}
{"level":"debug","ts":"2026-06-12T19:50:22Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"7371c34ce8e4df2309ee8f952c87f921947b289427b6e9ea579dcb9970fc1b86","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"False","lastTransitionTime":"2026-06-12T19:50:22Z","reason":"HostsNotLinked","message":"No hosts linked to the resource"},{"type":"Ready","status":"False","lastTransitionTime":"2026-06-12T19:50:22Z","reason":"Reconciling"}],"summary":{"ready":false,"hostsReady":[],"numHostsReady":"0/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":6,"festivalWristbandEnabled":false}}}
{"level":"debug","ts":"2026-06-12T19:50:22Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/7371c34ce8e4df2309ee8f952c87f921947b289427b6e9ea579dcb9970fc1b86","issuerUrl":"https://keycloak.apps.6dd39c67-6c90-474c-aa84-6bfafaca1ded.prod.konfluxeaas.com/realms/tenant-a"}
{"level":"info","ts":"2026-06-12T19:50:22Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"7371c34ce8e4df2309ee8f952c87f921947b289427b6e9ea579dcb9970fc1b86","namespace":"kuadrant-system"}}
{"level":"debug","ts":"2026-06-12T19:50:22Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"d3b195a61a7f24c6bf1fba40f9f2e2565facb6af92e959c1546ac398a9172618","namespace":"kuadrant-system"}}
{"level":"debug","ts":"2026-06-12T19:50:22Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"7371c34ce8e4df2309ee8f952c87f921947b289427b6e9ea579dcb9970fc1b86","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"False","lastTransitionTime":"2026-06-12T19:50:22Z","reason":"HostsNotLinked","message":"No hosts linked to the resource"},{"type":"Ready","status":"False","lastTransitionTime":"2026-06-12T19:50:22Z","reason":"Reconciling"}],"summary":{"ready":false,"hostsReady":[],"numHostsReady":"0/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":6,"festivalWristbandEnabled":false}}}
{"level":"info","ts":"2026-06-12T19:50:22Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/7371c34ce8e4df2309ee8f952c87f921947b289427b6e9ea579dcb9970fc1b86"}
{"level":"error","ts":"2026-06-12T19:50:22Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"failed to update the resource","authconfig":{"name":"7371c34ce8e4df2309ee8f952c87f921947b289427b6e9ea579dcb9970fc1b86","namespace":"kuadrant-system"},"error":"Operation cannot be fulfilled on authconfigs.authorino.kuadrant.io \"7371c34ce8e4df2309ee8f952c87f921947b289427b6e9ea579dcb9970fc1b86\": the object has been modified; please apply your changes to the latest version and try again","stacktrace":"github.com/kuadrant/authorino/controllers.(*AuthConfigStatusUpdater).updateAuthConfigStatus\n\t/usr/src/authorino/controllers/auth_config_status_updater.go:162\ngithub.com/kuadrant/authorino/controllers.(*AuthConfigStatusUpdater).Reconcile\n\t/usr/src/authorino/controllers/auth_config_status_updater.go:81\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Reconcile\n\t/opt/app-root/src/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.16.3/pkg/internal/controller/controller.go:119\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).reconcileHandler\n\t/opt/app-root/src/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.16.3/pkg/internal/controller/controller.go:316\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem\n\t/opt/app-root/src/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.16.3/pkg/internal/controller/controller.go:266\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func2.2\n\t/opt/app-root/src/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.16.3/pkg/internal/controller/controller.go:227"}
{"level":"debug","ts":"2026-06-12T19:50:22Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"7371c34ce8e4df2309ee8f952c87f921947b289427b6e9ea579dcb9970fc1b86","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"True","lastTransitionTime":"2026-06-12T19:50:22Z","reason":"HostsLinked"},{"type":"Ready","status":"True","lastTransitionTime":"2026-06-12T19:50:22Z","reason":"Reconciled"}],"summary":{"ready":true,"hostsReady":["7371c34ce8e4df2309ee8f952c87f921947b289427b6e9ea579dcb9970fc1b86"],"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":6,"festivalWristbandEnabled":false}}}
{"level":"debug","ts":"2026-06-12T19:50:22Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/d3b195a61a7f24c6bf1fba40f9f2e2565facb6af92e959c1546ac398a9172618","issuerUrl":"https://keycloak.apps.6dd39c67-6c90-474c-aa84-6bfafaca1ded.prod.konfluxeaas.com/realms/tenant-a"}
{"level":"info","ts":"2026-06-12T19:50:22Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"7371c34ce8e4df2309ee8f952c87f921947b289427b6e9ea579dcb9970fc1b86","namespace":"kuadrant-system"}}
{"level":"debug","ts":"2026-06-12T19:50:22Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"edcceb5a2e0cf1edde0fc3ed43068ce5b123a6fdc41949959c2c3b7a5a48bf24","namespace":"kuadrant-system"}}
{"level":"debug","ts":"2026-06-12T19:50:22Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"7371c34ce8e4df2309ee8f952c87f921947b289427b6e9ea579dcb9970fc1b86","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"True","lastTransitionTime":"2026-06-12T19:50:22Z","reason":"HostsLinked"},{"type":"Ready","status":"True","lastTransitionTime":"2026-06-12T19:50:22Z","reason":"Reconciled"}],"summary":{"ready":true,"hostsReady":["7371c34ce8e4df2309ee8f952c87f921947b289427b6e9ea579dcb9970fc1b86"],"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":6,"festivalWristbandEnabled":false}}}
{"level":"info","ts":"2026-06-12T19:50:22Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/d3b195a61a7f24c6bf1fba40f9f2e2565facb6af92e959c1546ac398a9172618"}
{"level":"debug","ts":"2026-06-12T19:50:22Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/7371c34ce8e4df2309ee8f952c87f921947b289427b6e9ea579dcb9970fc1b86","issuerUrl":"https://keycloak.apps.6dd39c67-6c90-474c-aa84-6bfafaca1ded.prod.konfluxeaas.com/realms/tenant-a"}
{"level":"error","ts":"2026-06-12T19:50:22Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"failed to update the resource","authconfig":{"name":"7371c34ce8e4df2309ee8f952c87f921947b289427b6e9ea579dcb9970fc1b86","namespace":"kuadrant-system"},"error":"Operation cannot be fulfilled on authconfigs.authorino.kuadrant.io \"7371c34ce8e4df2309ee8f952c87f921947b289427b6e9ea579dcb9970fc1b86\": the object has been modified; please apply your changes to the latest version and try again","stacktrace":"github.com/kuadrant/authorino/controllers.(*AuthConfigStatusUpdater).updateAuthConfigStatus\n\t/usr/src/authorino/controllers/auth_config_status_updater.go:162\ngithub.com/kuadrant/authorino/controllers.(*AuthConfigStatusUpdater).Reconcile\n\t/usr/src/authorino/controllers/auth_config_status_updater.go:81\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Reconcile\n\t/opt/app-root/src/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.16.3/pkg/internal/controller/controller.go:119\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).reconcileHandler\n\t/opt/app-root/src/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.16.3/pkg/internal/controller/controller.go:316\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem\n\t/opt/app-root/src/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.16.3/pkg/internal/controller/controller.go:266\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func2.2\n\t/opt/app-root/src/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.16.3/pkg/internal/controller/controller.go:227"}
{"level":"debug","ts":"2026-06-12T19:50:22Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"7371c34ce8e4df2309ee8f952c87f921947b289427b6e9ea579dcb9970fc1b86","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"False","lastTransitionTime":"2026-06-12T19:50:22Z","reason":"HostsNotLinked","message":"No hosts linked to the resource"},{"type":"Ready","status":"False","lastTransitionTime":"2026-06-12T19:50:22Z","reason":"Reconciling"}],"summary":{"ready":false,"hostsReady":[],"numHostsReady":"0/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":6,"festivalWristbandEnabled":false}}}
{"level":"info","ts":"2026-06-12T19:50:22Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/7371c34ce8e4df2309ee8f952c87f921947b289427b6e9ea579dcb9970fc1b86"}
{"level":"info","ts":"2026-06-12T19:50:22Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"7371c34ce8e4df2309ee8f952c87f921947b289427b6e9ea579dcb9970fc1b86","namespace":"kuadrant-system"}}
{"level":"debug","ts":"2026-06-12T19:50:22Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"7371c34ce8e4df2309ee8f952c87f921947b289427b6e9ea579dcb9970fc1b86","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"True","lastTransitionTime":"2026-06-12T19:50:22Z","reason":"HostsLinked"},{"type":"Ready","status":"True","lastTransitionTime":"2026-06-12T19:50:22Z","reason":"Reconciled"}],"summary":{"ready":true,"hostsReady":["7371c34ce8e4df2309ee8f952c87f921947b289427b6e9ea579dcb9970fc1b86"],"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":6,"festivalWristbandEnabled":false}}}
{"level":"debug","ts":"2026-06-12T19:50:22Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/edcceb5a2e0cf1edde0fc3ed43068ce5b123a6fdc41949959c2c3b7a5a48bf24","issuerUrl":"https://keycloak.apps.6dd39c67-6c90-474c-aa84-6bfafaca1ded.prod.konfluxeaas.com/realms/tenant-a"}
{"level":"info","ts":"2026-06-12T19:50:22Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"7371c34ce8e4df2309ee8f952c87f921947b289427b6e9ea579dcb9970fc1b86","namespace":"kuadrant-system"}}
{"level":"debug","ts":"2026-06-12T19:50:22Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"7371c34ce8e4df2309ee8f952c87f921947b289427b6e9ea579dcb9970fc1b86","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"True","lastTransitionTime":"2026-06-12T19:50:22Z","reason":"HostsLinked"},{"type":"Ready","status":"True","lastTransitionTime":"2026-06-12T19:50:22Z","reason":"Reconciled"}],"summary":{"ready":true,"hostsReady":["7371c34ce8e4df2309ee8f952c87f921947b289427b6e9ea579dcb9970fc1b86"],"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":6,"festivalWristbandEnabled":false}}}
{"level":"info","ts":"2026-06-12T19:50:22Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/edcceb5a2e0cf1edde0fc3ed43068ce5b123a6fdc41949959c2c3b7a5a48bf24"}
{"level":"error","ts":"2026-06-12T19:50:22Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"failed to update the resource","authconfig":{"name":"7371c34ce8e4df2309ee8f952c87f921947b289427b6e9ea579dcb9970fc1b86","namespace":"kuadrant-system"},"error":"Operation cannot be fulfilled on authconfigs.authorino.kuadrant.io \"7371c34ce8e4df2309ee8f952c87f921947b289427b6e9ea579dcb9970fc1b86\": the object has been modified; please apply your changes to the latest version and try again","stacktrace":"github.com/kuadrant/authorino/controllers.(*AuthConfigStatusUpdater).updateAuthConfigStatus\n\t/usr/src/authorino/controllers/auth_config_status_updater.go:162\ngithub.com/kuadrant/authorino/controllers.(*AuthConfigStatusUpdater).Reconcile\n\t/usr/src/authorino/controllers/auth_config_status_updater.go:81\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Reconcile\n\t/opt/app-root/src/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.16.3/pkg/internal/controller/controller.go:119\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).reconcileHandler\n\t/opt/app-root/src/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.16.3/pkg/internal/controller/controller.go:316\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem\n\t/opt/app-root/src/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.16.3/pkg/internal/controller/controller.go:266\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func2.2\n\t/opt/app-root/src/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.16.3/pkg/internal/controller/controller.go:227"}
{"level":"debug","ts":"2026-06-12T19:50:22Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"7371c34ce8e4df2309ee8f952c87f921947b289427b6e9ea579dcb9970fc1b86","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"False","lastTransitionTime":"2026-06-12T19:50:22Z","reason":"HostsNotLinked","message":"No hosts linked to the resource"},{"type":"Ready","status":"False","lastTransitionTime":"2026-06-12T19:50:22Z","reason":"Reconciling"}],"summary":{"ready":false,"hostsReady":[],"numHostsReady":"0/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":6,"festivalWristbandEnabled":false}}}
{"level":"debug","ts":"2026-06-12T19:50:22Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/7371c34ce8e4df2309ee8f952c87f921947b289427b6e9ea579dcb9970fc1b86","issuerUrl":"https://keycloak.apps.6dd39c67-6c90-474c-aa84-6bfafaca1ded.prod.konfluxeaas.com/realms/tenant-a"}
{"level":"info","ts":"2026-06-12T19:50:22Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/7371c34ce8e4df2309ee8f952c87f921947b289427b6e9ea579dcb9970fc1b86"}
{"level":"info","ts":"2026-06-12T19:50:22Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"7371c34ce8e4df2309ee8f952c87f921947b289427b6e9ea579dcb9970fc1b86","namespace":"kuadrant-system"}}
{"level":"debug","ts":"2026-06-12T19:50:22Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"7371c34ce8e4df2309ee8f952c87f921947b289427b6e9ea579dcb9970fc1b86","namespace":"kuadrant-system"}}
{"level":"debug","ts":"2026-06-12T19:50:22Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"7371c34ce8e4df2309ee8f952c87f921947b289427b6e9ea579dcb9970fc1b86","namespace":"kuadrant-system"}}
{"level":"debug","ts":"2026-06-12T19:50:22Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/7371c34ce8e4df2309ee8f952c87f921947b289427b6e9ea579dcb9970fc1b86","issuerUrl":"https://keycloak.apps.6dd39c67-6c90-474c-aa84-6bfafaca1ded.prod.konfluxeaas.com/realms/tenant-a"}
{"level":"debug","ts":"2026-06-12T19:50:22Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"7371c34ce8e4df2309ee8f952c87f921947b289427b6e9ea579dcb9970fc1b86","namespace":"kuadrant-system"}}
{"level":"debug","ts":"2026-06-12T19:50:22Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"e50f5fdcb9fb7e124557afe69edae9a95d05da488eae1cc4b5c1c7c1220a826a","namespace":"kuadrant-system"}}
{"level":"debug","ts":"2026-06-12T19:50:22Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"7371c34ce8e4df2309ee8f952c87f921947b289427b6e9ea579dcb9970fc1b86","namespace":"kuadrant-system"}}
{"level":"info","ts":"2026-06-12T19:50:22Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/7371c34ce8e4df2309ee8f952c87f921947b289427b6e9ea579dcb9970fc1b86"}
{"level":"debug","ts":"2026-06-12T19:50:22Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/e50f5fdcb9fb7e124557afe69edae9a95d05da488eae1cc4b5c1c7c1220a826a","issuerUrl":"https://keycloak.apps.6dd39c67-6c90-474c-aa84-6bfafaca1ded.prod.konfluxeaas.com/realms/tenant-a"}
{"level":"debug","ts":"2026-06-12T19:50:22Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"5fea747cb803a5ee3aeb620187bd9ec74ccccd10a92474ef528215a7ff146c8f","namespace":"kuadrant-system"}}
{"level":"debug","ts":"2026-06-12T19:50:22Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"7371c34ce8e4df2309ee8f952c87f921947b289427b6e9ea579dcb9970fc1b86","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"True","lastTransitionTime":"2026-06-12T19:50:22Z","reason":"HostsLinked"},{"type":"Ready","status":"True","lastTransitionTime":"2026-06-12T19:50:22Z","reason":"Reconciled"}],"summary":{"ready":true,"hostsReady":["7371c34ce8e4df2309ee8f952c87f921947b289427b6e9ea579dcb9970fc1b86"],"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":6,"festivalWristbandEnabled":false}}}
{"level":"info","ts":"2026-06-12T19:50:22Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/e50f5fdcb9fb7e124557afe69edae9a95d05da488eae1cc4b5c1c7c1220a826a"}
{"level":"debug","ts":"2026-06-12T19:50:22Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/5fea747cb803a5ee3aeb620187bd9ec74ccccd10a92474ef528215a7ff146c8f","issuerUrl":"https://keycloak.apps.6dd39c67-6c90-474c-aa84-6bfafaca1ded.prod.konfluxeaas.com/realms/tenant-a"}
{"level":"info","ts":"2026-06-12T19:50:22Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"7371c34ce8e4df2309ee8f952c87f921947b289427b6e9ea579dcb9970fc1b86","namespace":"kuadrant-system"}}
{"level":"debug","ts":"2026-06-12T19:50:22Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"80f10756c0e833d16937036ed66f1daf5bef95559ef05a5e852766b97b9bdaef","namespace":"kuadrant-system"}}
{"level":"debug","ts":"2026-06-12T19:50:22Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"7371c34ce8e4df2309ee8f952c87f921947b289427b6e9ea579dcb9970fc1b86","namespace":"kuadrant-system"}}
{"level":"debug","ts":"2026-06-12T19:50:22Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"86cbb62fb4d82d4dc402b3281444539a5625c4bb4c86bbc4912c70e690a2e374","namespace":"kuadrant-system"}}
{"level":"info","ts":"2026-06-12T19:50:22Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/5fea747cb803a5ee3aeb620187bd9ec74ccccd10a92474ef528215a7ff146c8f"}
{"level":"debug","ts":"2026-06-12T19:50:22Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/80f10756c0e833d16937036ed66f1daf5bef95559ef05a5e852766b97b9bdaef","issuerUrl":"https://keycloak.apps.6dd39c67-6c90-474c-aa84-6bfafaca1ded.prod.konfluxeaas.com/realms/tenant-a"}
{"level":"debug","ts":"2026-06-12T19:50:22Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"df733b2c652bfe2458c9e19932b1091e939c1a62178d6879462b3b4f73fca4bb","namespace":"kuadrant-system"}}
{"level":"info","ts":"2026-06-12T19:50:22Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/80f10756c0e833d16937036ed66f1daf5bef95559ef05a5e852766b97b9bdaef"}
{"level":"debug","ts":"2026-06-12T19:50:22Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/7371c34ce8e4df2309ee8f952c87f921947b289427b6e9ea579dcb9970fc1b86","issuerUrl":"https://keycloak.apps.6dd39c67-6c90-474c-aa84-6bfafaca1ded.prod.konfluxeaas.com/realms/tenant-a"}
{"level":"debug","ts":"2026-06-12T19:50:22Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"b1f82c4ba6cc7617f9c0b90067f72f4a25fdc5de2564c14ccb90af534a2905f6","namespace":"kuadrant-system"}}
{"level":"info","ts":"2026-06-12T19:50:22Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/7371c34ce8e4df2309ee8f952c87f921947b289427b6e9ea579dcb9970fc1b86"}
{"level":"debug","ts":"2026-06-12T19:50:22Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/86cbb62fb4d82d4dc402b3281444539a5625c4bb4c86bbc4912c70e690a2e374","issuerUrl":"https://keycloak.apps.6dd39c67-6c90-474c-aa84-6bfafaca1ded.prod.konfluxeaas.com/realms/tenant-a"}
{"level":"debug","ts":"2026-06-12T19:50:22Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"319a353672fc7601c875fa3f8b807adf60b64f093f022b2a1c3dfef3ac8cd4f4","namespace":"kuadrant-system"}}
{"level":"info","ts":"2026-06-12T19:50:22Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/86cbb62fb4d82d4dc402b3281444539a5625c4bb4c86bbc4912c70e690a2e374"}
{"level":"debug","ts":"2026-06-12T19:50:22Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/df733b2c652bfe2458c9e19932b1091e939c1a62178d6879462b3b4f73fca4bb","issuerUrl":"https://keycloak.apps.6dd39c67-6c90-474c-aa84-6bfafaca1ded.prod.konfluxeaas.com/realms/tenant-a"}
{"level":"debug","ts":"2026-06-12T19:50:22Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"e38d76c6f386f12bc12190c87b39e6e77e182be454f85659a9197c301f2cd9be","namespace":"kuadrant-system"}}
{"level":"info","ts":"2026-06-12T19:50:22Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/df733b2c652bfe2458c9e19932b1091e939c1a62178d6879462b3b4f73fca4bb"}
{"level":"debug","ts":"2026-06-12T19:50:22Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/b1f82c4ba6cc7617f9c0b90067f72f4a25fdc5de2564c14ccb90af534a2905f6","issuerUrl":"https://keycloak.apps.6dd39c67-6c90-474c-aa84-6bfafaca1ded.prod.konfluxeaas.com/realms/tenant-a"}
{"level":"debug","ts":"2026-06-12T19:50:22Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"9bbfc0b2e9e9acadd41342cd7c36a24afa8a5eef942d161782a6adae8411158a","namespace":"kuadrant-system"}}
{"level":"info","ts":"2026-06-12T19:50:22Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/b1f82c4ba6cc7617f9c0b90067f72f4a25fdc5de2564c14ccb90af534a2905f6"}
{"level":"debug","ts":"2026-06-12T19:50:22Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/319a353672fc7601c875fa3f8b807adf60b64f093f022b2a1c3dfef3ac8cd4f4","issuerUrl":"https://keycloak.apps.6dd39c67-6c90-474c-aa84-6bfafaca1ded.prod.konfluxeaas.com/realms/tenant-a"}
{"level":"info","ts":"2026-06-12T19:50:22Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/319a353672fc7601c875fa3f8b807adf60b64f093f022b2a1c3dfef3ac8cd4f4"}
{"level":"debug","ts":"2026-06-12T19:50:22Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/e38d76c6f386f12bc12190c87b39e6e77e182be454f85659a9197c301f2cd9be","issuerUrl":"https://keycloak.apps.6dd39c67-6c90-474c-aa84-6bfafaca1ded.prod.konfluxeaas.com/realms/tenant-a"}
{"level":"debug","ts":"2026-06-12T19:50:22Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"bf72a6316f6ed79299511e58d068836cdc71dbca5e23944f783c9340ffa0aee1","namespace":"kuadrant-system"}}
{"level":"info","ts":"2026-06-12T19:50:22Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/e38d76c6f386f12bc12190c87b39e6e77e182be454f85659a9197c301f2cd9be"}
{"level":"debug","ts":"2026-06-12T19:50:22Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/9bbfc0b2e9e9acadd41342cd7c36a24afa8a5eef942d161782a6adae8411158a","issuerUrl":"https://keycloak.apps.6dd39c67-6c90-474c-aa84-6bfafaca1ded.prod.konfluxeaas.com/realms/tenant-a"}
{"level":"debug","ts":"2026-06-12T19:50:22Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"311b1be286674fd5684c9ac59b318287dade9769cfe4aeebd8c88e2dc6b72418","namespace":"kuadrant-system"}}
{"level":"info","ts":"2026-06-12T19:50:22Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/9bbfc0b2e9e9acadd41342cd7c36a24afa8a5eef942d161782a6adae8411158a"}
{"level":"debug","ts":"2026-06-12T19:50:22Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"3c0d47082320c9bb02d3788ab2b052c696af91abc2ae438437ae71a26936c7c2","namespace":"kuadrant-system"}}
{"level":"debug","ts":"2026-06-12T19:50:22Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/bf72a6316f6ed79299511e58d068836cdc71dbca5e23944f783c9340ffa0aee1","issuerUrl":"https://keycloak.apps.6dd39c67-6c90-474c-aa84-6bfafaca1ded.prod.konfluxeaas.com/realms/tenant-a"}
{"level":"debug","ts":"2026-06-12T19:50:22Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"331dc257e65f55f80700a586f7807093eda7b3d8e7d91215dc3c47731508480c","namespace":"kuadrant-system"}}
{"level":"info","ts":"2026-06-12T19:50:22Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/bf72a6316f6ed79299511e58d068836cdc71dbca5e23944f783c9340ffa0aee1"}
{"level":"debug","ts":"2026-06-12T19:50:22Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/311b1be286674fd5684c9ac59b318287dade9769cfe4aeebd8c88e2dc6b72418","issuerUrl":"https://keycloak.apps.6dd39c67-6c90-474c-aa84-6bfafaca1ded.prod.konfluxeaas.com/realms/tenant-a"}
{"level":"info","ts":"2026-06-12T19:50:22Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/311b1be286674fd5684c9ac59b318287dade9769cfe4aeebd8c88e2dc6b72418"}
{"level":"debug","ts":"2026-06-12T19:50:22Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/3c0d47082320c9bb02d3788ab2b052c696af91abc2ae438437ae71a26936c7c2","issuerUrl":"https://keycloak.apps.6dd39c67-6c90-474c-aa84-6bfafaca1ded.prod.konfluxeaas.com/realms/tenant-a"}
{"level":"info","ts":"2026-06-12T19:50:22Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/3c0d47082320c9bb02d3788ab2b052c696af91abc2ae438437ae71a26936c7c2"}
{"level":"debug","ts":"2026-06-12T19:50:22Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"3dc75fc8307b952a3e873400cf417e90f2861e8a225abec4b22708deb7901db7","namespace":"kuadrant-system"}}
{"level":"debug","ts":"2026-06-12T19:50:22Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/331dc257e65f55f80700a586f7807093eda7b3d8e7d91215dc3c47731508480c","issuerUrl":"https://keycloak.apps.6dd39c67-6c90-474c-aa84-6bfafaca1ded.prod.konfluxeaas.com/realms/tenant-a"}
{"level":"debug","ts":"2026-06-12T19:50:22Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"a89b0896df0d8cd430f1c81b6eb292ddc044daed393537d009a6330718f58d4b","namespace":"kuadrant-system"}}
{"level":"info","ts":"2026-06-12T19:50:22Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/331dc257e65f55f80700a586f7807093eda7b3d8e7d91215dc3c47731508480c"}
{"level":"debug","ts":"2026-06-12T19:50:22Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/3dc75fc8307b952a3e873400cf417e90f2861e8a225abec4b22708deb7901db7","issuerUrl":"https://keycloak.apps.6dd39c67-6c90-474c-aa84-6bfafaca1ded.prod.konfluxeaas.com/realms/tenant-a"}
{"level":"debug","ts":"2026-06-12T19:50:22Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"c9f2cdb36f800bc8ef8831e6117ec4c6cc521d8cd63b718b7906225d0f25e59f","namespace":"kuadrant-system"}}
{"level":"info","ts":"2026-06-12T19:50:22Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/3dc75fc8307b952a3e873400cf417e90f2861e8a225abec4b22708deb7901db7"}
{"level":"debug","ts":"2026-06-12T19:50:22Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/a89b0896df0d8cd430f1c81b6eb292ddc044daed393537d009a6330718f58d4b","issuerUrl":"https://keycloak.apps.6dd39c67-6c90-474c-aa84-6bfafaca1ded.prod.konfluxeaas.com/realms/tenant-a"}
{"level":"debug","ts":"2026-06-12T19:50:22Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5","namespace":"kuadrant-system"}}
{"level":"info","ts":"2026-06-12T19:50:22Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/a89b0896df0d8cd430f1c81b6eb292ddc044daed393537d009a6330718f58d4b"}
{"level":"debug","ts":"2026-06-12T19:50:22Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/c9f2cdb36f800bc8ef8831e6117ec4c6cc521d8cd63b718b7906225d0f25e59f","issuerUrl":"https://keycloak.apps.6dd39c67-6c90-474c-aa84-6bfafaca1ded.prod.konfluxeaas.com/realms/tenant-a"}
{"level":"info","ts":"2026-06-12T19:50:22Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/c9f2cdb36f800bc8ef8831e6117ec4c6cc521d8cd63b718b7906225d0f25e59f"}
{"level":"debug","ts":"2026-06-12T19:50:22Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5","issuerUrl":"https://keycloak.apps.6dd39c67-6c90-474c-aa84-6bfafaca1ded.prod.konfluxeaas.com/realms/tenant-a"}
{"level":"info","ts":"2026-06-12T19:50:22Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5"}
{"level":"info","ts":"2026-06-12T19:50:22Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource de-indexed","authconfig":"kuadrant-system/3efb8e937aa19b5e0bdd0c3eb5b4ece33299385dcfc89205b8934853facbdcf0"}
{"level":"info","ts":"2026-06-12T19:50:22Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource de-indexed","authconfig":"kuadrant-system/2200947db0f3acc41dd3fca21efa06f90c57afddd36d719bdda2dc74a0bd0a11"}
{"level":"info","ts":"2026-06-12T19:50:48Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"52cf615d-2d19-429c-b9b0-a4b04b7769bf","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.12:57250","PortSpecifier":{"PortValue":57250}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.34:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"52cf615d-2d19-429c-b9b0-a4b04b7769bf","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.6dd39c67-6c90-474c-aa84-6bfafaca1ded.prod.konfluxeaas.com","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-12T19:50:48Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"52cf615d-2d19-429c-b9b0-a4b04b7769bf","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.12:57250","PortSpecifier":{"PortValue":57250}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.34:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781293848,"nanos":765837580},"http":{"id":"52cf615d-2d19-429c-b9b0-a4b04b7769bf","method":"POST","headers":{":authority":"maas.apps.6dd39c67-6c90-474c-aa84-6bfafaca1ded.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-12T19:50:48Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"52cf615d-2d19-429c-b9b0-a4b04b7769bf","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781294148,"groups":["Engineering","Project-Alpha"],"iat":1781293848,"iss":"https://keycloak.apps.6dd39c67-6c90-474c-aa84-6bfafaca1ded.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:6ccc2484-b185-eff3-f773-3fdc02e756ed","preferred_username":"alice_lead","scope":"profile email","sid":"Lta2jDMfzl5cSEEU_KKzE1GV","sub":"4b198563-02d0-4ba8-bb55-d09154fc8a7d","typ":"Bearer"}}
{"level":"debug","ts":"2026-06-12T19:50:48Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"52cf615d-2d19-429c-b9b0-a4b04b7769bf","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781294148,"groups":["Engineering","Project-Alpha"],"iat":1781293848,"iss":"https://keycloak.apps.6dd39c67-6c90-474c-aa84-6bfafaca1ded.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:6ccc2484-b185-eff3-f773-3fdc02e756ed","preferred_username":"alice_lead","scope":"profile email","sid":"Lta2jDMfzl5cSEEU_KKzE1GV","sub":"4b198563-02d0-4ba8-bb55-d09154fc8a7d","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.133.0.34:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.6dd39c67-6c90-474c-aa84-6bfafaca1ded.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-12T19:50:48Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"52cf615d-2d19-429c-b9b0-a4b04b7769bf","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-12T19:50:48Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"52cf615d-2d19-429c-b9b0-a4b04b7769bf","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-12T19:50:48Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"52cf615d-2d19-429c-b9b0-a4b04b7769bf","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-12T19:50:48Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"52cf615d-2d19-429c-b9b0-a4b04b7769bf","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"groups","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"keyId","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"userid","Value":{}}]},"Plain":null},"reason":"no such key: metadata"}
{"level":"debug","ts":"2026-06-12T19:50:48Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"52cf615d-2d19-429c-b9b0-a4b04b7769bf","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"}
{"level":"debug","ts":"2026-06-12T19:50:48Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"52cf615d-2d19-429c-b9b0-a4b04b7769bf","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"}
{"level":"info","ts":"2026-06-12T19:50:48Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"52cf615d-2d19-429c-b9b0-a4b04b7769bf","authorized":true,"response":"OK"}
{"level":"debug","ts":"2026-06-12T19:50:48Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"52cf615d-2d19-429c-b9b0-a4b04b7769bf","authorized":true,"response":"OK"}
{"level":"info","ts":"2026-06-12T19:50:48Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"5f0f2a89-47e8-446b-a3ba-a8aed79e4a93","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.12:57260","PortSpecifier":{"PortValue":57260}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.34:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"5f0f2a89-47e8-446b-a3ba-a8aed79e4a93","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.6dd39c67-6c90-474c-aa84-6bfafaca1ded.prod.konfluxeaas.com","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-12T19:50:48Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"5f0f2a89-47e8-446b-a3ba-a8aed79e4a93","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.12:57260","PortSpecifier":{"PortValue":57260}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.34:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781293848,"nanos":903697256},"http":{"id":"5f0f2a89-47e8-446b-a3ba-a8aed79e4a93","method":"POST","headers":{":authority":"maas.apps.6dd39c67-6c90-474c-aa84-6bfafaca1ded.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-12T19:50:48Z","logger":"authorino.service.auth.authpipeline.identity","msg":"cannot validate identity","request id":"5f0f2a89-47e8-446b-a3ba-a8aed79e4a93","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"reason":"failed to verify signature: failed to verify id token signature"}
{"level":"debug","ts":"2026-06-12T19:50:48Z","logger":"authorino.service.auth.authpipeline.identity.kubernetesauth","msg":"calling kubernetes token review api","request id":"5f0f2a89-47e8-446b-a3ba-a8aed79e4a93","tokenreview":{"name":""}}
{"level":"debug","ts":"2026-06-12T19:50:48Z","logger":"authorino.service.auth.authpipeline.identity","msg":"cannot validate identity","request id":"5f0f2a89-47e8-446b-a3ba-a8aed79e4a93","config":{"Name":"openshift-identities","Priority":2,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":null,"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"Plain":null,"Noop":null,"ExtendedProperties":[]},"reason":"not authenticated"}
{"level":"info","ts":"2026-06-12T19:50:48Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"5f0f2a89-47e8-446b-a3ba-a8aed79e4a93","authorized":false,"response":"UNAUTHENTICATED","object":{"code":16,"status":401,"message":"Authentication required"}}
{"level":"debug","ts":"2026-06-12T19:50:48Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"5f0f2a89-47e8-446b-a3ba-a8aed79e4a93","authorized":false,"response":"UNAUTHENTICATED","object":{"code":16,"status":401,"message":"Authentication required","headers":[{"WWW-Authenticate":"request.headers.authorization realm=\"api-keys\""},{"WWW-Authenticate":"Bearer **** realm=\"openshift-identities\""}]}}
{"level":"info","ts":"2026-06-12T19:50:48Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"e517e56c-180d-45ab-9605-25461c26df87","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.12:57272","PortSpecifier":{"PortValue":57272}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.34:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"e517e56c-180d-45ab-9605-25461c26df87","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.6dd39c67-6c90-474c-aa84-6bfafaca1ded.prod.konfluxeaas.com","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-12T19:50:48Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"e517e56c-180d-45ab-9605-25461c26df87","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.12:57272","PortSpecifier":{"PortValue":57272}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.34:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781293848,"nanos":945158159},"http":{"id":"e517e56c-180d-45ab-9605-25461c26df87","method":"POST","headers":{":authority":"maas.apps.6dd39c67-6c90-474c-aa84-6bfafaca1ded.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer","content-length":"35","content-type":"application/json","forwarded":"for=44.212.242.249;host=maas.apps.6dd39c67-6c90-474c-aa84-6bfafaca1ded.prod.konfluxeaas.com;proto=https","user-agent":"python-requests/2.32.5","x-envoy-decorator-operation":"maas-api.opendatahub.svc.cluster.local:8443/*","x-envoy-external-address":"10.132.0.12","x-envoy-peer-metadata":"ChoKCkNMVVNURVJfSUQSDBoKS3ViZXJuZXRlcwqLAQoGTEFCRUxTEoABKn4KSwofc2VydmljZS5pc3Rpby5pby9jYW5vbmljYWwtbmFtZRIoGiZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAovCiNzZXJ2aWNlLmlzdGlvLmlvL2Nhbm9uaWNhbC1yZXZpc2lvbhIIGgZsYXRlc3QKQAoETkFNRRI4GjZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdC02ODdmZjY5OTYtNmR4eDkKIAoJTkFNRVNQQUNFEhMaEW9wZW5zaGlmdC1pbmdyZXNzCnQKBU9XTkVSEmsaaWt1YmVybmV0ZXM6Ly9hcGlzL2FwcHMvdjEvbmFtZXNwYWNlcy9vcGVuc2hpZnQtaW5ncmVzcy9kZXBsb3ltZW50cy9tYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAo5Cg1XT1JLTE9BRF9OQU1FEigaJm1hYXMtZGVmYXVsdC1nYXRld2F5LW9wZW5zaGlmdC1kZWZhdWx0","x-envoy-peer-metadata-id":"router~10.133.0.34~maas-default-gateway-openshift-default-687ff6996-6dxx9.openshift-ingress~openshift-ingress.svc.cluster.local","x-forwarded-for":"44.212.242.249,10.132.0.12","x-forwarded-host":"maas.apps.6dd39c67-6c90-474c-aa84-6bfafaca1ded.prod.konfluxeaas.com","x-forwarded-port":"443","x-forwarded-proto":"https","x-request-id":"e517e56c-180d-45ab-9605-25461c26df87"},"path":"/maas-api/v1/api-keys","host":"maas.apps.6dd39c67-6c90-474c-aa84-6bfafaca1ded.prod.konfluxeaas.com","scheme":"https","protocol":"HTTP/1.1"}},"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"metadata_context":{}}}
{"level":"debug","ts":"2026-06-12T19:50:48Z","logger":"authorino.service.auth.authpipeline.identity","msg":"cannot validate identity","request id":"e517e56c-180d-45ab-9605-25461c26df87","config":{"Name":"openshift-identities","Priority":2,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":null,"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"Plain":null,"Noop":null,"ExtendedProperties":[]},"reason":"credential not found"}
{"level":"info","ts":"2026-06-12T19:50:48Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"e517e56c-180d-45ab-9605-25461c26df87","authorized":false,"response":"UNAUTHENTICATED","object":{"code":16,"status":401,"message":"Authentication required"}}
{"level":"debug","ts":"2026-06-12T19:50:48Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"e517e56c-180d-45ab-9605-25461c26df87","authorized":false,"response":"UNAUTHENTICATED","object":{"code":16,"status":401,"message":"Authentication required","headers":[{"WWW-Authenticate":"request.headers.authorization realm=\"api-keys\""},{"WWW-Authenticate":"Bearer **** realm=\"openshift-identities\""}]}}
{"level":"info","ts":"2026-06-12T19:50:48Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"32edeecc-3062-4d32-8b41-ebf373d41f7d","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.12:57276","PortSpecifier":{"PortValue":57276}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.34:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"32edeecc-3062-4d32-8b41-ebf373d41f7d","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.6dd39c67-6c90-474c-aa84-6bfafaca1ded.prod.konfluxeaas.com","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-12T19:50:48Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"32edeecc-3062-4d32-8b41-ebf373d41f7d","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.12:57276","PortSpecifier":{"PortValue":57276}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.34:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781293848,"nanos":969481729},"http":{"id":"32edeecc-3062-4d32-8b41-ebf373d41f7d","method":"POST","headers":{":authority":"maas.apps.6dd39c67-6c90-474c-aa84-6bfafaca1ded.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","content-length":"36","content-type":"application/json","forwarded":"for=44.212.242.249;host=maas.apps.6dd39c67-6c90-474c-aa84-6bfafaca1ded.prod.konfluxeaas.com;proto=https","user-agent":"python-requests/2.32.5","x-envoy-decorator-operation":"maas-api.opendatahub.svc.cluster.local:8443/*","x-envoy-external-address":"10.132.0.12","x-envoy-peer-metadata":"ChoKCkNMVVNURVJfSUQSDBoKS3ViZXJuZXRlcwqLAQoGTEFCRUxTEoABKn4KSwofc2VydmljZS5pc3Rpby5pby9jYW5vbmljYWwtbmFtZRIoGiZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAovCiNzZXJ2aWNlLmlzdGlvLmlvL2Nhbm9uaWNhbC1yZXZpc2lvbhIIGgZsYXRlc3QKQAoETkFNRRI4GjZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdC02ODdmZjY5OTYtNmR4eDkKIAoJTkFNRVNQQUNFEhMaEW9wZW5zaGlmdC1pbmdyZXNzCnQKBU9XTkVSEmsaaWt1YmVybmV0ZXM6Ly9hcGlzL2FwcHMvdjEvbmFtZXNwYWNlcy9vcGVuc2hpZnQtaW5ncmVzcy9kZXBsb3ltZW50cy9tYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAo5Cg1XT1JLTE9BRF9OQU1FEigaJm1hYXMtZGVmYXVsdC1nYXRld2F5LW9wZW5zaGlmdC1kZWZhdWx0","x-envoy-peer-metadata-id":"router~10.133.0.34~maas-default-gateway-openshift-default-687ff6996-6dxx9.openshift-ingress~openshift-ingress.svc.cluster.local","x-forwarded-for":"44.212.242.249,10.132.0.12","x-forwarded-host":"maas.apps.6dd39c67-6c90-474c-aa84-6bfafaca1ded.prod.konfluxeaas.com","x-forwarded-port":"443","x-forwarded-proto":"https","x-request-id":"32edeecc-3062-4d32-8b41-ebf373d41f7d"},"path":"/maas-api/v1/api-keys","host":"maas.apps.6dd39c67-6c90-474c-aa84-6bfafaca1ded.prod.konfluxeaas.com","scheme":"https","protocol":"HTTP/1.1"}},"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"metadata_context":{}}}
{"level":"info","ts":"2026-06-12T19:50:48Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"32edeecc-3062-4d32-8b41-ebf373d41f7d","authorized":false,"response":"UNAUTHENTICATED","object":{"code":16,"status":401,"message":"Authentication required"}}
{"level":"debug","ts":"2026-06-12T19:50:48Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"32edeecc-3062-4d32-8b41-ebf373d41f7d","authorized":false,"response":"UNAUTHENTICATED","object":{"code":16,"status":401,"message":"Authentication required","headers":[{"WWW-Authenticate":"request.headers.authorization realm=\"api-keys\""},{"WWW-Authenticate":"Bearer **** realm=\"openshift-identities\""}]}}
{"level":"info","ts":"2026-06-12T19:50:49Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"000c99d3-7163-4f9b-8d74-1c3a131a6fbd","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.12:57290","PortSpecifier":{"PortValue":57290}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.34:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"000c99d3-7163-4f9b-8d74-1c3a131a6fbd","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.6dd39c67-6c90-474c-aa84-6bfafaca1ded.prod.konfluxeaas.com","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-12T19:50:49Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"000c99d3-7163-4f9b-8d74-1c3a131a6fbd","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.12:57290","PortSpecifier":{"PortValue":57290}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.34:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781293849,"nanos":324491128},"http":{"id":"000c99d3-7163-4f9b-8d74-1c3a131a6fbd","method":"POST","headers":{":authority":"maas.apps.6dd39c67-6c90-474c-aa84-6bfafaca1ded.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-12T19:50:49Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"000c99d3-7163-4f9b-8d74-1c3a131a6fbd","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781294149,"groups":["Site-Reliability"],"iat":1781293849,"iss":"https://keycloak.apps.6dd39c67-6c90-474c-aa84-6bfafaca1ded.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:507143dd-4860-bc67-eebd-37355b96bd39","preferred_username":"bob_sre","scope":"profile email","sid":"SoSHAABwHwG-ICigtKCmZYXD","sub":"4706d0ff-d9ff-4566-93f3-0ed3e6ca8a3d","typ":"Bearer"}}
{"level":"debug","ts":"2026-06-12T19:50:49Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"000c99d3-7163-4f9b-8d74-1c3a131a6fbd","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781294149,"groups":["Site-Reliability"],"iat":1781293849,"iss":"https://keycloak.apps.6dd39c67-6c90-474c-aa84-6bfafaca1ded.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:507143dd-4860-bc67-eebd-37355b96bd39","preferred_username":"bob_sre","scope":"profile email","sid":"SoSHAABwHwG-ICigtKCmZYXD","sub":"4706d0ff-d9ff-4566-93f3-0ed3e6ca8a3d","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.133.0.34:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.6dd39c67-6c90-474c-aa84-6bfafaca1ded.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-12T19:50:49Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"000c99d3-7163-4f9b-8d74-1c3a131a6fbd","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-12T19:50:49Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"000c99d3-7163-4f9b-8d74-1c3a131a6fbd","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-12T19:50:49Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"000c99d3-7163-4f9b-8d74-1c3a131a6fbd","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-12T19:50:49Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"000c99d3-7163-4f9b-8d74-1c3a131a6fbd","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"groups","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"keyId","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"userid","Value":{}}]},"Plain":null},"reason":"no such key: metadata"}
{"level":"debug","ts":"2026-06-12T19:50:49Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"000c99d3-7163-4f9b-8d74-1c3a131a6fbd","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Site-Reliability\"]"}
{"level":"debug","ts":"2026-06-12T19:50:49Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"000c99d3-7163-4f9b-8d74-1c3a131a6fbd","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"bob_sre"}
{"level":"info","ts":"2026-06-12T19:50:49Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"000c99d3-7163-4f9b-8d74-1c3a131a6fbd","authorized":true,"response":"OK"}
{"level":"debug","ts":"2026-06-12T19:50:49Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"000c99d3-7163-4f9b-8d74-1c3a131a6fbd","authorized":true,"response":"OK"}
{"level":"info","ts":"2026-06-12T19:50:49Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"82aa4350-6917-4bc7-9f3b-56519695287c","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.12:57298","PortSpecifier":{"PortValue":57298}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.34:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"82aa4350-6917-4bc7-9f3b-56519695287c","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.6dd39c67-6c90-474c-aa84-6bfafaca1ded.prod.konfluxeaas.com","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-12T19:50:49Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"82aa4350-6917-4bc7-9f3b-56519695287c","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.12:57298","PortSpecifier":{"PortValue":57298}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.34:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781293849,"nanos":562726746},"http":{"id":"82aa4350-6917-4bc7-9f3b-56519695287c","method":"POST","headers":{":authority":"maas.apps.6dd39c67-6c90-474c-aa84-6bfafaca1ded.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-12T19:50:49Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"82aa4350-6917-4bc7-9f3b-56519695287c","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781294149,"groups":["Engineering","Project-Alpha"],"iat":1781293849,"iss":"https://keycloak.apps.6dd39c67-6c90-474c-aa84-6bfafaca1ded.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:3fe845fc-4363-85ca-b15d-a7f0b22ac758","preferred_username":"alice_lead","scope":"profile email","sid":"hYZGnZtdOs1rar0V93EvmgLp","sub":"4b198563-02d0-4ba8-bb55-d09154fc8a7d","typ":"Bearer"}}
{"level":"debug","ts":"2026-06-12T19:50:49Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"82aa4350-6917-4bc7-9f3b-56519695287c","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781294149,"groups":["Engineering","Project-Alpha"],"iat":1781293849,"iss":"https://keycloak.apps.6dd39c67-6c90-474c-aa84-6bfafaca1ded.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:3fe845fc-4363-85ca-b15d-a7f0b22ac758","preferred_username":"alice_lead","scope":"profile email","sid":"hYZGnZtdOs1rar0V93EvmgLp","sub":"4b198563-02d0-4ba8-bb55-d09154fc8a7d","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.133.0.34:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.6dd39c67-6c90-474c-aa84-6bfafaca1ded.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-12T19:50:49Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"82aa4350-6917-4bc7-9f3b-56519695287c","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-12T19:50:49Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"82aa4350-6917-4bc7-9f3b-56519695287c","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-12T19:50:49Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"82aa4350-6917-4bc7-9f3b-56519695287c","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-12T19:50:49Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"82aa4350-6917-4bc7-9f3b-56519695287c","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"groups","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"keyId","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"userid","Value":{}}]},"Plain":null},"reason":"no such key: metadata"}
{"level":"debug","ts":"2026-06-12T19:50:49Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"82aa4350-6917-4bc7-9f3b-56519695287c","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"}
{"level":"debug","ts":"2026-06-12T19:50:49Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"82aa4350-6917-4bc7-9f3b-56519695287c","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"}
{"level":"info","ts":"2026-06-12T19:50:49Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"82aa4350-6917-4bc7-9f3b-56519695287c","authorized":true,"response":"OK"}
{"level":"debug","ts":"2026-06-12T19:50:49Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"82aa4350-6917-4bc7-9f3b-56519695287c","authorized":true,"response":"OK"}
{"level":"info","ts":"2026-06-12T19:50:49Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"3654ca2a-b884-4a58-8b2b-87d4192a0c41","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.12:57302","PortSpecifier":{"PortValue":57302}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.34:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"3654ca2a-b884-4a58-8b2b-87d4192a0c41","method":"GET","path":"/maas-api/v1/models","host":"maas.apps.6dd39c67-6c90-474c-aa84-6bfafaca1ded.prod.konfluxeaas.com","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-12T19:50:49Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"3654ca2a-b884-4a58-8b2b-87d4192a0c41","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.12:57302","PortSpecifier":{"PortValue":57302}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.34:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781293849,"nanos":596230236},"http":{"id":"3654ca2a-b884-4a58-8b2b-87d4192a0c41","method":"GET","headers":{":authority":"maas.apps.6dd39c67-6c90-474c-aa84-6bfafaca1ded.prod.konfluxeaas.com",":method":"GET",":path":"/maas-api/v1/models",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-12T19:50:49Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"3654ca2a-b884-4a58-8b2b-87d4192a0c41","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-1AV3u8O5mVOy8jLgI_efo8RxSiX7LFs3wpubdpw56ylom27oN07Sv2cKPytco"}
{"level":"debug","ts":"2026-06-12T19:50:49Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"3654ca2a-b884-4a58-8b2b-87d4192a0c41","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-1AV3u8O5mVOy8jLgI_efo8RxSiX7LFs3wpubdpw56ylom27oN07Sv2cKPytco\"}"}
{"level":"debug","ts":"2026-06-12T19:50:49Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"3654ca2a-b884-4a58-8b2b-87d4192a0c41","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-12T19:50:49Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"3654ca2a-b884-4a58-8b2b-87d4192a0c41","input":{"auth":{"identity":"Bearer **** deflate","authorization":"Bearer **** deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-12T19:50:49Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"3654ca2a-b884-4a58-8b2b-87d4192a0c41","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-12T19:50:49Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"3654ca2a-b884-4a58-8b2b-87d4192a0c41","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-12T19:50:49Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"3654ca2a-b884-4a58-8b2b-87d4192a0c41","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-12T19:50:49Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"3654ca2a-b884-4a58-8b2b-87d4192a0c41","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-12T19:50:49Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"3654ca2a-b884-4a58-8b2b-87d4192a0c41","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-12T19:50:49Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"3654ca2a-b884-4a58-8b2b-87d4192a0c41","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"groups","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"keyId","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"userid","Value":{}}]},"Plain":null},"reason":"no such key: subscription-info"}
{"level":"debug","ts":"2026-06-12T19:50:49Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"3654ca2a-b884-4a58-8b2b-87d4192a0c41","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"}
{"level":"info","ts":"2026-06-12T19:50:49Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"3654ca2a-b884-4a58-8b2b-87d4192a0c41","authorized":true,"response":"OK"}
{"level":"debug","ts":"2026-06-12T19:50:49Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"3654ca2a-b884-4a58-8b2b-87d4192a0c41","authorized":true,"response":"OK"}
{"level":"info","ts":"2026-06-12T19:50:49Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"726ca3ec-cc7a-48a3-8621-c235982655ff","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.55:46496","PortSpecifier":{"PortValue":46496}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.34:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"726ca3ec-cc7a-48a3-8621-c235982655ff","method":"GET","path":"/llm/facebook-opt-125m-simulated/v1/models","host":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-12T19:50:49Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"726ca3ec-cc7a-48a3-8621-c235982655ff","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.55:46496","PortSpecifier":{"PortValue":46496}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.34:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781293849,"nanos":615016030},"http":{"id":"726ca3ec-cc7a-48a3-8621-c235982655ff","method":"GET","headers":{":authority":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local",":method":"GET",":path":"/llm/facebook-opt-125m-simulated/v1/models",":scheme":"https","accept-encoding":"gzip","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-12T19:50:49Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"726ca3ec-cc7a-48a3-8621-c235982655ff","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-1AV3u8O5mVOy8jLgI_efo8RxSiX7LFs3wpubdpw56ylom27oN07Sv2cKPytco"}
{"level":"debug","ts":"2026-06-12T19:50:49Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"726ca3ec-cc7a-48a3-8621-c235982655ff","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-1AV3u8O5mVOy8jLgI_efo8RxSiX7LFs3wpubdpw56ylom27oN07Sv2cKPytco\"}"}
{"level":"debug","ts":"2026-06-12T19:50:49Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"726ca3ec-cc7a-48a3-8621-c235982655ff","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-12T19:50:49Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"726ca3ec-cc7a-48a3-8621-c235982655ff","config":"subscription-info","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","headers":{"Content-Type":["application/json"]},"body":"{\"groups\":[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"],\"requestedModel\":\"llm/facebook-opt-125m-simulated\",\"requestedSubscription\":\"simulator-subscription\",\"username\":\"alice_lead\"}"}
{"level":"debug","ts":"2026-06-12T19:50:49Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"726ca3ec-cc7a-48a3-8621-c235982655ff","config":{"Name":"subscription-info","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"UserInfo":null,"UMA":null,"GenericHTTP":{"Endpoint":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","DynamicEndpoint":null,"Method":"POST","Body":{},"Parameters":[],"Headers":[],"ContentType":"application/json","SharedSecret":"","OAuth2":null,"OAuth2TokenForceFetch":false,"AuthCredentials":null}},"object":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}}
{"level":"debug","ts":"2026-06-12T19:50:49Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"726ca3ec-cc7a-48a3-8621-c235982655ff","input":{"auth":{"identity":"Bearer **** subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}}},"context":{"context_extensions":{"host":"3dd75e19cd66d310c30638e330078972afd6d2d96305f91055bc6a6f363fb8d3"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.133.0.34:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local",":method":"GET",":path":"/llm/facebook-opt-125m-simulated/v1/models",":scheme":"https","accept-encoding":"gzip","authorization":"Bearer **** sk-oai-1AV3u8O5mVOy8jLgI_efo8RxSiX7LFs3wpubdpw56ylom27oN07Sv2cKPytco","user-agent":"Go-http-client/1.1","x-envoy-decorator-operation":"facebook-opt-125m-simulated-kserve-workload-svc.llm.svc.cluster.local:8000/*","x-envoy-external-address":"10.132.0.55","x-envoy-peer-metadata":"ChoKCkNMVVNURVJfSUQSDBoKS3ViZXJuZXRlcwqLAQoGTEFCRUxTEoABKn4KSwofc2VydmljZS5pc3Rpby5pby9jYW5vbmljYWwtbmFtZRIoGiZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAovCiNzZXJ2aWNlLmlzdGlvLmlvL2Nhbm9uaWNhbC1yZXZpc2lvbhIIGgZsYXRlc3QKQAoETkFNRRI4GjZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdC02ODdmZjY5OTYtNmR4eDkKIAoJTkFNRVNQQUNFEhMaEW9wZW5zaGlmdC1pbmdyZXNzCnQKBU9XTkVSEmsaaWt1YmVybmV0ZXM6Ly9hcGlzL2FwcHMvdjEvbmFtZXNwYWNlcy9vcGVuc2hpZnQtaW5ncmVzcy9kZXBsb3ltZW50cy9tYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAo5Cg1XT1JLTE9BRF9OQU1FEigaJm1hYXMtZGVmYXVsdC1nYXRld2F5LW9wZW5zaGlmdC1kZWZhdWx0","x-envoy-peer-metadata-id":"router~10.133.0.34~maas-default-gateway-openshift-default-687ff6996-6dxx9.openshift-ingress~openshift-ingress.svc.cluster.local","x-forwarded-for":"10.132.0.55","x-forwarded-proto":"https","x-maas-subscription":"simulator-subscription","x-request-id":"726ca3ec-cc7a-48a3-8621-c235982655ff"},"host":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local","id":"726ca3ec-cc7a-48a3-8621-c235982655ff","method":"GET","path":"/llm/facebook-opt-125m-simulated/v1/models","protocol":"HTTP/1.1","scheme":"https","time":{"nanos":615016030,"seconds":1781293849},"url_path":"/llm/facebook-opt-125m-simulated/v1/models","user_agent":"Go-http-client/1.1"},"source":{"address":"10.132.0.55:46496","port":46496}}}
{"level":"debug","ts":"2026-06-12T19:50:49Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"726ca3ec-cc7a-48a3-8621-c235982655ff","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-12T19:50:49Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"726ca3ec-cc7a-48a3-8621-c235982655ff","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-12T19:50:49Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"726ca3ec-cc7a-48a3-8621-c235982655ff","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-12T19:50:49Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"726ca3ec-cc7a-48a3-8621-c235982655ff","config":{"Name":"subscription-valid","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-12T19:50:49Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"726ca3ec-cc7a-48a3-8621-c235982655ff","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-12T19:50:49Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"726ca3ec-cc7a-48a3-8621-c235982655ff","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-12T19:50:49Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"726ca3ec-cc7a-48a3-8621-c235982655ff","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"}
{"level":"debug","ts":"2026-06-12T19:50:49Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"726ca3ec-cc7a-48a3-8621-c235982655ff","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"groups","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"userid","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"subscription_error","Value":{}}]},"Plain":null},"object":{"groups":["system:authenticated","Engineering","Project-Alpha"],"groups_str":"system:authenticated,Engineering,Project-Alpha","keyId":"7f68e3c3-7892-47ec-a377-c30e51b994c6","selected_subscription":"simulator-subscription","selected_subscription_key":"models-as-a-service/simulator-subscription@llm/facebook-opt-125m-simulated","subscription_error":"","subscription_error_message":"","subscription_info":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true},"userid":"alice_lead"}}
{"level":"info","ts":"2026-06-12T19:50:49Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"726ca3ec-cc7a-48a3-8621-c235982655ff","authorized":true,"response":"OK"}
{"level":"debug","ts":"2026-06-12T19:50:49Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"726ca3ec-cc7a-48a3-8621-c235982655ff","authorized":true,"response":"OK"}
{"level":"info","ts":"2026-06-12T19:50:49Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"2489899a-ea86-4ba6-a37c-0dfd29b86731","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.12:57306","PortSpecifier":{"PortValue":57306}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.34:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"2489899a-ea86-4ba6-a37c-0dfd29b86731","method":"POST","path":"/llm/facebook-opt-125m-simulated/v1/chat/completions","host":"maas.apps.6dd39c67-6c90-474c-aa84-6bfafaca1ded.prod.konfluxeaas.com","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-12T19:50:49Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"2489899a-ea86-4ba6-a37c-0dfd29b86731","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.12:57306","PortSpecifier":{"PortValue":57306}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.34:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781293849,"nanos":646343500},"http":{"id":"2489899a-ea86-4ba6-a37c-0dfd29b86731","method":"POST","headers":{":authority":"maas.apps.6dd39c67-6c90-474c-aa84-6bfafaca1ded.prod.konfluxeaas.com",":method":"POST",":path":"/llm/facebook-opt-125m-simulated/v1/chat/completions",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-12T19:50:49Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"2489899a-ea86-4ba6-a37c-0dfd29b86731","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-1AV3u8O5mVOy8jLgI_efo8RxSiX7LFs3wpubdpw56ylom27oN07Sv2cKPytco"}
{"level":"debug","ts":"2026-06-12T19:50:49Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"2489899a-ea86-4ba6-a37c-0dfd29b86731","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-1AV3u8O5mVOy8jLgI_efo8RxSiX7LFs3wpubdpw56ylom27oN07Sv2cKPytco\"}"}
{"level":"debug","ts":"2026-06-12T19:50:49Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"2489899a-ea86-4ba6-a37c-0dfd29b86731","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-12T19:50:49Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"2489899a-ea86-4ba6-a37c-0dfd29b86731","config":"subscription-info","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","headers":{"Content-Type":["application/json"]},"body":"{\"groups\":[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"],\"requestedModel\":\"llm/facebook-opt-125m-simulated\",\"requestedSubscription\":\"simulator-subscription\",\"username\":\"alice_lead\"}"}
{"level":"debug","ts":"2026-06-12T19:50:49Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"2489899a-ea86-4ba6-a37c-0dfd29b86731","config":{"Name":"subscription-info","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"UserInfo":null,"UMA":null,"GenericHTTP":{"Endpoint":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","DynamicEndpoint":null,"Method":"POST","Body":{},"Parameters":[],"Headers":[],"ContentType":"application/json","SharedSecret":"","OAuth2":null,"OAuth2TokenForceFetch":false,"AuthCredentials":null}},"object":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}}
{"level":"debug","ts":"2026-06-12T19:50:49Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"2489899a-ea86-4ba6-a37c-0dfd29b86731","input":{"auth":{"identity":"Bearer **** subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}}},"context":{"context_extensions":{"host":"18e32965997cdd9967355c6fa5264ed12c0a215989d459ed88d7d6de02865f76"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.133.0.34:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.6dd39c67-6c90-474c-aa84-6bfafaca1ded.prod.konfluxeaas.com",":method":"POST",":path":"/llm/facebook-opt-125m-simulated/v1/chat/completions",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-12T19:50:49Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"2489899a-ea86-4ba6-a37c-0dfd29b86731","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-12T19:50:49Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"2489899a-ea86-4ba6-a37c-0dfd29b86731","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-12T19:50:49Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"2489899a-ea86-4ba6-a37c-0dfd29b86731","config":{"Name":"subscription-valid","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-12T19:50:49Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"2489899a-ea86-4ba6-a37c-0dfd29b86731","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-12T19:50:49Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"2489899a-ea86-4ba6-a37c-0dfd29b86731","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-12T19:50:49Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"2489899a-ea86-4ba6-a37c-0dfd29b86731","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-12T19:50:49Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"2489899a-ea86-4ba6-a37c-0dfd29b86731","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"}
{"level":"debug","ts":"2026-06-12T19:50:49Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"2489899a-ea86-4ba6-a37c-0dfd29b86731","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"groups","Value":{}},{"Name":"keyId","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"userid","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error_message","Value":{}}]},"Plain":null},"object":{"groups":["system:authenticated","Engineering","Project-Alpha"],"groups_str":"system:authenticated,Engineering,Project-Alpha","keyId":"7f68e3c3-7892-47ec-a377-c30e51b994c6","selected_subscription":"simulator-subscription","selected_subscription_key":"models-as-a-service/simulator-subscription@llm/facebook-opt-125m-simulated","subscription_error":"","subscription_error_message":"","subscription_info":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true},"userid":"alice_lead"}}
{"level":"info","ts":"2026-06-12T19:50:49Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"2489899a-ea86-4ba6-a37c-0dfd29b86731","authorized":true,"response":"OK"}
{"level":"debug","ts":"2026-06-12T19:50:49Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"2489899a-ea86-4ba6-a37c-0dfd29b86731","authorized":true,"response":"OK"}
{"level":"info","ts":"2026-06-12T19:50:49Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"a5008070-e67e-4b53-a29e-3c751b2f4941","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.12:57314","PortSpecifier":{"PortValue":57314}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.34:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"a5008070-e67e-4b53-a29e-3c751b2f4941","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.6dd39c67-6c90-474c-aa84-6bfafaca1ded.prod.konfluxeaas.com","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-12T19:50:49Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"a5008070-e67e-4b53-a29e-3c751b2f4941","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.12:57314","PortSpecifier":{"PortValue":57314}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.34:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781293849,"nanos":748023255},"http":{"id":"a5008070-e67e-4b53-a29e-3c751b2f4941","method":"POST","headers":{":authority":"maas.apps.6dd39c67-6c90-474c-aa84-6bfafaca1ded.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-12T19:50:49Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"a5008070-e67e-4b53-a29e-3c751b2f4941","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781294149,"groups":["Engineering","Project-Alpha"],"iat":1781293849,"iss":"https://keycloak.apps.6dd39c67-6c90-474c-aa84-6bfafaca1ded.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:753bbbae-688d-96e4-7dd2-6383f1fcf950","preferred_username":"alice_lead","scope":"profile email","sid":"QSdIPH5lprzYgn3j3XTScWCc","sub":"4b198563-02d0-4ba8-bb55-d09154fc8a7d","typ":"Bearer"}}
{"level":"debug","ts":"2026-06-12T19:50:49Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"a5008070-e67e-4b53-a29e-3c751b2f4941","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781294149,"groups":["Engineering","Project-Alpha"],"iat":1781293849,"iss":"https://keycloak.apps.6dd39c67-6c90-474c-aa84-6bfafaca1ded.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:753bbbae-688d-96e4-7dd2-6383f1fcf950","preferred_username":"alice_lead","scope":"profile email","sid":"QSdIPH5lprzYgn3j3XTScWCc","sub":"4b198563-02d0-4ba8-bb55-d09154fc8a7d","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.133.0.34:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.6dd39c67-6c90-474c-aa84-6bfafaca1ded.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-12T19:50:49Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"a5008070-e67e-4b53-a29e-3c751b2f4941","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-12T19:50:49Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"a5008070-e67e-4b53-a29e-3c751b2f4941","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-12T19:50:49Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"a5008070-e67e-4b53-a29e-3c751b2f4941","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-12T19:50:49Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"a5008070-e67e-4b53-a29e-3c751b2f4941","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"groups","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"keyId","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"userid","Value":{}}]},"Plain":null},"reason":"no such key: metadata"}
{"level":"debug","ts":"2026-06-12T19:50:49Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"a5008070-e67e-4b53-a29e-3c751b2f4941","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"}
{"level":"debug","ts":"2026-06-12T19:50:49Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"a5008070-e67e-4b53-a29e-3c751b2f4941","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"}
{"level":"info","ts":"2026-06-12T19:50:49Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"a5008070-e67e-4b53-a29e-3c751b2f4941","authorized":true,"response":"OK"}
{"level":"debug","ts":"2026-06-12T19:50:49Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"a5008070-e67e-4b53-a29e-3c751b2f4941","authorized":true,"response":"OK"}
{"level":"info","ts":"2026-06-12T19:50:49Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"70548a41-f61d-4367-8b6a-37c821e8dc77","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.12:57318","PortSpecifier":{"PortValue":57318}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.34:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"70548a41-f61d-4367-8b6a-37c821e8dc77","method":"DELETE","path":"/maas-api/v1/api-keys/89838f2f-6aac-404c-b7a5-9a4da557324a","host":"maas.apps.6dd39c67-6c90-474c-aa84-6bfafaca1ded.prod.konfluxeaas.com","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-12T19:50:49Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"70548a41-f61d-4367-8b6a-37c821e8dc77","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.12:57318","PortSpecifier":{"PortValue":57318}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.34:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781293849,"nanos":782629353},"http":{"id":"70548a41-f61d-4367-8b6a-37c821e8dc77","method":"DELETE","headers":{":authority":"maas.apps.6dd39c67-6c90-474c-aa84-6bfafaca1ded.prod.konfluxeaas.com",":method":"DELETE",":path":"/maas-api/v1/api-keys/89838f2f-6aac-404c-b7a5-9a4da557324a",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-12T19:50:49Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"70548a41-f61d-4367-8b6a-37c821e8dc77","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781294149,"groups":["Engineering","Project-Alpha"],"iat":1781293849,"iss":"https://keycloak.apps.6dd39c67-6c90-474c-aa84-6bfafaca1ded.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:753bbbae-688d-96e4-7dd2-6383f1fcf950","preferred_username":"alice_lead","scope":"profile email","sid":"QSdIPH5lprzYgn3j3XTScWCc","sub":"4b198563-02d0-4ba8-bb55-d09154fc8a7d","typ":"Bearer"}}
{"level":"debug","ts":"2026-06-12T19:50:49Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"70548a41-f61d-4367-8b6a-37c821e8dc77","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781294149,"groups":["Engineering","Project-Alpha"],"iat":1781293849,"iss":"https://keycloak.apps.6dd39c67-6c90-474c-aa84-6bfafaca1ded.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:753bbbae-688d-96e4-7dd2-6383f1fcf950","preferred_username":"alice_lead","scope":"profile email","sid":"QSdIPH5lprzYgn3j3XTScWCc","sub":"4b198563-02d0-4ba8-bb55-d09154fc8a7d","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.133.0.34:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.6dd39c67-6c90-474c-aa84-6bfafaca1ded.prod.konfluxeaas.com",":method":"DELETE",":path":"/maas-api/v1/api-keys/89838f2f-6aac-404c-b7a5-9a4da557324a",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-12T19:50:49Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"70548a41-f61d-4367-8b6a-37c821e8dc77","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-12T19:50:49Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"70548a41-f61d-4367-8b6a-37c821e8dc77","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-12T19:50:49Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"70548a41-f61d-4367-8b6a-37c821e8dc77","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-12T19:50:49Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"70548a41-f61d-4367-8b6a-37c821e8dc77","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"groups","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"keyId","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"userid","Value":{}}]},"Plain":null},"reason":"no such key: metadata"}
{"level":"debug","ts":"2026-06-12T19:50:49Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"70548a41-f61d-4367-8b6a-37c821e8dc77","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"}
{"level":"debug","ts":"2026-06-12T19:50:49Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"70548a41-f61d-4367-8b6a-37c821e8dc77","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"}
{"level":"info","ts":"2026-06-12T19:50:49Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"70548a41-f61d-4367-8b6a-37c821e8dc77","authorized":true,"response":"OK"}
{"level":"debug","ts":"2026-06-12T19:50:49Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"70548a41-f61d-4367-8b6a-37c821e8dc77","authorized":true,"response":"OK"}
{"level":"info","ts":"2026-06-12T19:50:52Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"158cd4b9-732f-43f5-8120-fcdec8f00105","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.12:57328","PortSpecifier":{"PortValue":57328}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.34:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"158cd4b9-732f-43f5-8120-fcdec8f00105","method":"GET","path":"/maas-api/v1/models","host":"maas.apps.6dd39c67-6c90-474c-aa84-6bfafaca1ded.prod.konfluxeaas.com","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-12T19:50:52Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"158cd4b9-732f-43f5-8120-fcdec8f00105","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.12:57328","PortSpecifier":{"PortValue":57328}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.34:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781293852,"nanos":815892406},"http":{"id":"158cd4b9-732f-43f5-8120-fcdec8f00105","method":"GET","headers":{":authority":"maas.apps.6dd39c67-6c90-474c-aa84-6bfafaca1ded.prod.konfluxeaas.com",":method":"GET",":path":"/maas-api/v1/models",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-12T19:50:52Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"158cd4b9-732f-43f5-8120-fcdec8f00105","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-c3g79spiuReDp3wt_5UWRFM4X8qvMLX6sY0V6e9CZwDkFnKshnaWSKCnA8NX"}
{"level":"debug","ts":"2026-06-12T19:50:52Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"158cd4b9-732f-43f5-8120-fcdec8f00105","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-c3g79spiuReDp3wt_5UWRFM4X8qvMLX6sY0V6e9CZwDkFnKshnaWSKCnA8NX\"}"}
{"level":"debug","ts":"2026-06-12T19:50:52Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"158cd4b9-732f-43f5-8120-fcdec8f00105","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** revoked or expired","valid":false}}
{"level":"debug","ts":"2026-06-12T19:50:52Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"158cd4b9-732f-43f5-8120-fcdec8f00105","input":{"auth":{"identity":"Bearer **** revoked or expired","valid":false}}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.133.0.34:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.6dd39c67-6c90-474c-aa84-6bfafaca1ded.prod.konfluxeaas.com",":method":"GET",":path":"/maas-api/v1/models",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-12T19:50:52Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"158cd4b9-732f-43f5-8120-fcdec8f00105","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-12T19:50:52Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access denied","request id":"158cd4b9-732f-43f5-8120-fcdec8f00105","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"reason":"Unauthorized"}
{"level":"info","ts":"2026-06-12T19:50:52Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"158cd4b9-732f-43f5-8120-fcdec8f00105","authorized":false,"response":"PERMISSION_DENIED","object":{"code":7,"status":403,"message":"Unauthorized"}}
{"level":"debug","ts":"2026-06-12T19:50:52Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"158cd4b9-732f-43f5-8120-fcdec8f00105","authorized":false,"response":"PERMISSION_DENIED","object":{"code":7,"status":403,"message":"Unauthorized","headers":[{"content-type":"text/plain"},{"x-ext-auth-reason":""}]}}
{"level":"info","ts":"2026-06-12T19:50:52Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"0b37d4e2-57e9-4648-a395-cee6f550c49d","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.12:57342","PortSpecifier":{"PortValue":57342}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.34:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"0b37d4e2-57e9-4648-a395-cee6f550c49d","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.6dd39c67-6c90-474c-aa84-6bfafaca1ded.prod.konfluxeaas.com","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-12T19:50:52Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"0b37d4e2-57e9-4648-a395-cee6f550c49d","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.12:57342","PortSpecifier":{"PortValue":57342}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.34:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781293852,"nanos":946022903},"http":{"id":"0b37d4e2-57e9-4648-a395-cee6f550c49d","method":"POST","headers":{":authority":"maas.apps.6dd39c67-6c90-474c-aa84-6bfafaca1ded.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-12T19:50:52Z","logger":"authorino.service.auth.authpipeline.identity","msg":"cannot validate identity","request id":"0b37d4e2-57e9-4648-a395-cee6f550c49d","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"reason":"failed to verify signature: failed to verify id token signature"}
{"level":"debug","ts":"2026-06-12T19:50:52Z","logger":"authorino.service.auth.authpipeline.identity.kubernetesauth","msg":"calling kubernetes token review api","request id":"0b37d4e2-57e9-4648-a395-cee6f550c49d","tokenreview":{"name":""}}
{"level":"debug","ts":"2026-06-12T19:50:52Z","logger":"authorino.service.auth.authpipeline.identity","msg":"cannot validate identity","request id":"0b37d4e2-57e9-4648-a395-cee6f550c49d","config":{"Name":"openshift-identities","Priority":2,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":null,"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"Plain":null,"Noop":null,"ExtendedProperties":[]},"reason":"not authenticated"}
{"level":"info","ts":"2026-06-12T19:50:52Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"0b37d4e2-57e9-4648-a395-cee6f550c49d","authorized":false,"response":"UNAUTHENTICATED","object":{"code":16,"status":401,"message":"Authentication required"}}
{"level":"debug","ts":"2026-06-12T19:50:52Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"0b37d4e2-57e9-4648-a395-cee6f550c49d","authorized":false,"response":"UNAUTHENTICATED","object":{"code":16,"status":401,"message":"Authentication required","headers":[{"WWW-Authenticate":"request.headers.authorization realm=\"api-keys\""},{"WWW-Authenticate":"Bearer **** realm=\"openshift-identities\""}]}}
{"level":"info","ts":"2026-06-12T19:50:53Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"c4967efb-e615-4849-98c0-36cd5e22a7d7","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.12:57352","PortSpecifier":{"PortValue":57352}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.34:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"c4967efb-e615-4849-98c0-36cd5e22a7d7","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.6dd39c67-6c90-474c-aa84-6bfafaca1ded.prod.konfluxeaas.com","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-12T19:50:53Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"c4967efb-e615-4849-98c0-36cd5e22a7d7","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.12:57352","PortSpecifier":{"PortValue":57352}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.34:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781293853,"nanos":109947396},"http":{"id":"c4967efb-e615-4849-98c0-36cd5e22a7d7","method":"POST","headers":{":authority":"maas.apps.6dd39c67-6c90-474c-aa84-6bfafaca1ded.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-12T19:50:53Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"c4967efb-e615-4849-98c0-36cd5e22a7d7","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781294153,"groups":["Engineering","Project-Alpha"],"iat":1781293853,"iss":"https://keycloak.apps.6dd39c67-6c90-474c-aa84-6bfafaca1ded.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:6d022889-7750-3fd4-8bf7-8307bb21477e","preferred_username":"alice_lead","scope":"profile email","sid":"ZSNN92gF0dHVT0Y1bVoIDu8L","sub":"4b198563-02d0-4ba8-bb55-d09154fc8a7d","typ":"Bearer"}}
{"level":"debug","ts":"2026-06-12T19:50:53Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"c4967efb-e615-4849-98c0-36cd5e22a7d7","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781294153,"groups":["Engineering","Project-Alpha"],"iat":1781293853,"iss":"https://keycloak.apps.6dd39c67-6c90-474c-aa84-6bfafaca1ded.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:6d022889-7750-3fd4-8bf7-8307bb21477e","preferred_username":"alice_lead","scope":"profile email","sid":"ZSNN92gF0dHVT0Y1bVoIDu8L","sub":"4b198563-02d0-4ba8-bb55-d09154fc8a7d","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.133.0.34:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.6dd39c67-6c90-474c-aa84-6bfafaca1ded.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-12T19:50:53Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"c4967efb-e615-4849-98c0-36cd5e22a7d7","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-12T19:50:53Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"c4967efb-e615-4849-98c0-36cd5e22a7d7","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-12T19:50:53Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"c4967efb-e615-4849-98c0-36cd5e22a7d7","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-12T19:50:53Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"c4967efb-e615-4849-98c0-36cd5e22a7d7","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"groups","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"keyId","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"userid","Value":{}}]},"Plain":null},"reason":"no such key: metadata"}
{"level":"debug","ts":"2026-06-12T19:50:53Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"c4967efb-e615-4849-98c0-36cd5e22a7d7","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"}
{"level":"debug","ts":"2026-06-12T19:50:53Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"c4967efb-e615-4849-98c0-36cd5e22a7d7","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"}
{"level":"info","ts":"2026-06-12T19:50:53Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"c4967efb-e615-4849-98c0-36cd5e22a7d7","authorized":true,"response":"OK"}
{"level":"debug","ts":"2026-06-12T19:50:53Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"c4967efb-e615-4849-98c0-36cd5e22a7d7","authorized":true,"response":"OK"}
{"level":"info","ts":"2026-06-12T19:50:53Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"75b04750-bb05-495d-858b-6d4db041a4a6","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.12:57362","PortSpecifier":{"PortValue":57362}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.34:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"75b04750-bb05-495d-858b-6d4db041a4a6","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.6dd39c67-6c90-474c-aa84-6bfafaca1ded.prod.konfluxeaas.com","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-12T19:50:53Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"75b04750-bb05-495d-858b-6d4db041a4a6","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.12:57362","PortSpecifier":{"PortValue":57362}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.34:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781293853,"nanos":141258062},"http":{"id":"75b04750-bb05-495d-858b-6d4db041a4a6","method":"POST","headers":{":authority":"maas.apps.6dd39c67-6c90-474c-aa84-6bfafaca1ded.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-12T19:50:53Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"75b04750-bb05-495d-858b-6d4db041a4a6","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781294153,"groups":["Site-Reliability"],"iat":1781293853,"iss":"https://keycloak.apps.6dd39c67-6c90-474c-aa84-6bfafaca1ded.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:42c6c20a-851f-87af-0336-3622f18c413c","preferred_username":"bob_sre","scope":"profile email","sid":"XN3O8q0lX_ryVPQ17rode8GW","sub":"4706d0ff-d9ff-4566-93f3-0ed3e6ca8a3d","typ":"Bearer"}}
{"level":"debug","ts":"2026-06-12T19:50:53Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"75b04750-bb05-495d-858b-6d4db041a4a6","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781294153,"groups":["Site-Reliability"],"iat":1781293853,"iss":"https://keycloak.apps.6dd39c67-6c90-474c-aa84-6bfafaca1ded.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:42c6c20a-851f-87af-0336-3622f18c413c","preferred_username":"bob_sre","scope":"profile email","sid":"XN3O8q0lX_ryVPQ17rode8GW","sub":"4706d0ff-d9ff-4566-93f3-0ed3e6ca8a3d","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.133.0.34:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.6dd39c67-6c90-474c-aa84-6bfafaca1ded.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-12T19:50:53Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"75b04750-bb05-495d-858b-6d4db041a4a6","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-12T19:50:53Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"75b04750-bb05-495d-858b-6d4db041a4a6","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-12T19:50:53Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"75b04750-bb05-495d-858b-6d4db041a4a6","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-12T19:50:53Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"75b04750-bb05-495d-858b-6d4db041a4a6","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"groups","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"keyId","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"userid","Value":{}}]},"Plain":null},"reason":"no such key: metadata"}
{"level":"debug","ts":"2026-06-12T19:50:53Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"75b04750-bb05-495d-858b-6d4db041a4a6","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"bob_sre"}
{"level":"debug","ts":"2026-06-12T19:50:53Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"75b04750-bb05-495d-858b-6d4db041a4a6","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Site-Reliability\"]"}
{"level":"info","ts":"2026-06-12T19:50:53Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"75b04750-bb05-495d-858b-6d4db041a4a6","authorized":true,"response":"OK"}
{"level":"debug","ts":"2026-06-12T19:50:53Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"75b04750-bb05-495d-858b-6d4db041a4a6","authorized":true,"response":"OK"}
{"level":"info","ts":"2026-06-12T19:50:53Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"1e7ec6fe-c78a-43da-802e-dc21575380eb","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.12:57376","PortSpecifier":{"PortValue":57376}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.34:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"1e7ec6fe-c78a-43da-802e-dc21575380eb","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.6dd39c67-6c90-474c-aa84-6bfafaca1ded.prod.konfluxeaas.com","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-12T19:50:53Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"1e7ec6fe-c78a-43da-802e-dc21575380eb","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.12:57376","PortSpecifier":{"PortValue":57376}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.34:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781293853,"nanos":247534713},"http":{"id":"1e7ec6fe-c78a-43da-802e-dc21575380eb","method":"POST","headers":{":authority":"maas.apps.6dd39c67-6c90-474c-aa84-6bfafaca1ded.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-12T19:50:53Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"1e7ec6fe-c78a-43da-802e-dc21575380eb","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781294153,"groups":["Engineering","Project-Alpha"],"iat":1781293853,"iss":"https://keycloak.apps.6dd39c67-6c90-474c-aa84-6bfafaca1ded.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:693064e4-6246-9817-8a66-5e5dea8b82d3","preferred_username":"alice_lead","scope":"profile email","sid":"I-9AxOMEmrh23I7micsdds3r","sub":"4b198563-02d0-4ba8-bb55-d09154fc8a7d","typ":"Bearer"}}
{"level":"debug","ts":"2026-06-12T19:50:53Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"1e7ec6fe-c78a-43da-802e-dc21575380eb","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781294153,"groups":["Engineering","Project-Alpha"],"iat":1781293853,"iss":"https://keycloak.apps.6dd39c67-6c90-474c-aa84-6bfafaca1ded.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:693064e4-6246-9817-8a66-5e5dea8b82d3","preferred_username":"alice_lead","scope":"profile email","sid":"I-9AxOMEmrh23I7micsdds3r","sub":"4b198563-02d0-4ba8-bb55-d09154fc8a7d","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.133.0.34:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.6dd39c67-6c90-474c-aa84-6bfafaca1ded.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-12T19:50:53Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"1e7ec6fe-c78a-43da-802e-dc21575380eb","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-12T19:50:53Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"1e7ec6fe-c78a-43da-802e-dc21575380eb","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-12T19:50:53Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"1e7ec6fe-c78a-43da-802e-dc21575380eb","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-12T19:50:53Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"1e7ec6fe-c78a-43da-802e-dc21575380eb","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"groups","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"keyId","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"userid","Value":{}}]},"Plain":null},"reason":"no such key: metadata"}
{"level":"debug","ts":"2026-06-12T19:50:53Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"1e7ec6fe-c78a-43da-802e-dc21575380eb","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"}
{"level":"debug","ts":"2026-06-12T19:50:53Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"1e7ec6fe-c78a-43da-802e-dc21575380eb","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"}
{"level":"info","ts":"2026-06-12T19:50:53Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"1e7ec6fe-c78a-43da-802e-dc21575380eb","authorized":true,"response":"OK"}
{"level":"debug","ts":"2026-06-12T19:50:53Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"1e7ec6fe-c78a-43da-802e-dc21575380eb","authorized":true,"response":"OK"}
{"level":"info","ts":"2026-06-12T19:50:53Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"22e9b4a4-cb2b-4e27-9df1-51f7ac3749da","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.12:57390","PortSpecifier":{"PortValue":57390}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.34:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"22e9b4a4-cb2b-4e27-9df1-51f7ac3749da","method":"DELETE","path":"/maas-api/v1/api-keys/bf6b8ad1-304d-48e6-bc45-130553280e1c","host":"maas.apps.6dd39c67-6c90-474c-aa84-6bfafaca1ded.prod.konfluxeaas.com","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-12T19:50:53Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"22e9b4a4-cb2b-4e27-9df1-51f7ac3749da","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.12:57390","PortSpecifier":{"PortValue":57390}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.34:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781293853,"nanos":281180363},"http":{"id":"22e9b4a4-cb2b-4e27-9df1-51f7ac3749da","method":"DELETE","headers":{":authority":"maas.apps.6dd39c67-6c90-474c-aa84-6bfafaca1ded.prod.konfluxeaas.com",":method":"DELETE",":path":"/maas-api/v1/api-keys/bf6b8ad1-304d-48e6-bc45-130553280e1c",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-12T19:50:53Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"22e9b4a4-cb2b-4e27-9df1-51f7ac3749da","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781294153,"groups":["Engineering","Project-Alpha"],"iat":1781293853,"iss":"https://keycloak.apps.6dd39c67-6c90-474c-aa84-6bfafaca1ded.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:693064e4-6246-9817-8a66-5e5dea8b82d3","preferred_username":"alice_lead","scope":"profile email","sid":"I-9AxOMEmrh23I7micsdds3r","sub":"4b198563-02d0-4ba8-bb55-d09154fc8a7d","typ":"Bearer"}}
{"level":"debug","ts":"2026-06-12T19:50:53Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"22e9b4a4-cb2b-4e27-9df1-51f7ac3749da","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781294153,"groups":["Engineering","Project-Alpha"],"iat":1781293853,"iss":"https://keycloak.apps.6dd39c67-6c90-474c-aa84-6bfafaca1ded.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:693064e4-6246-9817-8a66-5e5dea8b82d3","preferred_username":"alice_lead","scope":"profile email","sid":"I-9AxOMEmrh23I7micsdds3r","sub":"4b198563-02d0-4ba8-bb55-d09154fc8a7d","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.133.0.34:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.6dd39c67-6c90-474c-aa84-6bfafaca1ded.prod.konfluxeaas.com",":method":"DELETE",":path":"/maas-api/v1/api-keys/bf6b8ad1-304d-48e6-bc45-130553280e1c",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-12T19:50:53Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"22e9b4a4-cb2b-4e27-9df1-51f7ac3749da","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-12T19:50:53Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"22e9b4a4-cb2b-4e27-9df1-51f7ac3749da","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-12T19:50:53Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"22e9b4a4-cb2b-4e27-9df1-51f7ac3749da","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-12T19:50:53Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"22e9b4a4-cb2b-4e27-9df1-51f7ac3749da","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"groups","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"keyId","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"userid","Value":{}}]},"Plain":null},"reason":"no such key: metadata"}
{"level":"debug","ts":"2026-06-12T19:50:53Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"22e9b4a4-cb2b-4e27-9df1-51f7ac3749da","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"}
{"level":"debug","ts":"2026-06-12T19:50:53Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"22e9b4a4-cb2b-4e27-9df1-51f7ac3749da","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"}
{"level":"info","ts":"2026-06-12T19:50:53Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"22e9b4a4-cb2b-4e27-9df1-51f7ac3749da","authorized":true,"response":"OK"}
{"level":"debug","ts":"2026-06-12T19:50:53Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"22e9b4a4-cb2b-4e27-9df1-51f7ac3749da","authorized":true,"response":"OK"}
{"level":"info","ts":"2026-06-12T19:50:53Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"344e22cf-274f-43c1-b922-9a6fa001a2dc","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.12:57394","PortSpecifier":{"PortValue":57394}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.34:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"344e22cf-274f-43c1-b922-9a6fa001a2dc","method":"DELETE","path":"/maas-api/v1/api-keys/bf6b8ad1-304d-48e6-bc45-130553280e1c","host":"maas.apps.6dd39c67-6c90-474c-aa84-6bfafaca1ded.prod.konfluxeaas.com","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-12T19:50:53Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"344e22cf-274f-43c1-b922-9a6fa001a2dc","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.12:57394","PortSpecifier":{"PortValue":57394}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.34:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781293853,"nanos":309346986},"http":{"id":"344e22cf-274f-43c1-b922-9a6fa001a2dc","method":"DELETE","headers":{":authority":"maas.apps.6dd39c67-6c90-474c-aa84-6bfafaca1ded.prod.konfluxeaas.com",":method":"DELETE",":path":"/maas-api/v1/api-keys/bf6b8ad1-304d-48e6-bc45-130553280e1c",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-12T19:50:53Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"344e22cf-274f-43c1-b922-9a6fa001a2dc","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781294153,"groups":["Engineering","Project-Alpha"],"iat":1781293853,"iss":"https://keycloak.apps.6dd39c67-6c90-474c-aa84-6bfafaca1ded.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:693064e4-6246-9817-8a66-5e5dea8b82d3","preferred_username":"alice_lead","scope":"profile email","sid":"I-9AxOMEmrh23I7micsdds3r","sub":"4b198563-02d0-4ba8-bb55-d09154fc8a7d","typ":"Bearer"}}
{"level":"debug","ts":"2026-06-12T19:50:53Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"344e22cf-274f-43c1-b922-9a6fa001a2dc","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781294153,"groups":["Engineering","Project-Alpha"],"iat":1781293853,"iss":"https://keycloak.apps.6dd39c67-6c90-474c-aa84-6bfafaca1ded.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:693064e4-6246-9817-8a66-5e5dea8b82d3","preferred_username":"alice_lead","scope":"profile email","sid":"I-9AxOMEmrh23I7micsdds3r","sub":"4b198563-02d0-4ba8-bb55-d09154fc8a7d","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.133.0.34:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.6dd39c67-6c90-474c-aa84-6bfafaca1ded.prod.konfluxeaas.com",":method":"DELETE",":path":"/maas-api/v1/api-keys/bf6b8ad1-304d-48e6-bc45-130553280e1c",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-12T19:50:53Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"344e22cf-274f-43c1-b922-9a6fa001a2dc","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-12T19:50:53Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"344e22cf-274f-43c1-b922-9a6fa001a2dc","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-12T19:50:53Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"344e22cf-274f-43c1-b922-9a6fa001a2dc","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-12T19:50:53Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"344e22cf-274f-43c1-b922-9a6fa001a2dc","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"groups","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"keyId","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"userid","Value":{}}]},"Plain":null},"reason":"no such key: metadata"}
{"level":"debug","ts":"2026-06-12T19:50:53Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"344e22cf-274f-43c1-b922-9a6fa001a2dc","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"}
{"level":"debug","ts":"2026-06-12T19:50:53Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"344e22cf-274f-43c1-b922-9a6fa001a2dc","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"}
{"level":"info","ts":"2026-06-12T19:50:53Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"344e22cf-274f-43c1-b922-9a6fa001a2dc","authorized":true,"response":"OK"}
{"level":"debug","ts":"2026-06-12T19:50:53Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"344e22cf-274f-43c1-b922-9a6fa001a2dc","authorized":true,"response":"OK"}
{"level":"info","ts":"2026-06-12T19:50:53Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"56ddcac7-4169-410c-bbec-76d4b42b0aab","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.12:57398","PortSpecifier":{"PortValue":57398}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.34:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"56ddcac7-4169-410c-bbec-76d4b42b0aab","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.6dd39c67-6c90-474c-aa84-6bfafaca1ded.prod.konfluxeaas.com","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-12T19:50:53Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"56ddcac7-4169-410c-bbec-76d4b42b0aab","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.12:57398","PortSpecifier":{"PortValue":57398}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.34:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781293853,"nanos":409624994},"http":{"id":"56ddcac7-4169-410c-bbec-76d4b42b0aab","method":"POST","headers":{":authority":"maas.apps.6dd39c67-6c90-474c-aa84-6bfafaca1ded.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-12T19:50:53Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"56ddcac7-4169-410c-bbec-76d4b42b0aab","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781294153,"groups":["Engineering","Project-Alpha"],"iat":1781293853,"iss":"https://keycloak.apps.6dd39c67-6c90-474c-aa84-6bfafaca1ded.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:400755ff-5544-1d72-c475-aef3614b0f8b","preferred_username":"alice_lead","scope":"profile email","sid":"rEudqhhMsWZZOfobsIPji3Af","sub":"4b198563-02d0-4ba8-bb55-d09154fc8a7d","typ":"Bearer"}}
{"level":"debug","ts":"2026-06-12T19:50:53Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"56ddcac7-4169-410c-bbec-76d4b42b0aab","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781294153,"groups":["Engineering","Project-Alpha"],"iat":1781293853,"iss":"https://keycloak.apps.6dd39c67-6c90-474c-aa84-6bfafaca1ded.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:400755ff-5544-1d72-c475-aef3614b0f8b","preferred_username":"alice_lead","scope":"profile email","sid":"rEudqhhMsWZZOfobsIPji3Af","sub":"4b198563-02d0-4ba8-bb55-d09154fc8a7d","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.133.0.34:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.6dd39c67-6c90-474c-aa84-6bfafaca1ded.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-12T19:50:53Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"56ddcac7-4169-410c-bbec-76d4b42b0aab","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-12T19:50:53Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"56ddcac7-4169-410c-bbec-76d4b42b0aab","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-12T19:50:53Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"56ddcac7-4169-410c-bbec-76d4b42b0aab","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-12T19:50:53Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"56ddcac7-4169-410c-bbec-76d4b42b0aab","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"groups","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"keyId","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"userid","Value":{}}]},"Plain":null},"reason":"no such key: metadata"}
{"level":"debug","ts":"2026-06-12T19:50:53Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"56ddcac7-4169-410c-bbec-76d4b42b0aab","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"}
{"level":"debug","ts":"2026-06-12T19:50:53Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"56ddcac7-4169-410c-bbec-76d4b42b0aab","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"}
{"level":"info","ts":"2026-06-12T19:50:53Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"56ddcac7-4169-410c-bbec-76d4b42b0aab","authorized":true,"response":"OK"}
{"level":"debug","ts":"2026-06-12T19:50:53Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"56ddcac7-4169-410c-bbec-76d4b42b0aab","authorized":true,"response":"OK"}
{"level":"info","ts":"2026-06-12T19:50:53Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"ef70e879-a220-4fb5-91ee-f21f8ba83d08","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.12:57410","PortSpecifier":{"PortValue":57410}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.34:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"ef70e879-a220-4fb5-91ee-f21f8ba83d08","method":"GET","path":"/maas-api/v1/models","host":"maas.apps.6dd39c67-6c90-474c-aa84-6bfafaca1ded.prod.konfluxeaas.com","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-12T19:50:53Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"ef70e879-a220-4fb5-91ee-f21f8ba83d08","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.12:57410","PortSpecifier":{"PortValue":57410}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.34:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781293853,"nanos":437445617},"http":{"id":"ef70e879-a220-4fb5-91ee-f21f8ba83d08","method":"GET","headers":{":authority":"maas.apps.6dd39c67-6c90-474c-aa84-6bfafaca1ded.prod.konfluxeaas.com",":method":"GET",":path":"/maas-api/v1/models",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-12T19:50:53Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"ef70e879-a220-4fb5-91ee-f21f8ba83d08","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-SxiW9WvwmSH2zso6_7gXgaHxJmLalxa3Fj9s4rqd18Kr4KHJJbQyR0jnKkco"}
{"level":"debug","ts":"2026-06-12T19:50:53Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"ef70e879-a220-4fb5-91ee-f21f8ba83d08","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-SxiW9WvwmSH2zso6_7gXgaHxJmLalxa3Fj9s4rqd18Kr4KHJJbQyR0jnKkco\"}"}
{"level":"debug","ts":"2026-06-12T19:50:53Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"ef70e879-a220-4fb5-91ee-f21f8ba83d08","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-12T19:50:53Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"ef70e879-a220-4fb5-91ee-f21f8ba83d08","input":{"auth":{"identity":"Bearer **** deflate","authorization":"Bearer **** deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-12T19:50:53Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"ef70e879-a220-4fb5-91ee-f21f8ba83d08","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-12T19:50:53Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"ef70e879-a220-4fb5-91ee-f21f8ba83d08","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-12T19:50:53Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"ef70e879-a220-4fb5-91ee-f21f8ba83d08","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-12T19:50:53Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"ef70e879-a220-4fb5-91ee-f21f8ba83d08","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-12T19:50:53Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"ef70e879-a220-4fb5-91ee-f21f8ba83d08","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-12T19:50:53Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"ef70e879-a220-4fb5-91ee-f21f8ba83d08","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"}
{"level":"debug","ts":"2026-06-12T19:50:53Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"ef70e879-a220-4fb5-91ee-f21f8ba83d08","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"groups","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"keyId","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"userid","Value":{}}]},"Plain":null},"reason":"no such key: subscription-info"}
{"level":"info","ts":"2026-06-12T19:50:53Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"ef70e879-a220-4fb5-91ee-f21f8ba83d08","authorized":true,"response":"OK"}
{"level":"debug","ts":"2026-06-12T19:50:53Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"ef70e879-a220-4fb5-91ee-f21f8ba83d08","authorized":true,"response":"OK"}
{"level":"info","ts":"2026-06-12T19:50:53Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"5aa099b8-f50e-4dce-abc0-ea46c9cbbfe8","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.55:46496","PortSpecifier":{"PortValue":46496}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.34:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"5aa099b8-f50e-4dce-abc0-ea46c9cbbfe8","method":"GET","path":"/llm/facebook-opt-125m-simulated/v1/models","host":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-12T19:50:53Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"5aa099b8-f50e-4dce-abc0-ea46c9cbbfe8","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.55:46496","PortSpecifier":{"PortValue":46496}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.34:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781293853,"nanos":444403268},"http":{"id":"5aa099b8-f50e-4dce-abc0-ea46c9cbbfe8","method":"GET","headers":{":authority":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local",":method":"GET",":path":"/llm/facebook-opt-125m-simulated/v1/models",":scheme":"https","accept-encoding":"gzip","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-12T19:50:53Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"5aa099b8-f50e-4dce-abc0-ea46c9cbbfe8","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-SxiW9WvwmSH2zso6_7gXgaHxJmLalxa3Fj9s4rqd18Kr4KHJJbQyR0jnKkco"}
{"level":"debug","ts":"2026-06-12T19:50:53Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"5aa099b8-f50e-4dce-abc0-ea46c9cbbfe8","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-SxiW9WvwmSH2zso6_7gXgaHxJmLalxa3Fj9s4rqd18Kr4KHJJbQyR0jnKkco\"}"}
{"level":"debug","ts":"2026-06-12T19:50:53Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"5aa099b8-f50e-4dce-abc0-ea46c9cbbfe8","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-12T19:50:53Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"5aa099b8-f50e-4dce-abc0-ea46c9cbbfe8","config":"subscription-info","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","headers":{"Content-Type":["application/json"]},"body":"{\"groups\":[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"],\"requestedModel\":\"llm/facebook-opt-125m-simulated\",\"requestedSubscription\":\"simulator-subscription\",\"username\":\"alice_lead\"}"}
{"level":"debug","ts":"2026-06-12T19:50:53Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"5aa099b8-f50e-4dce-abc0-ea46c9cbbfe8","config":{"Name":"subscription-info","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"UserInfo":null,"UMA":null,"GenericHTTP":{"Endpoint":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","DynamicEndpoint":null,"Method":"POST","Body":{},"Parameters":[],"Headers":[],"ContentType":"application/json","SharedSecret":"","OAuth2":null,"OAuth2TokenForceFetch":false,"AuthCredentials":null}},"object":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}}
{"level":"debug","ts":"2026-06-12T19:50:53Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"5aa099b8-f50e-4dce-abc0-ea46c9cbbfe8","input":{"auth":{"identity":"Bearer **** subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}}},"context":{"context_extensions":{"host":"3dd75e19cd66d310c30638e330078972afd6d2d96305f91055bc6a6f363fb8d3"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.133.0.34:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local",":method":"GET",":path":"/llm/facebook-opt-125m-simulated/v1/models",":scheme":"https","accept-encoding":"gzip","authorization":"Bearer **** sk-oai-SxiW9WvwmSH2zso6_7gXgaHxJmLalxa3Fj9s4rqd18Kr4KHJJbQyR0jnKkco","user-agent":"Go-http-client/1.1","x-envoy-decorator-operation":"facebook-opt-125m-simulated-kserve-workload-svc.llm.svc.cluster.local:8000/*","x-envoy-external-address":"10.132.0.55","x-envoy-peer-metadata":"ChoKCkNMVVNURVJfSUQSDBoKS3ViZXJuZXRlcwqLAQoGTEFCRUxTEoABKn4KSwofc2VydmljZS5pc3Rpby5pby9jYW5vbmljYWwtbmFtZRIoGiZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAovCiNzZXJ2aWNlLmlzdGlvLmlvL2Nhbm9uaWNhbC1yZXZpc2lvbhIIGgZsYXRlc3QKQAoETkFNRRI4GjZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdC02ODdmZjY5OTYtNmR4eDkKIAoJTkFNRVNQQUNFEhMaEW9wZW5zaGlmdC1pbmdyZXNzCnQKBU9XTkVSEmsaaWt1YmVybmV0ZXM6Ly9hcGlzL2FwcHMvdjEvbmFtZXNwYWNlcy9vcGVuc2hpZnQtaW5ncmVzcy9kZXBsb3ltZW50cy9tYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAo5Cg1XT1JLTE9BRF9OQU1FEigaJm1hYXMtZGVmYXVsdC1nYXRld2F5LW9wZW5zaGlmdC1kZWZhdWx0","x-envoy-peer-metadata-id":"router~10.133.0.34~maas-default-gateway-openshift-default-687ff6996-6dxx9.openshift-ingress~openshift-ingress.svc.cluster.local","x-forwarded-for":"10.132.0.55","x-forwarded-proto":"https","x-maas-subscription":"simulator-subscription","x-request-id":"5aa099b8-f50e-4dce-abc0-ea46c9cbbfe8"},"host":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local","id":"5aa099b8-f50e-4dce-abc0-ea46c9cbbfe8","method":"GET","path":"/llm/facebook-opt-125m-simulated/v1/models","protocol":"HTTP/1.1","scheme":"https","time":{"nanos":444403268,"seconds":1781293853},"url_path":"/llm/facebook-opt-125m-simulated/v1/models","user_agent":"Go-http-client/1.1"},"source":{"address":"10.132.0.55:46496","port":46496}}}
{"level":"debug","ts":"2026-06-12T19:50:53Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"5aa099b8-f50e-4dce-abc0-ea46c9cbbfe8","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-12T19:50:53Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"5aa099b8-f50e-4dce-abc0-ea46c9cbbfe8","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-12T19:50:53Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"5aa099b8-f50e-4dce-abc0-ea46c9cbbfe8","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-12T19:50:53Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"5aa099b8-f50e-4dce-abc0-ea46c9cbbfe8","config":{"Name":"subscription-valid","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-12T19:50:53Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"5aa099b8-f50e-4dce-abc0-ea46c9cbbfe8","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-12T19:50:53Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"5aa099b8-f50e-4dce-abc0-ea46c9cbbfe8","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-12T19:50:53Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"5aa099b8-f50e-4dce-abc0-ea46c9cbbfe8","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"}
{"level":"debug","ts":"2026-06-12T19:50:53Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"5aa099b8-f50e-4dce-abc0-ea46c9cbbfe8","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"groups","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"userid","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"subscription_error","Value":{}}]},"Plain":null},"object":{"groups":["system:authenticated","Engineering","Project-Alpha"],"groups_str":"system:authenticated,Engineering,Project-Alpha","keyId":"f5f4021a-d047-4d98-9b82-4f4f96140029","selected_subscription":"simulator-subscription","selected_subscription_key":"models-as-a-service/simulator-subscription@llm/facebook-opt-125m-simulated","subscription_error":"","subscription_error_message":"","subscription_info":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true},"userid":"alice_lead"}}
{"level":"info","ts":"2026-06-12T19:50:53Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"5aa099b8-f50e-4dce-abc0-ea46c9cbbfe8","authorized":true,"response":"OK"}
{"level":"debug","ts":"2026-06-12T19:50:53Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"5aa099b8-f50e-4dce-abc0-ea46c9cbbfe8","authorized":true,"response":"OK"}
{"level":"info","ts":"2026-06-12T19:50:53Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"25a70e63-1e0f-46de-86dd-5f8e080e8729","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.12:57424","PortSpecifier":{"PortValue":57424}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.34:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"25a70e63-1e0f-46de-86dd-5f8e080e8729","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.6dd39c67-6c90-474c-aa84-6bfafaca1ded.prod.konfluxeaas.com","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-12T19:50:53Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"25a70e63-1e0f-46de-86dd-5f8e080e8729","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.12:57424","PortSpecifier":{"PortValue":57424}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.34:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781293853,"nanos":536537950},"http":{"id":"25a70e63-1e0f-46de-86dd-5f8e080e8729","method":"POST","headers":{":authority":"maas.apps.6dd39c67-6c90-474c-aa84-6bfafaca1ded.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-12T19:50:53Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"25a70e63-1e0f-46de-86dd-5f8e080e8729","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781294153,"groups":["Engineering","Project-Alpha"],"iat":1781293853,"iss":"https://keycloak.apps.6dd39c67-6c90-474c-aa84-6bfafaca1ded.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:925c9f47-f935-527b-2918-e24a7cd79f81","preferred_username":"alice_lead","scope":"profile email","sid":"CpBb-DxvUZyT2nE9gREdeM6m","sub":"4b198563-02d0-4ba8-bb55-d09154fc8a7d","typ":"Bearer"}}
{"level":"debug","ts":"2026-06-12T19:50:53Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"25a70e63-1e0f-46de-86dd-5f8e080e8729","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781294153,"groups":["Engineering","Project-Alpha"],"iat":1781293853,"iss":"https://keycloak.apps.6dd39c67-6c90-474c-aa84-6bfafaca1ded.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:925c9f47-f935-527b-2918-e24a7cd79f81","preferred_username":"alice_lead","scope":"profile email","sid":"CpBb-DxvUZyT2nE9gREdeM6m","sub":"4b198563-02d0-4ba8-bb55-d09154fc8a7d","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.133.0.34:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.6dd39c67-6c90-474c-aa84-6bfafaca1ded.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-12T19:50:53Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"25a70e63-1e0f-46de-86dd-5f8e080e8729","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-12T19:50:53Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"25a70e63-1e0f-46de-86dd-5f8e080e8729","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-12T19:50:53Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"25a70e63-1e0f-46de-86dd-5f8e080e8729","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-12T19:50:53Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"25a70e63-1e0f-46de-86dd-5f8e080e8729","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"groups","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"keyId","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"userid","Value":{}}]},"Plain":null},"reason":"no such key: metadata"}
{"level":"debug","ts":"2026-06-12T19:50:53Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"25a70e63-1e0f-46de-86dd-5f8e080e8729","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"}
{"level":"debug","ts":"2026-06-12T19:50:53Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"25a70e63-1e0f-46de-86dd-5f8e080e8729","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"}
{"level":"info","ts":"2026-06-12T19:50:53Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"25a70e63-1e0f-46de-86dd-5f8e080e8729","authorized":true,"response":"OK"}
{"level":"debug","ts":"2026-06-12T19:50:53Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"25a70e63-1e0f-46de-86dd-5f8e080e8729","authorized":true,"response":"OK"}
{"level":"info","ts":"2026-06-12T19:50:53Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"a3f081da-c492-4e2f-83c5-5cd635658aad","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.12:57428","PortSpecifier":{"PortValue":57428}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.34:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"a3f081da-c492-4e2f-83c5-5cd635658aad","method":"GET","path":"/maas-api/v1/models","host":"maas.apps.6dd39c67-6c90-474c-aa84-6bfafaca1ded.prod.konfluxeaas.com","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-12T19:50:53Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"a3f081da-c492-4e2f-83c5-5cd635658aad","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.12:57428","PortSpecifier":{"PortValue":57428}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.34:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781293853,"nanos":567536564},"http":{"id":"a3f081da-c492-4e2f-83c5-5cd635658aad","method":"GET","headers":{":authority":"maas.apps.6dd39c67-6c90-474c-aa84-6bfafaca1ded.prod.konfluxeaas.com",":method":"GET",":path":"/maas-api/v1/models",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-12T19:50:53Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"a3f081da-c492-4e2f-83c5-5cd635658aad","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-1Ui6hSfav55IuxjRF_LUHV705VB5kgrETeJqiApEo6XApN54R8hstXYn8QCbP"}
{"level":"debug","ts":"2026-06-12T19:50:53Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"a3f081da-c492-4e2f-83c5-5cd635658aad","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-1Ui6hSfav55IuxjRF_LUHV705VB5kgrETeJqiApEo6XApN54R8hstXYn8QCbP\"}"}
{"level":"debug","ts":"2026-06-12T19:50:53Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"a3f081da-c492-4e2f-83c5-5cd635658aad","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-12T19:50:53Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"a3f081da-c492-4e2f-83c5-5cd635658aad","input":{"auth":{"identity":"Bearer **** deflate","authorization":"Bearer **** deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-12T19:50:53Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"a3f081da-c492-4e2f-83c5-5cd635658aad","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-12T19:50:53Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"a3f081da-c492-4e2f-83c5-5cd635658aad","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-12T19:50:53Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"a3f081da-c492-4e2f-83c5-5cd635658aad","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-12T19:50:53Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"a3f081da-c492-4e2f-83c5-5cd635658aad","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-12T19:50:53Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"a3f081da-c492-4e2f-83c5-5cd635658aad","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-12T19:50:53Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"a3f081da-c492-4e2f-83c5-5cd635658aad","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"}
{"level":"debug","ts":"2026-06-12T19:50:53Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"a3f081da-c492-4e2f-83c5-5cd635658aad","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"groups","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"keyId","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"userid","Value":{}}]},"Plain":null},"reason":"no such key: subscription-info"}
{"level":"info","ts":"2026-06-12T19:50:53Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"a3f081da-c492-4e2f-83c5-5cd635658aad","authorized":true,"response":"OK"}
{"level":"debug","ts":"2026-06-12T19:50:53Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"a3f081da-c492-4e2f-83c5-5cd635658aad","authorized":true,"response":"OK"}
{"level":"info","ts":"2026-06-12T19:50:53Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"97ff98a1-8782-43e4-a5ab-957b1486968a","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.12:57430","PortSpecifier":{"PortValue":57430}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.34:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"97ff98a1-8782-43e4-a5ab-957b1486968a","method":"GET","path":"/maas-api/v1/models","host":"maas.apps.6dd39c67-6c90-474c-aa84-6bfafaca1ded.prod.konfluxeaas.com","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-12T19:50:53Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"97ff98a1-8782-43e4-a5ab-957b1486968a","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.12:57430","PortSpecifier":{"PortValue":57430}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.34:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781293853,"nanos":594486392},"http":{"id":"97ff98a1-8782-43e4-a5ab-957b1486968a","method":"GET","headers":{":authority":"maas.apps.6dd39c67-6c90-474c-aa84-6bfafaca1ded.prod.konfluxeaas.com",":method":"GET",":path":"/maas-api/v1/models",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-12T19:50:53Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"97ff98a1-8782-43e4-a5ab-957b1486968a","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-1Ui6hSfav55IuxjRF_LUHV705VB5kgrETeJqiApEo6XApN54R8hstXYn8QCbP"}
{"level":"debug","ts":"2026-06-12T19:50:53Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"97ff98a1-8782-43e4-a5ab-957b1486968a","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-1Ui6hSfav55IuxjRF_LUHV705VB5kgrETeJqiApEo6XApN54R8hstXYn8QCbP\"}"}
{"level":"debug","ts":"2026-06-12T19:50:53Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"97ff98a1-8782-43e4-a5ab-957b1486968a","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-12T19:50:53Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"97ff98a1-8782-43e4-a5ab-957b1486968a","input":{"auth":{"identity":"Bearer **** deflate","authorization":"Bearer **** deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-12T19:50:53Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"97ff98a1-8782-43e4-a5ab-957b1486968a","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-12T19:50:53Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"97ff98a1-8782-43e4-a5ab-957b1486968a","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-12T19:50:53Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"97ff98a1-8782-43e4-a5ab-957b1486968a","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-12T19:50:53Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"97ff98a1-8782-43e4-a5ab-957b1486968a","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-12T19:50:53Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"97ff98a1-8782-43e4-a5ab-957b1486968a","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-12T19:50:53Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"97ff98a1-8782-43e4-a5ab-957b1486968a","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"}
{"level":"debug","ts":"2026-06-12T19:50:53Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"97ff98a1-8782-43e4-a5ab-957b1486968a","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"groups","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"keyId","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"userid","Value":{}}]},"Plain":null},"reason":"no such key: subscription-info"}
{"level":"info","ts":"2026-06-12T19:50:53Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"97ff98a1-8782-43e4-a5ab-957b1486968a","authorized":true,"response":"OK"}
{"level":"debug","ts":"2026-06-12T19:50:53Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"97ff98a1-8782-43e4-a5ab-957b1486968a","authorized":true,"response":"OK"}
{"level":"info","ts":"2026-06-12T19:50:53Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"b83e5f55-ecf7-41ab-9464-967ec5dee13e","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.55:46496","PortSpecifier":{"PortValue":46496}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.34:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"b83e5f55-ecf7-41ab-9464-967ec5dee13e","method":"GET","path":"/llm/facebook-opt-125m-simulated/v1/models","host":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-12T19:50:53Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"b83e5f55-ecf7-41ab-9464-967ec5dee13e","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.55:46496","PortSpecifier":{"PortValue":46496}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.34:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781293853,"nanos":601472943},"http":{"id":"b83e5f55-ecf7-41ab-9464-967ec5dee13e","method":"GET","headers":{":authority":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local",":method":"GET",":path":"/llm/facebook-opt-125m-simulated/v1/models",":scheme":"https","accept-encoding":"gzip","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-12T19:50:53Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"b83e5f55-ecf7-41ab-9464-967ec5dee13e","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-1Ui6hSfav55IuxjRF_LUHV705VB5kgrETeJqiApEo6XApN54R8hstXYn8QCbP"}
{"level":"debug","ts":"2026-06-12T19:50:53Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"b83e5f55-ecf7-41ab-9464-967ec5dee13e","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-1Ui6hSfav55IuxjRF_LUHV705VB5kgrETeJqiApEo6XApN54R8hstXYn8QCbP\"}"}
{"level":"debug","ts":"2026-06-12T19:50:53Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"b83e5f55-ecf7-41ab-9464-967ec5dee13e","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-12T19:50:53Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"b83e5f55-ecf7-41ab-9464-967ec5dee13e","config":"subscription-info","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","headers":{"Content-Type":["application/json"]},"body":"{\"groups\":[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"],\"requestedModel\":\"llm/facebook-opt-125m-simulated\",\"requestedSubscription\":\"simulator-subscription\",\"username\":\"alice_lead\"}"}
{"level":"debug","ts":"2026-06-12T19:50:53Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"b83e5f55-ecf7-41ab-9464-967ec5dee13e","config":{"Name":"subscription-info","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"UserInfo":null,"UMA":null,"GenericHTTP":{"Endpoint":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","DynamicEndpoint":null,"Method":"POST","Body":{},"Parameters":[],"Headers":[],"ContentType":"application/json","SharedSecret":"","OAuth2":null,"OAuth2TokenForceFetch":false,"AuthCredentials":null}},"object":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}}
{"level":"debug","ts":"2026-06-12T19:50:53Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"b83e5f55-ecf7-41ab-9464-967ec5dee13e","input":{"auth":{"identity":"Bearer **** subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}}},"context":{"context_extensions":{"host":"3dd75e19cd66d310c30638e330078972afd6d2d96305f91055bc6a6f363fb8d3"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.133.0.34:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local",":method":"GET",":path":"/llm/facebook-opt-125m-simulated/v1/models",":scheme":"https","accept-encoding":"gzip","authorization":"Bearer **** sk-oai-1Ui6hSfav55IuxjRF_LUHV705VB5kgrETeJqiApEo6XApN54R8hstXYn8QCbP","user-agent":"Go-http-client/1.1","x-envoy-decorator-operation":"facebook-opt-125m-simulated-kserve-workload-svc.llm.svc.cluster.local:8000/*","x-envoy-external-address":"10.132.0.55","x-envoy-peer-metadata":"ChoKCkNMVVNURVJfSUQSDBoKS3ViZXJuZXRlcwqLAQoGTEFCRUxTEoABKn4KSwofc2VydmljZS5pc3Rpby5pby9jYW5vbmljYWwtbmFtZRIoGiZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAovCiNzZXJ2aWNlLmlzdGlvLmlvL2Nhbm9uaWNhbC1yZXZpc2lvbhIIGgZsYXRlc3QKQAoETkFNRRI4GjZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdC02ODdmZjY5OTYtNmR4eDkKIAoJTkFNRVNQQUNFEhMaEW9wZW5zaGlmdC1pbmdyZXNzCnQKBU9XTkVSEmsaaWt1YmVybmV0ZXM6Ly9hcGlzL2FwcHMvdjEvbmFtZXNwYWNlcy9vcGVuc2hpZnQtaW5ncmVzcy9kZXBsb3ltZW50cy9tYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAo5Cg1XT1JLTE9BRF9OQU1FEigaJm1hYXMtZGVmYXVsdC1nYXRld2F5LW9wZW5zaGlmdC1kZWZhdWx0","x-envoy-peer-metadata-id":"router~10.133.0.34~maas-default-gateway-openshift-default-687ff6996-6dxx9.openshift-ingress~openshift-ingress.svc.cluster.local","x-forwarded-for":"10.132.0.55","x-forwarded-proto":"https","x-maas-subscription":"simulator-subscription","x-request-id":"b83e5f55-ecf7-41ab-9464-967ec5dee13e"},"host":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local","id":"b83e5f55-ecf7-41ab-9464-967ec5dee13e","method":"GET","path":"/llm/facebook-opt-125m-simulated/v1/models","protocol":"HTTP/1.1","scheme":"https","time":{"nanos":601472943,"seconds":1781293853},"url_path":"/llm/facebook-opt-125m-simulated/v1/models","user_agent":"Go-http-client/1.1"},"source":{"address":"10.132.0.55:46496","port":46496}}}
{"level":"debug","ts":"2026-06-12T19:50:53Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"b83e5f55-ecf7-41ab-9464-967ec5dee13e","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-12T19:50:53Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"b83e5f55-ecf7-41ab-9464-967ec5dee13e","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-12T19:50:53Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"b83e5f55-ecf7-41ab-9464-967ec5dee13e","config":{"Name":"subscription-valid","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-12T19:50:53Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"b83e5f55-ecf7-41ab-9464-967ec5dee13e","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-12T19:50:53Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"b83e5f55-ecf7-41ab-9464-967ec5dee13e","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-12T19:50:53Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"b83e5f55-ecf7-41ab-9464-967ec5dee13e","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-12T19:50:53Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"b83e5f55-ecf7-41ab-9464-967ec5dee13e","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"}
{"level":"debug","ts":"2026-06-12T19:50:53Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"b83e5f55-ecf7-41ab-9464-967ec5dee13e","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"groups","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"userid","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"subscription_error","Value":{}}]},"Plain":null},"object":{"groups":["system:authenticated","Engineering","Project-Alpha"],"groups_str":"system:authenticated,Engineering,Project-Alpha","keyId":"c53941e3-8f0a-4afc-8d8f-cdb0e7864124","selected_subscription":"simulator-subscription","selected_subscription_key":"models-as-a-service/simulator-subscription@llm/facebook-opt-125m-simulated","subscription_error":"","subscription_error_message":"","subscription_info":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true},"userid":"alice_lead"}}
{"level":"info","ts":"2026-06-12T19:50:53Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"b83e5f55-ecf7-41ab-9464-967ec5dee13e","authorized":true,"response":"OK"}
{"level":"debug","ts":"2026-06-12T19:50:53Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"b83e5f55-ecf7-41ab-9464-967ec5dee13e","authorized":true,"response":"OK"}
{"level":"info","ts":"2026-06-12T19:50:53Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"8fd79167-3d1d-4e08-95be-b60bc313edb5","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.12:57432","PortSpecifier":{"PortValue":57432}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.34:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"8fd79167-3d1d-4e08-95be-b60bc313edb5","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.6dd39c67-6c90-474c-aa84-6bfafaca1ded.prod.konfluxeaas.com","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-12T19:50:53Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"8fd79167-3d1d-4e08-95be-b60bc313edb5","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.12:57432","PortSpecifier":{"PortValue":57432}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.34:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781293853,"nanos":699747905},"http":{"id":"8fd79167-3d1d-4e08-95be-b60bc313edb5","method":"POST","headers":{":authority":"maas.apps.6dd39c67-6c90-474c-aa84-6bfafaca1ded.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-12T19:50:53Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"8fd79167-3d1d-4e08-95be-b60bc313edb5","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781294153,"groups":["Engineering","Project-Alpha"],"iat":1781293853,"iss":"https://keycloak.apps.6dd39c67-6c90-474c-aa84-6bfafaca1ded.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:5dd097e0-d75f-00c5-4852-d81d63fb468d","preferred_username":"alice_lead","scope":"profile email","sid":"eNv6R8XxPNOFfGCikMA2SXs8","sub":"4b198563-02d0-4ba8-bb55-d09154fc8a7d","typ":"Bearer"}}
{"level":"debug","ts":"2026-06-12T19:50:53Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"8fd79167-3d1d-4e08-95be-b60bc313edb5","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781294153,"groups":["Engineering","Project-Alpha"],"iat":1781293853,"iss":"https://keycloak.apps.6dd39c67-6c90-474c-aa84-6bfafaca1ded.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:5dd097e0-d75f-00c5-4852-d81d63fb468d","preferred_username":"alice_lead","scope":"profile email","sid":"eNv6R8XxPNOFfGCikMA2SXs8","sub":"4b198563-02d0-4ba8-bb55-d09154fc8a7d","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.133.0.34:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.6dd39c67-6c90-474c-aa84-6bfafaca1ded.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-12T19:50:53Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"8fd79167-3d1d-4e08-95be-b60bc313edb5","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-12T19:50:53Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"8fd79167-3d1d-4e08-95be-b60bc313edb5","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-12T19:50:53Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"8fd79167-3d1d-4e08-95be-b60bc313edb5","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-12T19:50:53Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"8fd79167-3d1d-4e08-95be-b60bc313edb5","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"groups","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"keyId","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"userid","Value":{}}]},"Plain":null},"reason":"no such key: metadata"}
{"level":"debug","ts":"2026-06-12T19:50:53Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"8fd79167-3d1d-4e08-95be-b60bc313edb5","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"}
{"level":"debug","ts":"2026-06-12T19:50:53Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"8fd79167-3d1d-4e08-95be-b60bc313edb5","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"}
{"level":"info","ts":"2026-06-12T19:50:53Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"8fd79167-3d1d-4e08-95be-b60bc313edb5","authorized":true,"response":"OK"}
{"level":"debug","ts":"2026-06-12T19:50:53Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"8fd79167-3d1d-4e08-95be-b60bc313edb5","authorized":true,"response":"OK"}
{"level":"info","ts":"2026-06-12T19:50:53Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"351344fc-4061-42eb-b58e-da2576a24b60","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.12:57444","PortSpecifier":{"PortValue":57444}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.34:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"351344fc-4061-42eb-b58e-da2576a24b60","method":"GET","path":"/maas-api/v1/models","host":"maas.apps.6dd39c67-6c90-474c-aa84-6bfafaca1ded.prod.konfluxeaas.com","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-12T19:50:53Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"351344fc-4061-42eb-b58e-da2576a24b60","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.12:57444","PortSpecifier":{"PortValue":57444}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.34:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781293853,"nanos":726775104},"http":{"id":"351344fc-4061-42eb-b58e-da2576a24b60","method":"GET","headers":{":authority":"maas.apps.6dd39c67-6c90-474c-aa84-6bfafaca1ded.prod.konfluxeaas.com",":method":"GET",":path":"/maas-api/v1/models",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-12T19:50:53Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"351344fc-4061-42eb-b58e-da2576a24b60","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-H9yCov9v74mo5GFL_m2jteJZlmzepTMF5SmwiTtFZpgNzkhYm8xaOtizbaTX"}
{"level":"debug","ts":"2026-06-12T19:50:53Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"351344fc-4061-42eb-b58e-da2576a24b60","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-H9yCov9v74mo5GFL_m2jteJZlmzepTMF5SmwiTtFZpgNzkhYm8xaOtizbaTX\"}"}
{"level":"debug","ts":"2026-06-12T19:50:53Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"351344fc-4061-42eb-b58e-da2576a24b60","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-12T19:50:53Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"351344fc-4061-42eb-b58e-da2576a24b60","input":{"auth":{"identity":"Bearer **** deflate","authorization":"Bearer **** deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-12T19:50:53Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"351344fc-4061-42eb-b58e-da2576a24b60","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-12T19:50:53Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"351344fc-4061-42eb-b58e-da2576a24b60","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-12T19:50:53Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"351344fc-4061-42eb-b58e-da2576a24b60","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-12T19:50:53Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"351344fc-4061-42eb-b58e-da2576a24b60","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-12T19:50:53Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"351344fc-4061-42eb-b58e-da2576a24b60","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-12T19:50:53Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"351344fc-4061-42eb-b58e-da2576a24b60","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"}
{"level":"debug","ts":"2026-06-12T19:50:53Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"351344fc-4061-42eb-b58e-da2576a24b60","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"groups","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"keyId","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"userid","Value":{}}]},"Plain":null},"reason":"no such key: subscription-info"}
{"level":"info","ts":"2026-06-12T19:50:53Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"351344fc-4061-42eb-b58e-da2576a24b60","authorized":true,"response":"OK"}
{"level":"debug","ts":"2026-06-12T19:50:53Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"351344fc-4061-42eb-b58e-da2576a24b60","authorized":true,"response":"OK"}
{"level":"info","ts":"2026-06-12T19:50:53Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"5a8872bc-2d2e-43ac-975d-18492aac734f","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.55:46496","PortSpecifier":{"PortValue":46496}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.34:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"5a8872bc-2d2e-43ac-975d-18492aac734f","method":"GET","path":"/llm/facebook-opt-125m-simulated/v1/models","host":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-12T19:50:53Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"5a8872bc-2d2e-43ac-975d-18492aac734f","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.55:46496","PortSpecifier":{"PortValue":46496}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.34:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781293853,"nanos":734088582},"http":{"id":"5a8872bc-2d2e-43ac-975d-18492aac734f","method":"GET","headers":{":authority":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local",":method":"GET",":path":"/llm/facebook-opt-125m-simulated/v1/models",":scheme":"https","accept-encoding":"gzip","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-12T19:50:53Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"5a8872bc-2d2e-43ac-975d-18492aac734f","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-H9yCov9v74mo5GFL_m2jteJZlmzepTMF5SmwiTtFZpgNzkhYm8xaOtizbaTX"}
{"level":"debug","ts":"2026-06-12T19:50:53Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"5a8872bc-2d2e-43ac-975d-18492aac734f","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-H9yCov9v74mo5GFL_m2jteJZlmzepTMF5SmwiTtFZpgNzkhYm8xaOtizbaTX\"}"}
{"level":"debug","ts":"2026-06-12T19:50:53Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"5a8872bc-2d2e-43ac-975d-18492aac734f","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-12T19:50:53Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"5a8872bc-2d2e-43ac-975d-18492aac734f","config":"subscription-info","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","headers":{"Content-Type":["application/json"]},"body":"{\"groups\":[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"],\"requestedModel\":\"llm/facebook-opt-125m-simulated\",\"requestedSubscription\":\"simulator-subscription\",\"username\":\"alice_lead\"}"}
{"level":"debug","ts":"2026-06-12T19:50:53Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"5a8872bc-2d2e-43ac-975d-18492aac734f","config":{"Name":"subscription-info","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"UserInfo":null,"UMA":null,"GenericHTTP":{"Endpoint":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","DynamicEndpoint":null,"Method":"POST","Body":{},"Parameters":[],"Headers":[],"ContentType":"application/json","SharedSecret":"","OAuth2":null,"OAuth2TokenForceFetch":false,"AuthCredentials":null}},"object":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}}
{"level":"debug","ts":"2026-06-12T19:50:53Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"5a8872bc-2d2e-43ac-975d-18492aac734f","input":{"auth":{"identity":"Bearer **** subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}}},"context":{"context_extensions":{"host":"3dd75e19cd66d310c30638e330078972afd6d2d96305f91055bc6a6f363fb8d3"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.133.0.34:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local",":method":"GET",":path":"/llm/facebook-opt-125m-simulated/v1/models",":scheme":"https","accept-encoding":"gzip","authorization":"Bearer **** sk-oai-H9yCov9v74mo5GFL_m2jteJZlmzepTMF5SmwiTtFZpgNzkhYm8xaOtizbaTX","user-agent":"Go-http-client/1.1","x-envoy-decorator-operation":"facebook-opt-125m-simulated-kserve-workload-svc.llm.svc.cluster.local:8000/*","x-envoy-external-address":"10.132.0.55","x-envoy-peer-metadata":"ChoKCkNMVVNURVJfSUQSDBoKS3ViZXJuZXRlcwqLAQoGTEFCRUxTEoABKn4KSwofc2VydmljZS5pc3Rpby5pby9jYW5vbmljYWwtbmFtZRIoGiZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAovCiNzZXJ2aWNlLmlzdGlvLmlvL2Nhbm9uaWNhbC1yZXZpc2lvbhIIGgZsYXRlc3QKQAoETkFNRRI4GjZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdC02ODdmZjY5OTYtNmR4eDkKIAoJTkFNRVNQQUNFEhMaEW9wZW5zaGlmdC1pbmdyZXNzCnQKBU9XTkVSEmsaaWt1YmVybmV0ZXM6Ly9hcGlzL2FwcHMvdjEvbmFtZXNwYWNlcy9vcGVuc2hpZnQtaW5ncmVzcy9kZXBsb3ltZW50cy9tYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAo5Cg1XT1JLTE9BRF9OQU1FEigaJm1hYXMtZGVmYXVsdC1nYXRld2F5LW9wZW5zaGlmdC1kZWZhdWx0","x-envoy-peer-metadata-id":"router~10.133.0.34~maas-default-gateway-openshift-default-687ff6996-6dxx9.openshift-ingress~openshift-ingress.svc.cluster.local","x-forwarded-for":"10.132.0.55","x-forwarded-proto":"https","x-maas-subscription":"simulator-subscription","x-request-id":"5a8872bc-2d2e-43ac-975d-18492aac734f"},"host":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local","id":"5a8872bc-2d2e-43ac-975d-18492aac734f","method":"GET","path":"/llm/facebook-opt-125m-simulated/v1/models","protocol":"HTTP/1.1","scheme":"https","time":{"nanos":734088582,"seconds":1781293853},"url_path":"/llm/facebook-opt-125m-simulated/v1/models","user_agent":"Go-http-client/1.1"},"source":{"address":"10.132.0.55:46496","port":46496}}}
{"level":"debug","ts":"2026-06-12T19:50:53Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"5a8872bc-2d2e-43ac-975d-18492aac734f","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-12T19:50:53Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"5a8872bc-2d2e-43ac-975d-18492aac734f","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-12T19:50:53Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"5a8872bc-2d2e-43ac-975d-18492aac734f","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-12T19:50:53Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"5a8872bc-2d2e-43ac-975d-18492aac734f","config":{"Name":"subscription-valid","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-12T19:50:53Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"5a8872bc-2d2e-43ac-975d-18492aac734f","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-12T19:50:53Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"5a8872bc-2d2e-43ac-975d-18492aac734f","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-12T19:50:53Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"5a8872bc-2d2e-43ac-975d-18492aac734f","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"}
{"level":"debug","ts":"2026-06-12T19:50:53Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"5a8872bc-2d2e-43ac-975d-18492aac734f","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"groups","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"userid","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"subscription_error","Value":{}}]},"Plain":null},"object":{"groups":["system:authenticated","Engineering","Project-Alpha"],"groups_str":"system:authenticated,Engineering,Project-Alpha","keyId":"4b8882e4-4bf7-46f6-b452-7fca86222c78","selected_subscription":"simulator-subscription","selected_subscription_key":"models-as-a-service/simulator-subscription@llm/facebook-opt-125m-simulated","subscription_error":"","subscription_error_message":"","subscription_info":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true},"userid":"alice_lead"}}
{"level":"info","ts":"2026-06-12T19:50:53Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"5a8872bc-2d2e-43ac-975d-18492aac734f","authorized":true,"response":"OK"}
{"level":"debug","ts":"2026-06-12T19:50:53Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"5a8872bc-2d2e-43ac-975d-18492aac734f","authorized":true,"response":"OK"}
{"level":"info","ts":"2026-06-12T19:50:53Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"6b17a19f-f4fd-438b-bf26-68914458d744","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.12:57458","PortSpecifier":{"PortValue":57458}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.34:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"6b17a19f-f4fd-438b-bf26-68914458d744","method":"GET","path":"/maas-api/v1/models","host":"maas.apps.6dd39c67-6c90-474c-aa84-6bfafaca1ded.prod.konfluxeaas.com","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-12T19:50:53Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"6b17a19f-f4fd-438b-bf26-68914458d744","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.12:57458","PortSpecifier":{"PortValue":57458}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.34:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781293853,"nanos":762635901},"http":{"id":"6b17a19f-f4fd-438b-bf26-68914458d744","method":"GET","headers":{":authority":"maas.apps.6dd39c67-6c90-474c-aa84-6bfafaca1ded.prod.konfluxeaas.com",":method":"GET",":path":"/maas-api/v1/models",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-12T19:50:53Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"6b17a19f-f4fd-438b-bf26-68914458d744","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-H9yCov9v74mo5GFL_m2jteJZlmzepTMF5SmwiTtFZpgNzkhYm8xaOtizbaTX"}
{"level":"debug","ts":"2026-06-12T19:50:53Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"6b17a19f-f4fd-438b-bf26-68914458d744","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-H9yCov9v74mo5GFL_m2jteJZlmzepTMF5SmwiTtFZpgNzkhYm8xaOtizbaTX\"}"}
{"level":"debug","ts":"2026-06-12T19:50:53Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"6b17a19f-f4fd-438b-bf26-68914458d744","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-12T19:50:53Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"6b17a19f-f4fd-438b-bf26-68914458d744","input":{"auth":{"identity":"Bearer **** deflate","authorization":"Bearer **** deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-12T19:50:53Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"6b17a19f-f4fd-438b-bf26-68914458d744","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-12T19:50:53Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"6b17a19f-f4fd-438b-bf26-68914458d744","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-12T19:50:53Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"6b17a19f-f4fd-438b-bf26-68914458d744","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-12T19:50:53Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"6b17a19f-f4fd-438b-bf26-68914458d744","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-12T19:50:53Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"6b17a19f-f4fd-438b-bf26-68914458d744","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-12T19:50:53Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"6b17a19f-f4fd-438b-bf26-68914458d744","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"groups","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"keyId","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"userid","Value":{}}]},"Plain":null},"reason":"no such key: subscription-info"}
{"level":"debug","ts":"2026-06-12T19:50:53Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"6b17a19f-f4fd-438b-bf26-68914458d744","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"}
{"level":"info","ts":"2026-06-12T19:50:53Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"6b17a19f-f4fd-438b-bf26-68914458d744","authorized":true,"response":"OK"}
{"level":"debug","ts":"2026-06-12T19:50:53Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"6b17a19f-f4fd-438b-bf26-68914458d744","authorized":true,"response":"OK"}
{"level":"info","ts":"2026-06-12T19:50:53Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"aa92c643-27ef-4059-b99e-7ceea49d8982","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.55:46496","PortSpecifier":{"PortValue":46496}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.34:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"aa92c643-27ef-4059-b99e-7ceea49d8982","method":"GET","path":"/llm/facebook-opt-125m-simulated/v1/models","host":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-12T19:50:53Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"aa92c643-27ef-4059-b99e-7ceea49d8982","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.55:46496","PortSpecifier":{"PortValue":46496}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.34:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781293853,"nanos":769742690},"http":{"id":"aa92c643-27ef-4059-b99e-7ceea49d8982","method":"GET","headers":{":authority":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local",":method":"GET",":path":"/llm/facebook-opt-125m-simulated/v1/models",":scheme":"https","accept-encoding":"gzip","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-12T19:50:53Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"aa92c643-27ef-4059-b99e-7ceea49d8982","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-H9yCov9v74mo5GFL_m2jteJZlmzepTMF5SmwiTtFZpgNzkhYm8xaOtizbaTX"}
{"level":"debug","ts":"2026-06-12T19:50:53Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"aa92c643-27ef-4059-b99e-7ceea49d8982","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-H9yCov9v74mo5GFL_m2jteJZlmzepTMF5SmwiTtFZpgNzkhYm8xaOtizbaTX\"}"}
{"level":"debug","ts":"2026-06-12T19:50:53Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"aa92c643-27ef-4059-b99e-7ceea49d8982","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-12T19:50:53Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"aa92c643-27ef-4059-b99e-7ceea49d8982","config":"subscription-info","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","headers":{"Content-Type":["application/json"]},"body":"{\"groups\":[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"],\"requestedModel\":\"llm/facebook-opt-125m-simulated\",\"requestedSubscription\":\"simulator-subscription\",\"username\":\"alice_lead\"}"}
{"level":"debug","ts":"2026-06-12T19:50:53Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"aa92c643-27ef-4059-b99e-7ceea49d8982","config":{"Name":"subscription-info","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"UserInfo":null,"UMA":null,"GenericHTTP":{"Endpoint":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","DynamicEndpoint":null,"Method":"POST","Body":{},"Parameters":[],"Headers":[],"ContentType":"application/json","SharedSecret":"","OAuth2":null,"OAuth2TokenForceFetch":false,"AuthCredentials":null}},"object":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}}
{"level":"debug","ts":"2026-06-12T19:50:53Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"aa92c643-27ef-4059-b99e-7ceea49d8982","input":{"auth":{"identity":"Bearer **** subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}}},"context":{"context_extensions":{"host":"3dd75e19cd66d310c30638e330078972afd6d2d96305f91055bc6a6f363fb8d3"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.133.0.34:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local",":method":"GET",":path":"/llm/facebook-opt-125m-simulated/v1/models",":scheme":"https","accept-encoding":"gzip","authorization":"Bearer **** sk-oai-H9yCov9v74mo5GFL_m2jteJZlmzepTMF5SmwiTtFZpgNzkhYm8xaOtizbaTX","user-agent":"Go-http-client/1.1","x-envoy-decorator-operation":"facebook-opt-125m-simulated-kserve-workload-svc.llm.svc.cluster.local:8000/*","x-envoy-external-address":"10.132.0.55","x-envoy-peer-metadata":"ChoKCkNMVVNURVJfSUQSDBoKS3ViZXJuZXRlcwqLAQoGTEFCRUxTEoABKn4KSwofc2VydmljZS5pc3Rpby5pby9jYW5vbmljYWwtbmFtZRIoGiZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAovCiNzZXJ2aWNlLmlzdGlvLmlvL2Nhbm9uaWNhbC1yZXZpc2lvbhIIGgZsYXRlc3QKQAoETkFNRRI4GjZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdC02ODdmZjY5OTYtNmR4eDkKIAoJTkFNRVNQQUNFEhMaEW9wZW5zaGlmdC1pbmdyZXNzCnQKBU9XTkVSEmsaaWt1YmVybmV0ZXM6Ly9hcGlzL2FwcHMvdjEvbmFtZXNwYWNlcy9vcGVuc2hpZnQtaW5ncmVzcy9kZXBsb3ltZW50cy9tYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAo5Cg1XT1JLTE9BRF9OQU1FEigaJm1hYXMtZGVmYXVsdC1nYXRld2F5LW9wZW5zaGlmdC1kZWZhdWx0","x-envoy-peer-metadata-id":"router~10.133.0.34~maas-default-gateway-openshift-default-687ff6996-6dxx9.openshift-ingress~openshift-ingress.svc.cluster.local","x-forwarded-for":"10.132.0.55","x-forwarded-proto":"https","x-maas-subscription":"simulator-subscription","x-request-id":"aa92c643-27ef-4059-b99e-7ceea49d8982"},"host":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local","id":"aa92c643-27ef-4059-b99e-7ceea49d8982","method":"GET","path":"/llm/facebook-opt-125m-simulated/v1/models","protocol":"HTTP/1.1","scheme":"https","time":{"nanos":769742690,"seconds":1781293853},"url_path":"/llm/facebook-opt-125m-simulated/v1/models","user_agent":"Go-http-client/1.1"},"source":{"address":"10.132.0.55:46496","port":46496}}}
{"level":"debug","ts":"2026-06-12T19:50:53Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"aa92c643-27ef-4059-b99e-7ceea49d8982","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-12T19:50:53Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"aa92c643-27ef-4059-b99e-7ceea49d8982","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-12T19:50:53Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"aa92c643-27ef-4059-b99e-7ceea49d8982","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-12T19:50:53Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"aa92c643-27ef-4059-b99e-7ceea49d8982","config":{"Name":"subscription-valid","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-12T19:50:53Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"aa92c643-27ef-4059-b99e-7ceea49d8982","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-12T19:50:53Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"aa92c643-27ef-4059-b99e-7ceea49d8982","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-12T19:50:53Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"aa92c643-27ef-4059-b99e-7ceea49d8982","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"}
{"level":"debug","ts":"2026-06-12T19:50:53Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"aa92c643-27ef-4059-b99e-7ceea49d8982","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"groups","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"userid","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"subscription_error","Value":{}}]},"Plain":null},"object":{"groups":["system:authenticated","Engineering","Project-Alpha"],"groups_str":"system:authenticated,Engineering,Project-Alpha","keyId":"4b8882e4-4bf7-46f6-b452-7fca86222c78","selected_subscription":"simulator-subscription","selected_subscription_key":"models-as-a-service/simulator-subscription@llm/facebook-opt-125m-simulated","subscription_error":"","subscription_error_message":"","subscription_info":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true},"userid":"alice_lead"}}
{"level":"info","ts":"2026-06-12T19:50:53Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"aa92c643-27ef-4059-b99e-7ceea49d8982","authorized":true,"response":"OK"}
{"level":"debug","ts":"2026-06-12T19:50:53Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"aa92c643-27ef-4059-b99e-7ceea49d8982","authorized":true,"response":"OK"}
{"level":"info","ts":"2026-06-12T19:50:53Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"65d2860f-1a52-4a28-b19d-775eeb29b059","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.12:57464","PortSpecifier":{"PortValue":57464}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.34:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"65d2860f-1a52-4a28-b19d-775eeb29b059","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.6dd39c67-6c90-474c-aa84-6bfafaca1ded.prod.konfluxeaas.com","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-12T19:50:53Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"65d2860f-1a52-4a28-b19d-775eeb29b059","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.12:57464","PortSpecifier":{"PortValue":57464}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.34:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781293853,"nanos":860105919},"http":{"id":"65d2860f-1a52-4a28-b19d-775eeb29b059","method":"POST","headers":{":authority":"maas.apps.6dd39c67-6c90-474c-aa84-6bfafaca1ded.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-12T19:50:53Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"65d2860f-1a52-4a28-b19d-775eeb29b059","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781294153,"groups":["Engineering","Project-Alpha"],"iat":1781293853,"iss":"https://keycloak.apps.6dd39c67-6c90-474c-aa84-6bfafaca1ded.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:e49a592d-21d6-0b6a-3aab-e892351ae116","preferred_username":"alice_lead","scope":"profile email","sid":"nBKz4nrCHaFDB2zYuEz1mEql","sub":"4b198563-02d0-4ba8-bb55-d09154fc8a7d","typ":"Bearer"}}
{"level":"debug","ts":"2026-06-12T19:50:53Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"65d2860f-1a52-4a28-b19d-775eeb29b059","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781294153,"groups":["Engineering","Project-Alpha"],"iat":1781293853,"iss":"https://keycloak.apps.6dd39c67-6c90-474c-aa84-6bfafaca1ded.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:e49a592d-21d6-0b6a-3aab-e892351ae116","preferred_username":"alice_lead","scope":"profile email","sid":"nBKz4nrCHaFDB2zYuEz1mEql","sub":"4b198563-02d0-4ba8-bb55-d09154fc8a7d","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.133.0.34:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.6dd39c67-6c90-474c-aa84-6bfafaca1ded.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-12T19:50:53Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"65d2860f-1a52-4a28-b19d-775eeb29b059","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-12T19:50:53Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"65d2860f-1a52-4a28-b19d-775eeb29b059","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-12T19:50:53Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"65d2860f-1a52-4a28-b19d-775eeb29b059","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-12T19:50:53Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"65d2860f-1a52-4a28-b19d-775eeb29b059","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"groups","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"keyId","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"userid","Value":{}}]},"Plain":null},"reason":"no such key: metadata"}
{"level":"debug","ts":"2026-06-12T19:50:53Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"65d2860f-1a52-4a28-b19d-775eeb29b059","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"}
{"level":"debug","ts":"2026-06-12T19:50:53Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"65d2860f-1a52-4a28-b19d-775eeb29b059","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"}
{"level":"info","ts":"2026-06-12T19:50:53Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"65d2860f-1a52-4a28-b19d-775eeb29b059","authorized":true,"response":"OK"}
{"level":"debug","ts":"2026-06-12T19:50:53Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"65d2860f-1a52-4a28-b19d-775eeb29b059","authorized":true,"response":"OK"}