{"level":"info","ts":"2026-06-12T00:11:07Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"35d34d59676c333235d7c9f02273e0380bb39f27cfd30856fedc0f7c0e5f79aa","namespace":"kuadrant-system"}}
{"level":"debug","ts":"2026-06-12T00:11:07Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"b1f82c4ba6cc7617f9c0b90067f72f4a25fdc5de2564c14ccb90af534a2905f6","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"True","lastTransitionTime":"2026-06-12T00:11:07Z","reason":"HostsLinked"},{"type":"Ready","status":"True","lastTransitionTime":"2026-06-12T00:11:07Z","reason":"Reconciled"}],"summary":{"ready":true,"hostsReady":["b1f82c4ba6cc7617f9c0b90067f72f4a25fdc5de2564c14ccb90af534a2905f6"],"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":6,"festivalWristbandEnabled":false}}}
{"level":"info","ts":"2026-06-12T00:11:07Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/331dc257e65f55f80700a586f7807093eda7b3d8e7d91215dc3c47731508480c"}
{"level":"info","ts":"2026-06-12T00:11:07Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"b1f82c4ba6cc7617f9c0b90067f72f4a25fdc5de2564c14ccb90af534a2905f6","namespace":"kuadrant-system"}}
{"level":"debug","ts":"2026-06-12T00:11:07Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"35d34d59676c333235d7c9f02273e0380bb39f27cfd30856fedc0f7c0e5f79aa","namespace":"kuadrant-system"}}
{"level":"debug","ts":"2026-06-12T00:11:07Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"b1f82c4ba6cc7617f9c0b90067f72f4a25fdc5de2564c14ccb90af534a2905f6","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"False","lastTransitionTime":"2026-06-12T00:11:07Z","reason":"HostsNotLinked","message":"No hosts linked to the resource"},{"type":"Ready","status":"False","lastTransitionTime":"2026-06-12T00:11:07Z","reason":"Reconciling"}],"summary":{"ready":false,"hostsReady":[],"numHostsReady":"0/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":6,"festivalWristbandEnabled":false}}}
{"level":"debug","ts":"2026-06-12T00:11:07Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/b1f82c4ba6cc7617f9c0b90067f72f4a25fdc5de2564c14ccb90af534a2905f6","issuerUrl":"https://keycloak.apps.d4c1ac57-9407-48f9-88fe-76e780c7b1ea.prod.konfluxeaas.com/realms/tenant-a"}
{"level":"info","ts":"2026-06-12T00:11:07Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"b1f82c4ba6cc7617f9c0b90067f72f4a25fdc5de2564c14ccb90af534a2905f6","namespace":"kuadrant-system"}}
{"level":"debug","ts":"2026-06-12T00:11:07Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"b1f82c4ba6cc7617f9c0b90067f72f4a25fdc5de2564c14ccb90af534a2905f6","namespace":"kuadrant-system"}}
{"level":"debug","ts":"2026-06-12T00:11:07Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"b1f82c4ba6cc7617f9c0b90067f72f4a25fdc5de2564c14ccb90af534a2905f6","namespace":"kuadrant-system"}}
{"level":"info","ts":"2026-06-12T00:11:07Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/b1f82c4ba6cc7617f9c0b90067f72f4a25fdc5de2564c14ccb90af534a2905f6"}
{"level":"debug","ts":"2026-06-12T00:11:07Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/35d34d59676c333235d7c9f02273e0380bb39f27cfd30856fedc0f7c0e5f79aa","issuerUrl":"https://keycloak.apps.d4c1ac57-9407-48f9-88fe-76e780c7b1ea.prod.konfluxeaas.com/realms/tenant-a"}
{"level":"debug","ts":"2026-06-12T00:11:07Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"b1f82c4ba6cc7617f9c0b90067f72f4a25fdc5de2564c14ccb90af534a2905f6","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"True","lastTransitionTime":"2026-06-12T00:11:07Z","reason":"HostsLinked"},{"type":"Ready","status":"True","lastTransitionTime":"2026-06-12T00:11:07Z","reason":"Reconciled"}],"summary":{"ready":true,"hostsReady":["b1f82c4ba6cc7617f9c0b90067f72f4a25fdc5de2564c14ccb90af534a2905f6"],"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":6,"festivalWristbandEnabled":false}}}
{"level":"info","ts":"2026-06-12T00:11:07Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"b1f82c4ba6cc7617f9c0b90067f72f4a25fdc5de2564c14ccb90af534a2905f6","namespace":"kuadrant-system"}}
{"level":"debug","ts":"2026-06-12T00:11:07Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"3c0d47082320c9bb02d3788ab2b052c696af91abc2ae438437ae71a26936c7c2","namespace":"kuadrant-system"}}
{"level":"info","ts":"2026-06-12T00:11:07Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/35d34d59676c333235d7c9f02273e0380bb39f27cfd30856fedc0f7c0e5f79aa"}
{"level":"debug","ts":"2026-06-12T00:11:07Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"b1f82c4ba6cc7617f9c0b90067f72f4a25fdc5de2564c14ccb90af534a2905f6","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"False","lastTransitionTime":"2026-06-12T00:11:07Z","reason":"HostsNotLinked","message":"No hosts linked to the resource"},{"type":"Ready","status":"False","lastTransitionTime":"2026-06-12T00:11:07Z","reason":"Reconciling"}],"summary":{"ready":false,"hostsReady":[],"numHostsReady":"0/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":6,"festivalWristbandEnabled":false}}}
{"level":"debug","ts":"2026-06-12T00:11:07Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/b1f82c4ba6cc7617f9c0b90067f72f4a25fdc5de2564c14ccb90af534a2905f6","issuerUrl":"https://keycloak.apps.d4c1ac57-9407-48f9-88fe-76e780c7b1ea.prod.konfluxeaas.com/realms/tenant-a"}
{"level":"info","ts":"2026-06-12T00:11:07Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"b1f82c4ba6cc7617f9c0b90067f72f4a25fdc5de2564c14ccb90af534a2905f6","namespace":"kuadrant-system"}}
{"level":"debug","ts":"2026-06-12T00:11:07Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5","namespace":"kuadrant-system"}}
{"level":"debug","ts":"2026-06-12T00:11:07Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"b1f82c4ba6cc7617f9c0b90067f72f4a25fdc5de2564c14ccb90af534a2905f6","namespace":"kuadrant-system"}}
{"level":"debug","ts":"2026-06-12T00:11:07Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"b1f82c4ba6cc7617f9c0b90067f72f4a25fdc5de2564c14ccb90af534a2905f6","namespace":"kuadrant-system"}}
{"level":"info","ts":"2026-06-12T00:11:07Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/b1f82c4ba6cc7617f9c0b90067f72f4a25fdc5de2564c14ccb90af534a2905f6"}
{"level":"debug","ts":"2026-06-12T00:11:07Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/3c0d47082320c9bb02d3788ab2b052c696af91abc2ae438437ae71a26936c7c2","issuerUrl":"https://keycloak.apps.d4c1ac57-9407-48f9-88fe-76e780c7b1ea.prod.konfluxeaas.com/realms/tenant-a"}
{"level":"debug","ts":"2026-06-12T00:11:07Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"b1f82c4ba6cc7617f9c0b90067f72f4a25fdc5de2564c14ccb90af534a2905f6","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"True","lastTransitionTime":"2026-06-12T00:11:07Z","reason":"HostsLinked"},{"type":"Ready","status":"True","lastTransitionTime":"2026-06-12T00:11:07Z","reason":"Reconciled"}],"summary":{"ready":true,"hostsReady":["b1f82c4ba6cc7617f9c0b90067f72f4a25fdc5de2564c14ccb90af534a2905f6"],"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":6,"festivalWristbandEnabled":false}}}
{"level":"info","ts":"2026-06-12T00:11:07Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/3c0d47082320c9bb02d3788ab2b052c696af91abc2ae438437ae71a26936c7c2"}
{"level":"debug","ts":"2026-06-12T00:11:07Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5","issuerUrl":"https://keycloak.apps.d4c1ac57-9407-48f9-88fe-76e780c7b1ea.prod.konfluxeaas.com/realms/tenant-a"}
{"level":"info","ts":"2026-06-12T00:11:07Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"b1f82c4ba6cc7617f9c0b90067f72f4a25fdc5de2564c14ccb90af534a2905f6","namespace":"kuadrant-system"}}
{"level":"debug","ts":"2026-06-12T00:11:07Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"b1f82c4ba6cc7617f9c0b90067f72f4a25fdc5de2564c14ccb90af534a2905f6","namespace":"kuadrant-system"}}
{"level":"info","ts":"2026-06-12T00:11:07Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5"}
{"level":"debug","ts":"2026-06-12T00:11:07Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/b1f82c4ba6cc7617f9c0b90067f72f4a25fdc5de2564c14ccb90af534a2905f6","issuerUrl":"https://keycloak.apps.d4c1ac57-9407-48f9-88fe-76e780c7b1ea.prod.konfluxeaas.com/realms/tenant-a"}
{"level":"info","ts":"2026-06-12T00:11:07Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/b1f82c4ba6cc7617f9c0b90067f72f4a25fdc5de2564c14ccb90af534a2905f6"}
{"level":"debug","ts":"2026-06-12T00:11:07Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"d3b195a61a7f24c6bf1fba40f9f2e2565facb6af92e959c1546ac398a9172618","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"False","lastTransitionTime":"2026-06-12T00:11:07Z","reason":"HostsNotLinked","message":"No hosts linked to the resource"},{"type":"Ready","status":"False","lastTransitionTime":"2026-06-12T00:11:07Z","reason":"Reconciling"}],"summary":{"ready":false,"hostsReady":[],"numHostsReady":"0/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":6,"festivalWristbandEnabled":false}}}
{"level":"debug","ts":"2026-06-12T00:11:07Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/d3b195a61a7f24c6bf1fba40f9f2e2565facb6af92e959c1546ac398a9172618","issuerUrl":"https://keycloak.apps.d4c1ac57-9407-48f9-88fe-76e780c7b1ea.prod.konfluxeaas.com/realms/tenant-a"}
{"level":"info","ts":"2026-06-12T00:11:07Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"d3b195a61a7f24c6bf1fba40f9f2e2565facb6af92e959c1546ac398a9172618","namespace":"kuadrant-system"}}
{"level":"debug","ts":"2026-06-12T00:11:07Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"86cbb62fb4d82d4dc402b3281444539a5625c4bb4c86bbc4912c70e690a2e374","namespace":"kuadrant-system"}}
{"level":"debug","ts":"2026-06-12T00:11:07Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"d3b195a61a7f24c6bf1fba40f9f2e2565facb6af92e959c1546ac398a9172618","namespace":"kuadrant-system"}}
{"level":"info","ts":"2026-06-12T00:11:07Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/d3b195a61a7f24c6bf1fba40f9f2e2565facb6af92e959c1546ac398a9172618"}
{"level":"debug","ts":"2026-06-12T00:11:07Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"d3b195a61a7f24c6bf1fba40f9f2e2565facb6af92e959c1546ac398a9172618","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"True","lastTransitionTime":"2026-06-12T00:11:07Z","reason":"HostsLinked"},{"type":"Ready","status":"True","lastTransitionTime":"2026-06-12T00:11:07Z","reason":"Reconciled"}],"summary":{"ready":true,"hostsReady":["d3b195a61a7f24c6bf1fba40f9f2e2565facb6af92e959c1546ac398a9172618"],"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":6,"festivalWristbandEnabled":false}}}
{"level":"debug","ts":"2026-06-12T00:11:07Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/86cbb62fb4d82d4dc402b3281444539a5625c4bb4c86bbc4912c70e690a2e374","issuerUrl":"https://keycloak.apps.d4c1ac57-9407-48f9-88fe-76e780c7b1ea.prod.konfluxeaas.com/realms/tenant-a"}
{"level":"info","ts":"2026-06-12T00:11:07Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"d3b195a61a7f24c6bf1fba40f9f2e2565facb6af92e959c1546ac398a9172618","namespace":"kuadrant-system"}}
{"level":"debug","ts":"2026-06-12T00:11:07Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"3dd75e19cd66d310c30638e330078972afd6d2d96305f91055bc6a6f363fb8d3","namespace":"kuadrant-system"}}
{"level":"debug","ts":"2026-06-12T00:11:07Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"d3b195a61a7f24c6bf1fba40f9f2e2565facb6af92e959c1546ac398a9172618","namespace":"kuadrant-system"}}
{"level":"info","ts":"2026-06-12T00:11:07Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/86cbb62fb4d82d4dc402b3281444539a5625c4bb4c86bbc4912c70e690a2e374"}
{"level":"debug","ts":"2026-06-12T00:11:07Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/d3b195a61a7f24c6bf1fba40f9f2e2565facb6af92e959c1546ac398a9172618","issuerUrl":"https://keycloak.apps.d4c1ac57-9407-48f9-88fe-76e780c7b1ea.prod.konfluxeaas.com/realms/tenant-a"}
{"level":"debug","ts":"2026-06-12T00:11:07Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"5fea747cb803a5ee3aeb620187bd9ec74ccccd10a92474ef528215a7ff146c8f","namespace":"kuadrant-system"}}
{"level":"info","ts":"2026-06-12T00:11:07Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/d3b195a61a7f24c6bf1fba40f9f2e2565facb6af92e959c1546ac398a9172618"}
{"level":"debug","ts":"2026-06-12T00:11:07Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/3dd75e19cd66d310c30638e330078972afd6d2d96305f91055bc6a6f363fb8d3","issuerUrl":"https://keycloak.apps.d4c1ac57-9407-48f9-88fe-76e780c7b1ea.prod.konfluxeaas.com/realms/tenant-a"}
{"level":"info","ts":"2026-06-12T00:11:07Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/3dd75e19cd66d310c30638e330078972afd6d2d96305f91055bc6a6f363fb8d3"}
{"level":"debug","ts":"2026-06-12T00:11:07Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/5fea747cb803a5ee3aeb620187bd9ec74ccccd10a92474ef528215a7ff146c8f","issuerUrl":"https://keycloak.apps.d4c1ac57-9407-48f9-88fe-76e780c7b1ea.prod.konfluxeaas.com/realms/tenant-a"}
{"level":"debug","ts":"2026-06-12T00:11:07Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"7371c34ce8e4df2309ee8f952c87f921947b289427b6e9ea579dcb9970fc1b86","namespace":"kuadrant-system"}}
{"level":"info","ts":"2026-06-12T00:11:07Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/5fea747cb803a5ee3aeb620187bd9ec74ccccd10a92474ef528215a7ff146c8f"}
{"level":"debug","ts":"2026-06-12T00:11:07Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/7371c34ce8e4df2309ee8f952c87f921947b289427b6e9ea579dcb9970fc1b86","issuerUrl":"https://keycloak.apps.d4c1ac57-9407-48f9-88fe-76e780c7b1ea.prod.konfluxeaas.com/realms/tenant-a"}
{"level":"debug","ts":"2026-06-12T00:11:07Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"9bbfc0b2e9e9acadd41342cd7c36a24afa8a5eef942d161782a6adae8411158a","namespace":"kuadrant-system"}}
{"level":"info","ts":"2026-06-12T00:11:07Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/7371c34ce8e4df2309ee8f952c87f921947b289427b6e9ea579dcb9970fc1b86"}
{"level":"debug","ts":"2026-06-12T00:11:07Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/9bbfc0b2e9e9acadd41342cd7c36a24afa8a5eef942d161782a6adae8411158a","issuerUrl":"https://keycloak.apps.d4c1ac57-9407-48f9-88fe-76e780c7b1ea.prod.konfluxeaas.com/realms/tenant-a"}
{"level":"debug","ts":"2026-06-12T00:11:07Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"cc09b530b46a73b0d4ddb40e465580cff15db19d77e93e4903c9737647deeb1a","namespace":"kuadrant-system"}}
{"level":"debug","ts":"2026-06-12T00:11:07Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"df733b2c652bfe2458c9e19932b1091e939c1a62178d6879462b3b4f73fca4bb","namespace":"kuadrant-system"}}
{"level":"info","ts":"2026-06-12T00:11:07Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/9bbfc0b2e9e9acadd41342cd7c36a24afa8a5eef942d161782a6adae8411158a"}
{"level":"debug","ts":"2026-06-12T00:11:07Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/cc09b530b46a73b0d4ddb40e465580cff15db19d77e93e4903c9737647deeb1a","issuerUrl":"https://keycloak.apps.d4c1ac57-9407-48f9-88fe-76e780c7b1ea.prod.konfluxeaas.com/realms/tenant-a"}
{"level":"debug","ts":"2026-06-12T00:11:07Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"3dc75fc8307b952a3e873400cf417e90f2861e8a225abec4b22708deb7901db7","namespace":"kuadrant-system"}}
{"level":"info","ts":"2026-06-12T00:11:07Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/cc09b530b46a73b0d4ddb40e465580cff15db19d77e93e4903c9737647deeb1a"}
{"level":"debug","ts":"2026-06-12T00:11:07Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/df733b2c652bfe2458c9e19932b1091e939c1a62178d6879462b3b4f73fca4bb","issuerUrl":"https://keycloak.apps.d4c1ac57-9407-48f9-88fe-76e780c7b1ea.prod.konfluxeaas.com/realms/tenant-a"}
{"level":"debug","ts":"2026-06-12T00:11:07Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"4dc577fd60594d78a4a8bebe396f4b5a928f41bdc3f95c06d717cf1ddc3158b2","namespace":"kuadrant-system"}}
{"level":"info","ts":"2026-06-12T00:11:07Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/df733b2c652bfe2458c9e19932b1091e939c1a62178d6879462b3b4f73fca4bb"}
{"level":"debug","ts":"2026-06-12T00:11:07Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/3dc75fc8307b952a3e873400cf417e90f2861e8a225abec4b22708deb7901db7","issuerUrl":"https://keycloak.apps.d4c1ac57-9407-48f9-88fe-76e780c7b1ea.prod.konfluxeaas.com/realms/tenant-a"}
{"level":"debug","ts":"2026-06-12T00:11:07Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"e38d76c6f386f12bc12190c87b39e6e77e182be454f85659a9197c301f2cd9be","namespace":"kuadrant-system"}}
{"level":"info","ts":"2026-06-12T00:11:07Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/3dc75fc8307b952a3e873400cf417e90f2861e8a225abec4b22708deb7901db7"}
{"level":"debug","ts":"2026-06-12T00:11:07Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/4dc577fd60594d78a4a8bebe396f4b5a928f41bdc3f95c06d717cf1ddc3158b2","issuerUrl":"https://keycloak.apps.d4c1ac57-9407-48f9-88fe-76e780c7b1ea.prod.konfluxeaas.com/realms/tenant-a"}
{"level":"debug","ts":"2026-06-12T00:11:07Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"e50f5fdcb9fb7e124557afe69edae9a95d05da488eae1cc4b5c1c7c1220a826a","namespace":"kuadrant-system"}}
{"level":"info","ts":"2026-06-12T00:11:07Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/4dc577fd60594d78a4a8bebe396f4b5a928f41bdc3f95c06d717cf1ddc3158b2"}
{"level":"debug","ts":"2026-06-12T00:11:07Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/e38d76c6f386f12bc12190c87b39e6e77e182be454f85659a9197c301f2cd9be","issuerUrl":"https://keycloak.apps.d4c1ac57-9407-48f9-88fe-76e780c7b1ea.prod.konfluxeaas.com/realms/tenant-a"}
{"level":"debug","ts":"2026-06-12T00:11:07Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"c9f2cdb36f800bc8ef8831e6117ec4c6cc521d8cd63b718b7906225d0f25e59f","namespace":"kuadrant-system"}}
{"level":"info","ts":"2026-06-12T00:11:07Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/e38d76c6f386f12bc12190c87b39e6e77e182be454f85659a9197c301f2cd9be"}
{"level":"debug","ts":"2026-06-12T00:11:07Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/e50f5fdcb9fb7e124557afe69edae9a95d05da488eae1cc4b5c1c7c1220a826a","issuerUrl":"https://keycloak.apps.d4c1ac57-9407-48f9-88fe-76e780c7b1ea.prod.konfluxeaas.com/realms/tenant-a"}
{"level":"debug","ts":"2026-06-12T00:11:07Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"bf72a6316f6ed79299511e58d068836cdc71dbca5e23944f783c9340ffa0aee1","namespace":"kuadrant-system"}}
{"level":"debug","ts":"2026-06-12T00:11:07Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d","namespace":"kuadrant-system"}}
{"level":"info","ts":"2026-06-12T00:11:07Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/e50f5fdcb9fb7e124557afe69edae9a95d05da488eae1cc4b5c1c7c1220a826a"}
{"level":"debug","ts":"2026-06-12T00:11:07Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/c9f2cdb36f800bc8ef8831e6117ec4c6cc521d8cd63b718b7906225d0f25e59f","issuerUrl":"https://keycloak.apps.d4c1ac57-9407-48f9-88fe-76e780c7b1ea.prod.konfluxeaas.com/realms/tenant-a"}
{"level":"debug","ts":"2026-06-12T00:11:07Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"311b1be286674fd5684c9ac59b318287dade9769cfe4aeebd8c88e2dc6b72418","namespace":"kuadrant-system"}}
{"level":"debug","ts":"2026-06-12T00:11:07Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"80f10756c0e833d16937036ed66f1daf5bef95559ef05a5e852766b97b9bdaef","namespace":"kuadrant-system"}}
{"level":"info","ts":"2026-06-12T00:11:07Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/c9f2cdb36f800bc8ef8831e6117ec4c6cc521d8cd63b718b7906225d0f25e59f"}
{"level":"debug","ts":"2026-06-12T00:11:07Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/bf72a6316f6ed79299511e58d068836cdc71dbca5e23944f783c9340ffa0aee1","issuerUrl":"https://keycloak.apps.d4c1ac57-9407-48f9-88fe-76e780c7b1ea.prod.konfluxeaas.com/realms/tenant-a"}
{"level":"info","ts":"2026-06-12T00:11:07Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/bf72a6316f6ed79299511e58d068836cdc71dbca5e23944f783c9340ffa0aee1"}
{"level":"debug","ts":"2026-06-12T00:11:07Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d","issuerUrl":"https://keycloak.apps.d4c1ac57-9407-48f9-88fe-76e780c7b1ea.prod.konfluxeaas.com/realms/tenant-a"}
{"level":"debug","ts":"2026-06-12T00:11:07Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"edcceb5a2e0cf1edde0fc3ed43068ce5b123a6fdc41949959c2c3b7a5a48bf24","namespace":"kuadrant-system"}}
{"level":"info","ts":"2026-06-12T00:11:07Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"}
{"level":"debug","ts":"2026-06-12T00:11:07Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/311b1be286674fd5684c9ac59b318287dade9769cfe4aeebd8c88e2dc6b72418","issuerUrl":"https://keycloak.apps.d4c1ac57-9407-48f9-88fe-76e780c7b1ea.prod.konfluxeaas.com/realms/tenant-a"}
{"level":"info","ts":"2026-06-12T00:11:07Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/311b1be286674fd5684c9ac59b318287dade9769cfe4aeebd8c88e2dc6b72418"}
{"level":"debug","ts":"2026-06-12T00:11:07Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"01918e70442d2cb18c94316131b0e0a241b4a5d12df5b1e1981a3bef420bbdb5","namespace":"kuadrant-system"}}
{"level":"debug","ts":"2026-06-12T00:11:07Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/80f10756c0e833d16937036ed66f1daf5bef95559ef05a5e852766b97b9bdaef","issuerUrl":"https://keycloak.apps.d4c1ac57-9407-48f9-88fe-76e780c7b1ea.prod.konfluxeaas.com/realms/tenant-a"}
{"level":"info","ts":"2026-06-12T00:11:07Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/80f10756c0e833d16937036ed66f1daf5bef95559ef05a5e852766b97b9bdaef"}
{"level":"debug","ts":"2026-06-12T00:11:07Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/edcceb5a2e0cf1edde0fc3ed43068ce5b123a6fdc41949959c2c3b7a5a48bf24","issuerUrl":"https://keycloak.apps.d4c1ac57-9407-48f9-88fe-76e780c7b1ea.prod.konfluxeaas.com/realms/tenant-a"}
{"level":"info","ts":"2026-06-12T00:11:07Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/edcceb5a2e0cf1edde0fc3ed43068ce5b123a6fdc41949959c2c3b7a5a48bf24"}
{"level":"debug","ts":"2026-06-12T00:11:07Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"319a353672fc7601c875fa3f8b807adf60b64f093f022b2a1c3dfef3ac8cd4f4","namespace":"kuadrant-system"}}
{"level":"debug","ts":"2026-06-12T00:11:07Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/01918e70442d2cb18c94316131b0e0a241b4a5d12df5b1e1981a3bef420bbdb5","issuerUrl":"https://keycloak.apps.d4c1ac57-9407-48f9-88fe-76e780c7b1ea.prod.konfluxeaas.com/realms/tenant-a"}
{"level":"info","ts":"2026-06-12T00:11:07Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/01918e70442d2cb18c94316131b0e0a241b4a5d12df5b1e1981a3bef420bbdb5"}
{"level":"debug","ts":"2026-06-12T00:11:07Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/319a353672fc7601c875fa3f8b807adf60b64f093f022b2a1c3dfef3ac8cd4f4","issuerUrl":"https://keycloak.apps.d4c1ac57-9407-48f9-88fe-76e780c7b1ea.prod.konfluxeaas.com/realms/tenant-a"}
{"level":"info","ts":"2026-06-12T00:11:07Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/319a353672fc7601c875fa3f8b807adf60b64f093f022b2a1c3dfef3ac8cd4f4"}
{"level":"info","ts":"2026-06-12T00:11:07Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource de-indexed","authconfig":"kuadrant-system/3efb8e937aa19b5e0bdd0c3eb5b4ece33299385dcfc89205b8934853facbdcf0"}
{"level":"info","ts":"2026-06-12T00:11:07Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource de-indexed","authconfig":"kuadrant-system/2200947db0f3acc41dd3fca21efa06f90c57afddd36d719bdda2dc74a0bd0a11"}
{"level":"info","ts":"2026-06-12T00:11:34Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"ed2b762e-9d9a-4e69-9122-2d942aa2720d","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.14:54724","PortSpecifier":{"PortValue":54724}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.26:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"ed2b762e-9d9a-4e69-9122-2d942aa2720d","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.d4c1ac57-9407-48f9-88fe-76e780c7b1ea.prod.konfluxeaas.com","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-12T00:11:34Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"ed2b762e-9d9a-4e69-9122-2d942aa2720d","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.14:54724","PortSpecifier":{"PortValue":54724}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.26:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781223094,"nanos":618033586},"http":{"id":"ed2b762e-9d9a-4e69-9122-2d942aa2720d","method":"POST","headers":{":authority":"maas.apps.d4c1ac57-9407-48f9-88fe-76e780c7b1ea.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-12T00:11:34Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"ed2b762e-9d9a-4e69-9122-2d942aa2720d","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781223394,"groups":["Engineering","Project-Alpha"],"iat":1781223094,"iss":"https://keycloak.apps.d4c1ac57-9407-48f9-88fe-76e780c7b1ea.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:9dfd8f85-8a03-cfed-0f4c-9feff43b4718","preferred_username":"alice_lead","scope":"profile email","sid":"F9Fj-M8peA5AwE6PQ6SGWltJ","sub":"40e1aa09-b4ed-4579-a187-de3e3ddf1260","typ":"Bearer"}}
{"level":"debug","ts":"2026-06-12T00:11:34Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"ed2b762e-9d9a-4e69-9122-2d942aa2720d","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781223394,"groups":["Engineering","Project-Alpha"],"iat":1781223094,"iss":"https://keycloak.apps.d4c1ac57-9407-48f9-88fe-76e780c7b1ea.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:9dfd8f85-8a03-cfed-0f4c-9feff43b4718","preferred_username":"alice_lead","scope":"profile email","sid":"F9Fj-M8peA5AwE6PQ6SGWltJ","sub":"40e1aa09-b4ed-4579-a187-de3e3ddf1260","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.132.0.26:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.d4c1ac57-9407-48f9-88fe-76e780c7b1ea.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-12T00:11:34Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"ed2b762e-9d9a-4e69-9122-2d942aa2720d","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-12T00:11:34Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"ed2b762e-9d9a-4e69-9122-2d942aa2720d","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-12T00:11:34Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"ed2b762e-9d9a-4e69-9122-2d942aa2720d","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-12T00:11:34Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"ed2b762e-9d9a-4e69-9122-2d942aa2720d","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"groups_str","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"userid","Value":{}},{"Name":"groups","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_info","Value":{}}]},"Plain":null},"reason":"no such key: metadata"}
{"level":"debug","ts":"2026-06-12T00:11:34Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"ed2b762e-9d9a-4e69-9122-2d942aa2720d","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"}
{"level":"debug","ts":"2026-06-12T00:11:34Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"ed2b762e-9d9a-4e69-9122-2d942aa2720d","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"}
{"level":"info","ts":"2026-06-12T00:11:34Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"ed2b762e-9d9a-4e69-9122-2d942aa2720d","authorized":true,"response":"OK"}
{"level":"debug","ts":"2026-06-12T00:11:34Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"ed2b762e-9d9a-4e69-9122-2d942aa2720d","authorized":true,"response":"OK"}
{"level":"info","ts":"2026-06-12T00:11:34Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"4385a052-bd1f-4442-b873-a286a8c2300e","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.14:47350","PortSpecifier":{"PortValue":47350}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.26:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"4385a052-bd1f-4442-b873-a286a8c2300e","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.d4c1ac57-9407-48f9-88fe-76e780c7b1ea.prod.konfluxeaas.com","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-12T00:11:34Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"4385a052-bd1f-4442-b873-a286a8c2300e","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.14:47350","PortSpecifier":{"PortValue":47350}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.26:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781223094,"nanos":737874921},"http":{"id":"4385a052-bd1f-4442-b873-a286a8c2300e","method":"POST","headers":{":authority":"maas.apps.d4c1ac57-9407-48f9-88fe-76e780c7b1ea.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-12T00:11:34Z","logger":"authorino.service.auth.authpipeline.identity","msg":"cannot validate identity","request id":"4385a052-bd1f-4442-b873-a286a8c2300e","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"reason":"failed to verify signature: failed to verify id token signature"}
{"level":"debug","ts":"2026-06-12T00:11:34Z","logger":"authorino.service.auth.authpipeline.identity.kubernetesauth","msg":"calling kubernetes token review api","request id":"4385a052-bd1f-4442-b873-a286a8c2300e","tokenreview":{"name":""}}
{"level":"debug","ts":"2026-06-12T00:11:34Z","logger":"authorino.service.auth.authpipeline.identity","msg":"cannot validate identity","request id":"4385a052-bd1f-4442-b873-a286a8c2300e","config":{"Name":"openshift-identities","Priority":2,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":null,"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"Plain":null,"Noop":null,"ExtendedProperties":[]},"reason":"not authenticated"}
{"level":"info","ts":"2026-06-12T00:11:34Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"4385a052-bd1f-4442-b873-a286a8c2300e","authorized":false,"response":"UNAUTHENTICATED","object":{"code":16,"status":401,"message":"Authentication required"}}
{"level":"debug","ts":"2026-06-12T00:11:34Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"4385a052-bd1f-4442-b873-a286a8c2300e","authorized":false,"response":"UNAUTHENTICATED","object":{"code":16,"status":401,"message":"Authentication required","headers":[{"WWW-Authenticate":"Bearer **** realm=\"api-keys\""},{"WWW-Authenticate":"Bearer ****
{"level":"info","ts":"2026-06-12T00:11:34Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"216b54fb-3645-4484-93cf-f212f29a5fc0","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.14:47354","PortSpecifier":{"PortValue":47354}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.26:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"216b54fb-3645-4484-93cf-f212f29a5fc0","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.d4c1ac57-9407-48f9-88fe-76e780c7b1ea.prod.konfluxeaas.com","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-12T00:11:34Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"216b54fb-3645-4484-93cf-f212f29a5fc0","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.14:47354","PortSpecifier":{"PortValue":47354}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.26:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781223094,"nanos":779802989},"http":{"id":"216b54fb-3645-4484-93cf-f212f29a5fc0","method":"POST","headers":{":authority":"maas.apps.d4c1ac57-9407-48f9-88fe-76e780c7b1ea.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer","content-length":"35","content-type":"application/json","forwarded":"for=52.71.36.72;host=maas.apps.d4c1ac57-9407-48f9-88fe-76e780c7b1ea.prod.konfluxeaas.com;proto=https","user-agent":"python-requests/2.32.5","x-envoy-decorator-operation":"maas-api.opendatahub.svc.cluster.local:8443/*","x-envoy-external-address":"10.133.0.14","x-envoy-peer-metadata":"ChoKCkNMVVNURVJfSUQSDBoKS3ViZXJuZXRlcwqLAQoGTEFCRUxTEoABKn4KSwofc2VydmljZS5pc3Rpby5pby9jYW5vbmljYWwtbmFtZRIoGiZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAovCiNzZXJ2aWNlLmlzdGlvLmlvL2Nhbm9uaWNhbC1yZXZpc2lvbhIIGgZsYXRlc3QKQQoETkFNRRI5GjdtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdC04NTU5Y2Q1NzQ0LTV0cjd0CiAKCU5BTUVTUEFDRRITGhFvcGVuc2hpZnQtaW5ncmVzcwp0CgVPV05FUhJrGmlrdWJlcm5ldGVzOi8vYXBpcy9hcHBzL3YxL25hbWVzcGFjZXMvb3BlbnNoaWZ0LWluZ3Jlc3MvZGVwbG95bWVudHMvbWFhcy1kZWZhdWx0LWdhdGV3YXktb3BlbnNoaWZ0LWRlZmF1bHQKOQoNV09SS0xPQURfTkFNRRIoGiZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdA==","x-envoy-peer-metadata-id":"router~10.132.0.26~maas-default-gateway-openshift-default-8559cd5744-5tr7t.openshift-ingress~openshift-ingress.svc.cluster.local","x-forwarded-for":"52.71.36.72,10.133.0.14","x-forwarded-host":"maas.apps.d4c1ac57-9407-48f9-88fe-76e780c7b1ea.prod.konfluxeaas.com","x-forwarded-port":"443","x-forwarded-proto":"https","x-request-id":"216b54fb-3645-4484-93cf-f212f29a5fc0"},"path":"/maas-api/v1/api-keys","host":"maas.apps.d4c1ac57-9407-48f9-88fe-76e780c7b1ea.prod.konfluxeaas.com","scheme":"https","protocol":"HTTP/1.1"}},"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"metadata_context":{}}}
{"level":"debug","ts":"2026-06-12T00:11:34Z","logger":"authorino.service.auth.authpipeline.identity","msg":"cannot validate identity","request id":"216b54fb-3645-4484-93cf-f212f29a5fc0","config":{"Name":"openshift-identities","Priority":2,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":null,"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"Plain":null,"Noop":null,"ExtendedProperties":[]},"reason":"credential not found"}
{"level":"info","ts":"2026-06-12T00:11:34Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"216b54fb-3645-4484-93cf-f212f29a5fc0","authorized":false,"response":"UNAUTHENTICATED","object":{"code":16,"status":401,"message":"Authentication required"}}
{"level":"debug","ts":"2026-06-12T00:11:34Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"216b54fb-3645-4484-93cf-f212f29a5fc0","authorized":false,"response":"UNAUTHENTICATED","object":{"code":16,"status":401,"message":"Authentication required","headers":[{"WWW-Authenticate":"Bearer **** realm=\"api-keys\""},{"WWW-Authenticate":"Bearer ****
{"level":"info","ts":"2026-06-12T00:11:34Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"43869286-c170-43cd-8be6-348490dbd665","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.14:47366","PortSpecifier":{"PortValue":47366}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.26:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"43869286-c170-43cd-8be6-348490dbd665","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.d4c1ac57-9407-48f9-88fe-76e780c7b1ea.prod.konfluxeaas.com","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-12T00:11:34Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"43869286-c170-43cd-8be6-348490dbd665","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.14:47366","PortSpecifier":{"PortValue":47366}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.26:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781223094,"nanos":808192000},"http":{"id":"43869286-c170-43cd-8be6-348490dbd665","method":"POST","headers":{":authority":"maas.apps.d4c1ac57-9407-48f9-88fe-76e780c7b1ea.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","content-length":"36","content-type":"application/json","forwarded":"for=52.71.36.72;host=maas.apps.d4c1ac57-9407-48f9-88fe-76e780c7b1ea.prod.konfluxeaas.com;proto=https","user-agent":"python-requests/2.32.5","x-envoy-decorator-operation":"maas-api.opendatahub.svc.cluster.local:8443/*","x-envoy-external-address":"10.133.0.14","x-envoy-peer-metadata":"ChoKCkNMVVNURVJfSUQSDBoKS3ViZXJuZXRlcwqLAQoGTEFCRUxTEoABKn4KSwofc2VydmljZS5pc3Rpby5pby9jYW5vbmljYWwtbmFtZRIoGiZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAovCiNzZXJ2aWNlLmlzdGlvLmlvL2Nhbm9uaWNhbC1yZXZpc2lvbhIIGgZsYXRlc3QKQQoETkFNRRI5GjdtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdC04NTU5Y2Q1NzQ0LTV0cjd0CiAKCU5BTUVTUEFDRRITGhFvcGVuc2hpZnQtaW5ncmVzcwp0CgVPV05FUhJrGmlrdWJlcm5ldGVzOi8vYXBpcy9hcHBzL3YxL25hbWVzcGFjZXMvb3BlbnNoaWZ0LWluZ3Jlc3MvZGVwbG95bWVudHMvbWFhcy1kZWZhdWx0LWdhdGV3YXktb3BlbnNoaWZ0LWRlZmF1bHQKOQoNV09SS0xPQURfTkFNRRIoGiZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdA==","x-envoy-peer-metadata-id":"router~10.132.0.26~maas-default-gateway-openshift-default-8559cd5744-5tr7t.openshift-ingress~openshift-ingress.svc.cluster.local","x-forwarded-for":"52.71.36.72,10.133.0.14","x-forwarded-host":"maas.apps.d4c1ac57-9407-48f9-88fe-76e780c7b1ea.prod.konfluxeaas.com","x-forwarded-port":"443","x-forwarded-proto":"https","x-request-id":"43869286-c170-43cd-8be6-348490dbd665"},"path":"/maas-api/v1/api-keys","host":"maas.apps.d4c1ac57-9407-48f9-88fe-76e780c7b1ea.prod.konfluxeaas.com","scheme":"https","protocol":"HTTP/1.1"}},"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"metadata_context":{}}}
{"level":"info","ts":"2026-06-12T00:11:34Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"43869286-c170-43cd-8be6-348490dbd665","authorized":false,"response":"UNAUTHENTICATED","object":{"code":16,"status":401,"message":"Authentication required"}}
{"level":"debug","ts":"2026-06-12T00:11:34Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"43869286-c170-43cd-8be6-348490dbd665","authorized":false,"response":"UNAUTHENTICATED","object":{"code":16,"status":401,"message":"Authentication required","headers":[{"WWW-Authenticate":"Bearer **** realm=\"api-keys\""},{"WWW-Authenticate":"Bearer ****
{"level":"info","ts":"2026-06-12T00:11:35Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"e2a0bac0-2bd5-4dd3-8051-7a5c4537f144","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.14:47378","PortSpecifier":{"PortValue":47378}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.26:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"e2a0bac0-2bd5-4dd3-8051-7a5c4537f144","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.d4c1ac57-9407-48f9-88fe-76e780c7b1ea.prod.konfluxeaas.com","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-12T00:11:35Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"e2a0bac0-2bd5-4dd3-8051-7a5c4537f144","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.14:47378","PortSpecifier":{"PortValue":47378}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.26:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781223095,"nanos":179120792},"http":{"id":"e2a0bac0-2bd5-4dd3-8051-7a5c4537f144","method":"POST","headers":{":authority":"maas.apps.d4c1ac57-9407-48f9-88fe-76e780c7b1ea.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-12T00:11:35Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"e2a0bac0-2bd5-4dd3-8051-7a5c4537f144","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781223395,"groups":["Site-Reliability"],"iat":1781223095,"iss":"https://keycloak.apps.d4c1ac57-9407-48f9-88fe-76e780c7b1ea.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:ecada325-b100-0083-d0c2-ff42f430bd28","preferred_username":"bob_sre","scope":"profile email","sid":"NTUip0dYtHJL4cfiRt1JnksD","sub":"8f2bcf33-56f2-44fb-b197-22976261e0ba","typ":"Bearer"}}
{"level":"debug","ts":"2026-06-12T00:11:35Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"e2a0bac0-2bd5-4dd3-8051-7a5c4537f144","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781223395,"groups":["Site-Reliability"],"iat":1781223095,"iss":"https://keycloak.apps.d4c1ac57-9407-48f9-88fe-76e780c7b1ea.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:ecada325-b100-0083-d0c2-ff42f430bd28","preferred_username":"bob_sre","scope":"profile email","sid":"NTUip0dYtHJL4cfiRt1JnksD","sub":"8f2bcf33-56f2-44fb-b197-22976261e0ba","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.132.0.26:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.d4c1ac57-9407-48f9-88fe-76e780c7b1ea.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-12T00:11:35Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"e2a0bac0-2bd5-4dd3-8051-7a5c4537f144","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-12T00:11:35Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"e2a0bac0-2bd5-4dd3-8051-7a5c4537f144","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-12T00:11:35Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"e2a0bac0-2bd5-4dd3-8051-7a5c4537f144","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-12T00:11:35Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"e2a0bac0-2bd5-4dd3-8051-7a5c4537f144","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"groups_str","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"userid","Value":{}},{"Name":"groups","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_info","Value":{}}]},"Plain":null},"reason":"no such key: metadata"}
{"level":"debug","ts":"2026-06-12T00:11:35Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"e2a0bac0-2bd5-4dd3-8051-7a5c4537f144","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"bob_sre"}
{"level":"debug","ts":"2026-06-12T00:11:35Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"e2a0bac0-2bd5-4dd3-8051-7a5c4537f144","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Site-Reliability\"]"}
{"level":"info","ts":"2026-06-12T00:11:35Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"e2a0bac0-2bd5-4dd3-8051-7a5c4537f144","authorized":true,"response":"OK"}
{"level":"debug","ts":"2026-06-12T00:11:35Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"e2a0bac0-2bd5-4dd3-8051-7a5c4537f144","authorized":true,"response":"OK"}
{"level":"info","ts":"2026-06-12T00:11:35Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"f5fe1f10-e5e1-472d-93dc-ccfb558c75b2","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.14:47388","PortSpecifier":{"PortValue":47388}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.26:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"f5fe1f10-e5e1-472d-93dc-ccfb558c75b2","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.d4c1ac57-9407-48f9-88fe-76e780c7b1ea.prod.konfluxeaas.com","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-12T00:11:35Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"f5fe1f10-e5e1-472d-93dc-ccfb558c75b2","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.14:47388","PortSpecifier":{"PortValue":47388}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.26:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781223095,"nanos":401651536},"http":{"id":"f5fe1f10-e5e1-472d-93dc-ccfb558c75b2","method":"POST","headers":{":authority":"maas.apps.d4c1ac57-9407-48f9-88fe-76e780c7b1ea.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-12T00:11:35Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"f5fe1f10-e5e1-472d-93dc-ccfb558c75b2","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781223395,"groups":["Engineering","Project-Alpha"],"iat":1781223095,"iss":"https://keycloak.apps.d4c1ac57-9407-48f9-88fe-76e780c7b1ea.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:a986bc13-b6d4-4ad5-159f-ddb0134e0a67","preferred_username":"alice_lead","scope":"profile email","sid":"7bpNEuAMzbgmdQip4dSkv7Sw","sub":"40e1aa09-b4ed-4579-a187-de3e3ddf1260","typ":"Bearer"}}
{"level":"debug","ts":"2026-06-12T00:11:35Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"f5fe1f10-e5e1-472d-93dc-ccfb558c75b2","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781223395,"groups":["Engineering","Project-Alpha"],"iat":1781223095,"iss":"https://keycloak.apps.d4c1ac57-9407-48f9-88fe-76e780c7b1ea.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:a986bc13-b6d4-4ad5-159f-ddb0134e0a67","preferred_username":"alice_lead","scope":"profile email","sid":"7bpNEuAMzbgmdQip4dSkv7Sw","sub":"40e1aa09-b4ed-4579-a187-de3e3ddf1260","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.132.0.26:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.d4c1ac57-9407-48f9-88fe-76e780c7b1ea.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-12T00:11:35Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"f5fe1f10-e5e1-472d-93dc-ccfb558c75b2","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-12T00:11:35Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"f5fe1f10-e5e1-472d-93dc-ccfb558c75b2","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-12T00:11:35Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"f5fe1f10-e5e1-472d-93dc-ccfb558c75b2","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-12T00:11:35Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"f5fe1f10-e5e1-472d-93dc-ccfb558c75b2","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"groups_str","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"userid","Value":{}},{"Name":"groups","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_info","Value":{}}]},"Plain":null},"reason":"no such key: metadata"}
{"level":"debug","ts":"2026-06-12T00:11:35Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"f5fe1f10-e5e1-472d-93dc-ccfb558c75b2","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"}
{"level":"debug","ts":"2026-06-12T00:11:35Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"f5fe1f10-e5e1-472d-93dc-ccfb558c75b2","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"}
{"level":"info","ts":"2026-06-12T00:11:35Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"f5fe1f10-e5e1-472d-93dc-ccfb558c75b2","authorized":true,"response":"OK"}
{"level":"debug","ts":"2026-06-12T00:11:35Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"f5fe1f10-e5e1-472d-93dc-ccfb558c75b2","authorized":true,"response":"OK"}
{"level":"info","ts":"2026-06-12T00:11:35Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"70469636-4116-4b08-a14e-b4437c04f18b","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.14:47390","PortSpecifier":{"PortValue":47390}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.26:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"70469636-4116-4b08-a14e-b4437c04f18b","method":"GET","path":"/maas-api/v1/models","host":"maas.apps.d4c1ac57-9407-48f9-88fe-76e780c7b1ea.prod.konfluxeaas.com","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-12T00:11:35Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"70469636-4116-4b08-a14e-b4437c04f18b","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.14:47390","PortSpecifier":{"PortValue":47390}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.26:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781223095,"nanos":437136960},"http":{"id":"70469636-4116-4b08-a14e-b4437c04f18b","method":"GET","headers":{":authority":"maas.apps.d4c1ac57-9407-48f9-88fe-76e780c7b1ea.prod.konfluxeaas.com",":method":"GET",":path":"/maas-api/v1/models",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-12T00:11:35Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"70469636-4116-4b08-a14e-b4437c04f18b","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-1USEHRyDL8yfsXFsK_VfKpl7igIJlThCgTmetp1e6IOFoGioY9yBmVNJxRWTQ"}
{"level":"debug","ts":"2026-06-12T00:11:35Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"70469636-4116-4b08-a14e-b4437c04f18b","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-1USEHRyDL8yfsXFsK_VfKpl7igIJlThCgTmetp1e6IOFoGioY9yBmVNJxRWTQ\"}"}
{"level":"debug","ts":"2026-06-12T00:11:35Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"70469636-4116-4b08-a14e-b4437c04f18b","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-12T00:11:35Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"70469636-4116-4b08-a14e-b4437c04f18b","input":{"auth":{"identity":"Bearer **** deflate","authorization":"Bearer **** deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-12T00:11:35Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"70469636-4116-4b08-a14e-b4437c04f18b","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-12T00:11:35Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"70469636-4116-4b08-a14e-b4437c04f18b","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-12T00:11:35Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"70469636-4116-4b08-a14e-b4437c04f18b","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-12T00:11:35Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"70469636-4116-4b08-a14e-b4437c04f18b","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-12T00:11:35Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"70469636-4116-4b08-a14e-b4437c04f18b","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-12T00:11:35Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"70469636-4116-4b08-a14e-b4437c04f18b","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"groups_str","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"userid","Value":{}},{"Name":"groups","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_info","Value":{}}]},"Plain":null},"reason":"no such key: subscription-info"}
{"level":"debug","ts":"2026-06-12T00:11:35Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"70469636-4116-4b08-a14e-b4437c04f18b","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"}
{"level":"info","ts":"2026-06-12T00:11:35Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"70469636-4116-4b08-a14e-b4437c04f18b","authorized":true,"response":"OK"}
{"level":"debug","ts":"2026-06-12T00:11:35Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"70469636-4116-4b08-a14e-b4437c04f18b","authorized":true,"response":"OK"}
{"level":"info","ts":"2026-06-12T00:11:35Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"7c850102-7f88-4a14-af2c-950dc5fc7009","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.30:48282","PortSpecifier":{"PortValue":48282}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.26:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"7c850102-7f88-4a14-af2c-950dc5fc7009","method":"GET","path":"/llm/facebook-opt-125m-simulated/v1/models","host":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-12T00:11:35Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"7c850102-7f88-4a14-af2c-950dc5fc7009","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.30:48282","PortSpecifier":{"PortValue":48282}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.26:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781223095,"nanos":463723501},"http":{"id":"7c850102-7f88-4a14-af2c-950dc5fc7009","method":"GET","headers":{":authority":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local",":method":"GET",":path":"/llm/facebook-opt-125m-simulated/v1/models",":scheme":"https","accept-encoding":"gzip","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-12T00:11:35Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"7c850102-7f88-4a14-af2c-950dc5fc7009","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-1USEHRyDL8yfsXFsK_VfKpl7igIJlThCgTmetp1e6IOFoGioY9yBmVNJxRWTQ"}
{"level":"debug","ts":"2026-06-12T00:11:35Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"7c850102-7f88-4a14-af2c-950dc5fc7009","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-1USEHRyDL8yfsXFsK_VfKpl7igIJlThCgTmetp1e6IOFoGioY9yBmVNJxRWTQ\"}"}
{"level":"debug","ts":"2026-06-12T00:11:35Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"7c850102-7f88-4a14-af2c-950dc5fc7009","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-12T00:11:35Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"7c850102-7f88-4a14-af2c-950dc5fc7009","config":"subscription-info","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","headers":{"Content-Type":["application/json"]},"body":"{\"groups\":[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"],\"requestedModel\":\"llm/facebook-opt-125m-simulated\",\"requestedSubscription\":\"simulator-subscription\",\"username\":\"alice_lead\"}"}
{"level":"debug","ts":"2026-06-12T00:11:35Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"7c850102-7f88-4a14-af2c-950dc5fc7009","config":{"Name":"subscription-info","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"UserInfo":null,"UMA":null,"GenericHTTP":{"Endpoint":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","DynamicEndpoint":null,"Method":"POST","Body":{},"Parameters":[],"Headers":[],"ContentType":"application/json","SharedSecret":"","OAuth2":null,"OAuth2TokenForceFetch":false,"AuthCredentials":null}},"object":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}}
{"level":"debug","ts":"2026-06-12T00:11:35Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"7c850102-7f88-4a14-af2c-950dc5fc7009","input":{"auth":{"identity":"Bearer **** subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}}},"context":{"context_extensions":{"host":"3dd75e19cd66d310c30638e330078972afd6d2d96305f91055bc6a6f363fb8d3"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.132.0.26:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local",":method":"GET",":path":"/llm/facebook-opt-125m-simulated/v1/models",":scheme":"https","accept-encoding":"gzip","authorization":"Bearer **** sk-oai-1USEHRyDL8yfsXFsK_VfKpl7igIJlThCgTmetp1e6IOFoGioY9yBmVNJxRWTQ","user-agent":"Go-http-client/1.1","x-envoy-decorator-operation":"facebook-opt-125m-simulated-kserve-workload-svc.llm.svc.cluster.local:8000/*","x-envoy-external-address":"10.134.0.30","x-envoy-peer-metadata":"ChoKCkNMVVNURVJfSUQSDBoKS3ViZXJuZXRlcwqLAQoGTEFCRUxTEoABKn4KSwofc2VydmljZS5pc3Rpby5pby9jYW5vbmljYWwtbmFtZRIoGiZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAovCiNzZXJ2aWNlLmlzdGlvLmlvL2Nhbm9uaWNhbC1yZXZpc2lvbhIIGgZsYXRlc3QKQQoETkFNRRI5GjdtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdC04NTU5Y2Q1NzQ0LTV0cjd0CiAKCU5BTUVTUEFDRRITGhFvcGVuc2hpZnQtaW5ncmVzcwp0CgVPV05FUhJrGmlrdWJlcm5ldGVzOi8vYXBpcy9hcHBzL3YxL25hbWVzcGFjZXMvb3BlbnNoaWZ0LWluZ3Jlc3MvZGVwbG95bWVudHMvbWFhcy1kZWZhdWx0LWdhdGV3YXktb3BlbnNoaWZ0LWRlZmF1bHQKOQoNV09SS0xPQURfTkFNRRIoGiZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdA==","x-envoy-peer-metadata-id":"router~10.132.0.26~maas-default-gateway-openshift-default-8559cd5744-5tr7t.openshift-ingress~openshift-ingress.svc.cluster.local","x-forwarded-for":"10.134.0.30","x-forwarded-proto":"https","x-maas-subscription":"simulator-subscription","x-request-id":"7c850102-7f88-4a14-af2c-950dc5fc7009"},"host":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local","id":"7c850102-7f88-4a14-af2c-950dc5fc7009","method":"GET","path":"/llm/facebook-opt-125m-simulated/v1/models","protocol":"HTTP/1.1","scheme":"https","time":{"nanos":463723501,"seconds":1781223095},"url_path":"/llm/facebook-opt-125m-simulated/v1/models","user_agent":"Go-http-client/1.1"},"source":{"address":"10.134.0.30:48282","port":48282}}}
{"level":"debug","ts":"2026-06-12T00:11:35Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"7c850102-7f88-4a14-af2c-950dc5fc7009","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-12T00:11:35Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"7c850102-7f88-4a14-af2c-950dc5fc7009","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-12T00:11:35Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"7c850102-7f88-4a14-af2c-950dc5fc7009","config":{"Name":"subscription-valid","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-12T00:11:35Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"7c850102-7f88-4a14-af2c-950dc5fc7009","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-12T00:11:35Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"7c850102-7f88-4a14-af2c-950dc5fc7009","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-12T00:11:35Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"7c850102-7f88-4a14-af2c-950dc5fc7009","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-12T00:11:35Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"7c850102-7f88-4a14-af2c-950dc5fc7009","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"}
{"level":"debug","ts":"2026-06-12T00:11:35Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"7c850102-7f88-4a14-af2c-950dc5fc7009","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"subscription_error","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"userid","Value":{}},{"Name":"groups","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription","Value":{}}]},"Plain":null},"object":{"groups":["system:authenticated","Engineering","Project-Alpha"],"groups_str":"system:authenticated,Engineering,Project-Alpha","keyId":"fb808695-5f5d-4a9b-bdc3-2826a18841ce","selected_subscription":"simulator-subscription","selected_subscription_key":"models-as-a-service/simulator-subscription@llm/facebook-opt-125m-simulated","subscription_error":"","subscription_error_message":"","subscription_info":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true},"userid":"alice_lead"}}
{"level":"info","ts":"2026-06-12T00:11:35Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"7c850102-7f88-4a14-af2c-950dc5fc7009","authorized":true,"response":"OK"}
{"level":"debug","ts":"2026-06-12T00:11:35Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"7c850102-7f88-4a14-af2c-950dc5fc7009","authorized":true,"response":"OK"}
{"level":"info","ts":"2026-06-12T00:11:35Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"8e5b7123-245f-43ea-88d7-e62da8dafaa0","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.14:47402","PortSpecifier":{"PortValue":47402}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.26:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"8e5b7123-245f-43ea-88d7-e62da8dafaa0","method":"POST","path":"/llm/facebook-opt-125m-simulated/v1/chat/completions","host":"maas.apps.d4c1ac57-9407-48f9-88fe-76e780c7b1ea.prod.konfluxeaas.com","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-12T00:11:35Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"8e5b7123-245f-43ea-88d7-e62da8dafaa0","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.14:47402","PortSpecifier":{"PortValue":47402}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.26:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781223095,"nanos":501498611},"http":{"id":"8e5b7123-245f-43ea-88d7-e62da8dafaa0","method":"POST","headers":{":authority":"maas.apps.d4c1ac57-9407-48f9-88fe-76e780c7b1ea.prod.konfluxeaas.com",":method":"POST",":path":"/llm/facebook-opt-125m-simulated/v1/chat/completions",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-12T00:11:35Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"8e5b7123-245f-43ea-88d7-e62da8dafaa0","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-1USEHRyDL8yfsXFsK_VfKpl7igIJlThCgTmetp1e6IOFoGioY9yBmVNJxRWTQ"}
{"level":"debug","ts":"2026-06-12T00:11:35Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"8e5b7123-245f-43ea-88d7-e62da8dafaa0","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-1USEHRyDL8yfsXFsK_VfKpl7igIJlThCgTmetp1e6IOFoGioY9yBmVNJxRWTQ\"}"}
{"level":"debug","ts":"2026-06-12T00:11:35Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"8e5b7123-245f-43ea-88d7-e62da8dafaa0","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-12T00:11:35Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"8e5b7123-245f-43ea-88d7-e62da8dafaa0","config":"subscription-info","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","headers":{"Content-Type":["application/json"]},"body":"{\"groups\":[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"],\"requestedModel\":\"llm/facebook-opt-125m-simulated\",\"requestedSubscription\":\"simulator-subscription\",\"username\":\"alice_lead\"}"}
{"level":"debug","ts":"2026-06-12T00:11:35Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"8e5b7123-245f-43ea-88d7-e62da8dafaa0","config":{"Name":"subscription-info","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"UserInfo":null,"UMA":null,"GenericHTTP":{"Endpoint":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","DynamicEndpoint":null,"Method":"POST","Body":{},"Parameters":[],"Headers":[],"ContentType":"application/json","SharedSecret":"","OAuth2":null,"OAuth2TokenForceFetch":false,"AuthCredentials":null}},"object":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}}
{"level":"debug","ts":"2026-06-12T00:11:35Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"8e5b7123-245f-43ea-88d7-e62da8dafaa0","input":{"auth":{"identity":"Bearer **** subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}}},"context":{"context_extensions":{"host":"18e32965997cdd9967355c6fa5264ed12c0a215989d459ed88d7d6de02865f76"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.132.0.26:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.d4c1ac57-9407-48f9-88fe-76e780c7b1ea.prod.konfluxeaas.com",":method":"POST",":path":"/llm/facebook-opt-125m-simulated/v1/chat/completions",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-12T00:11:35Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"8e5b7123-245f-43ea-88d7-e62da8dafaa0","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-12T00:11:35Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"8e5b7123-245f-43ea-88d7-e62da8dafaa0","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-12T00:11:35Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"8e5b7123-245f-43ea-88d7-e62da8dafaa0","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-12T00:11:35Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"8e5b7123-245f-43ea-88d7-e62da8dafaa0","config":{"Name":"subscription-valid","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-12T00:11:35Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"8e5b7123-245f-43ea-88d7-e62da8dafaa0","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-12T00:11:35Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"8e5b7123-245f-43ea-88d7-e62da8dafaa0","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-12T00:11:35Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"8e5b7123-245f-43ea-88d7-e62da8dafaa0","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"}
{"level":"debug","ts":"2026-06-12T00:11:35Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"8e5b7123-245f-43ea-88d7-e62da8dafaa0","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"subscription_error","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"userid","Value":{}},{"Name":"groups","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription_key","Value":{}}]},"Plain":null},"object":{"groups":["system:authenticated","Engineering","Project-Alpha"],"groups_str":"system:authenticated,Engineering,Project-Alpha","keyId":"fb808695-5f5d-4a9b-bdc3-2826a18841ce","selected_subscription":"simulator-subscription","selected_subscription_key":"models-as-a-service/simulator-subscription@llm/facebook-opt-125m-simulated","subscription_error":"","subscription_error_message":"","subscription_info":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true},"userid":"alice_lead"}}
{"level":"info","ts":"2026-06-12T00:11:35Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"8e5b7123-245f-43ea-88d7-e62da8dafaa0","authorized":true,"response":"OK"}
{"level":"debug","ts":"2026-06-12T00:11:35Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"8e5b7123-245f-43ea-88d7-e62da8dafaa0","authorized":true,"response":"OK"}
{"level":"info","ts":"2026-06-12T00:11:35Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"c7a2845e-421a-4aca-a217-8be4f0596925","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.14:47414","PortSpecifier":{"PortValue":47414}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.26:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"c7a2845e-421a-4aca-a217-8be4f0596925","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.d4c1ac57-9407-48f9-88fe-76e780c7b1ea.prod.konfluxeaas.com","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-12T00:11:35Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"c7a2845e-421a-4aca-a217-8be4f0596925","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.14:47414","PortSpecifier":{"PortValue":47414}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.26:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781223095,"nanos":603966613},"http":{"id":"c7a2845e-421a-4aca-a217-8be4f0596925","method":"POST","headers":{":authority":"maas.apps.d4c1ac57-9407-48f9-88fe-76e780c7b1ea.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-12T00:11:35Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"c7a2845e-421a-4aca-a217-8be4f0596925","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781223395,"groups":["Engineering","Project-Alpha"],"iat":1781223095,"iss":"https://keycloak.apps.d4c1ac57-9407-48f9-88fe-76e780c7b1ea.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:e323861a-120e-5c5f-7189-08a4761bbf91","preferred_username":"alice_lead","scope":"profile email","sid":"OFPVsFlyetXCibguyhLv-8LS","sub":"40e1aa09-b4ed-4579-a187-de3e3ddf1260","typ":"Bearer"}}
{"level":"debug","ts":"2026-06-12T00:11:35Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"c7a2845e-421a-4aca-a217-8be4f0596925","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781223395,"groups":["Engineering","Project-Alpha"],"iat":1781223095,"iss":"https://keycloak.apps.d4c1ac57-9407-48f9-88fe-76e780c7b1ea.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:e323861a-120e-5c5f-7189-08a4761bbf91","preferred_username":"alice_lead","scope":"profile email","sid":"OFPVsFlyetXCibguyhLv-8LS","sub":"40e1aa09-b4ed-4579-a187-de3e3ddf1260","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.132.0.26:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.d4c1ac57-9407-48f9-88fe-76e780c7b1ea.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-12T00:11:35Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"c7a2845e-421a-4aca-a217-8be4f0596925","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-12T00:11:35Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"c7a2845e-421a-4aca-a217-8be4f0596925","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-12T00:11:35Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"c7a2845e-421a-4aca-a217-8be4f0596925","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-12T00:11:35Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"c7a2845e-421a-4aca-a217-8be4f0596925","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"groups_str","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"userid","Value":{}},{"Name":"groups","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_info","Value":{}}]},"Plain":null},"reason":"no such key: metadata"}
{"level":"debug","ts":"2026-06-12T00:11:35Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"c7a2845e-421a-4aca-a217-8be4f0596925","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"}
{"level":"debug","ts":"2026-06-12T00:11:35Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"c7a2845e-421a-4aca-a217-8be4f0596925","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"}
{"level":"info","ts":"2026-06-12T00:11:35Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"c7a2845e-421a-4aca-a217-8be4f0596925","authorized":true,"response":"OK"}
{"level":"debug","ts":"2026-06-12T00:11:35Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"c7a2845e-421a-4aca-a217-8be4f0596925","authorized":true,"response":"OK"}
{"level":"info","ts":"2026-06-12T00:11:35Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"46b0e46c-5325-427c-9b6e-ca0cef14722c","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.14:47416","PortSpecifier":{"PortValue":47416}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.26:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"46b0e46c-5325-427c-9b6e-ca0cef14722c","method":"DELETE","path":"/maas-api/v1/api-keys/cca9a859-9147-426f-8e74-6ddb1cdcfb0f","host":"maas.apps.d4c1ac57-9407-48f9-88fe-76e780c7b1ea.prod.konfluxeaas.com","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-12T00:11:35Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"46b0e46c-5325-427c-9b6e-ca0cef14722c","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.14:47416","PortSpecifier":{"PortValue":47416}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.26:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781223095,"nanos":639084065},"http":{"id":"46b0e46c-5325-427c-9b6e-ca0cef14722c","method":"DELETE","headers":{":authority":"maas.apps.d4c1ac57-9407-48f9-88fe-76e780c7b1ea.prod.konfluxeaas.com",":method":"DELETE",":path":"/maas-api/v1/api-keys/cca9a859-9147-426f-8e74-6ddb1cdcfb0f",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-12T00:11:35Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"46b0e46c-5325-427c-9b6e-ca0cef14722c","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781223395,"groups":["Engineering","Project-Alpha"],"iat":1781223095,"iss":"https://keycloak.apps.d4c1ac57-9407-48f9-88fe-76e780c7b1ea.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:e323861a-120e-5c5f-7189-08a4761bbf91","preferred_username":"alice_lead","scope":"profile email","sid":"OFPVsFlyetXCibguyhLv-8LS","sub":"40e1aa09-b4ed-4579-a187-de3e3ddf1260","typ":"Bearer"}}
{"level":"debug","ts":"2026-06-12T00:11:35Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"46b0e46c-5325-427c-9b6e-ca0cef14722c","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781223395,"groups":["Engineering","Project-Alpha"],"iat":1781223095,"iss":"https://keycloak.apps.d4c1ac57-9407-48f9-88fe-76e780c7b1ea.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:e323861a-120e-5c5f-7189-08a4761bbf91","preferred_username":"alice_lead","scope":"profile email","sid":"OFPVsFlyetXCibguyhLv-8LS","sub":"40e1aa09-b4ed-4579-a187-de3e3ddf1260","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.132.0.26:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.d4c1ac57-9407-48f9-88fe-76e780c7b1ea.prod.konfluxeaas.com",":method":"DELETE",":path":"/maas-api/v1/api-keys/cca9a859-9147-426f-8e74-6ddb1cdcfb0f",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-12T00:11:35Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"46b0e46c-5325-427c-9b6e-ca0cef14722c","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-12T00:11:35Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"46b0e46c-5325-427c-9b6e-ca0cef14722c","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-12T00:11:35Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"46b0e46c-5325-427c-9b6e-ca0cef14722c","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-12T00:11:35Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"46b0e46c-5325-427c-9b6e-ca0cef14722c","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"groups_str","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"userid","Value":{}},{"Name":"groups","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_info","Value":{}}]},"Plain":null},"reason":"no such key: metadata"}
{"level":"debug","ts":"2026-06-12T00:11:35Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"46b0e46c-5325-427c-9b6e-ca0cef14722c","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"}
{"level":"debug","ts":"2026-06-12T00:11:35Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"46b0e46c-5325-427c-9b6e-ca0cef14722c","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"}
{"level":"info","ts":"2026-06-12T00:11:35Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"46b0e46c-5325-427c-9b6e-ca0cef14722c","authorized":true,"response":"OK"}
{"level":"debug","ts":"2026-06-12T00:11:35Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"46b0e46c-5325-427c-9b6e-ca0cef14722c","authorized":true,"response":"OK"}
{"level":"info","ts":"2026-06-12T00:11:38Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"f20c560c-c329-4206-80e4-81f9a03aee13","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.14:47430","PortSpecifier":{"PortValue":47430}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.26:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"f20c560c-c329-4206-80e4-81f9a03aee13","method":"GET","path":"/maas-api/v1/models","host":"maas.apps.d4c1ac57-9407-48f9-88fe-76e780c7b1ea.prod.konfluxeaas.com","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-12T00:11:38Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"f20c560c-c329-4206-80e4-81f9a03aee13","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.14:47430","PortSpecifier":{"PortValue":47430}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.26:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781223098,"nanos":675783109},"http":{"id":"f20c560c-c329-4206-80e4-81f9a03aee13","method":"GET","headers":{":authority":"maas.apps.d4c1ac57-9407-48f9-88fe-76e780c7b1ea.prod.konfluxeaas.com",":method":"GET",":path":"/maas-api/v1/models",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-12T00:11:38Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"f20c560c-c329-4206-80e4-81f9a03aee13","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-1210B6KUI6nKoM1ta_H66CoDQLq3t1SDi0CzlvjoLLtXhPV3I1hCg4Tprih5h"}
{"level":"debug","ts":"2026-06-12T00:11:38Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"f20c560c-c329-4206-80e4-81f9a03aee13","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-1210B6KUI6nKoM1ta_H66CoDQLq3t1SDi0CzlvjoLLtXhPV3I1hCg4Tprih5h\"}"}
{"level":"debug","ts":"2026-06-12T00:11:38Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"f20c560c-c329-4206-80e4-81f9a03aee13","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** revoked or expired","valid":false}}
{"level":"debug","ts":"2026-06-12T00:11:38Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"f20c560c-c329-4206-80e4-81f9a03aee13","input":{"auth":{"identity":"Bearer **** revoked or expired","valid":false}}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.132.0.26:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.d4c1ac57-9407-48f9-88fe-76e780c7b1ea.prod.konfluxeaas.com",":method":"GET",":path":"/maas-api/v1/models",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-12T00:11:38Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"f20c560c-c329-4206-80e4-81f9a03aee13","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-12T00:11:38Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access denied","request id":"f20c560c-c329-4206-80e4-81f9a03aee13","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"reason":"Unauthorized"}
{"level":"info","ts":"2026-06-12T00:11:38Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"f20c560c-c329-4206-80e4-81f9a03aee13","authorized":false,"response":"PERMISSION_DENIED","object":{"code":7,"status":403,"message":"Unauthorized"}}
{"level":"debug","ts":"2026-06-12T00:11:38Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"f20c560c-c329-4206-80e4-81f9a03aee13","authorized":false,"response":"PERMISSION_DENIED","object":{"code":7,"status":403,"message":"Unauthorized","headers":[{"content-type":"text/plain"},{"x-ext-auth-reason":""}]}}
{"level":"info","ts":"2026-06-12T00:11:38Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"e06345fa-31cf-4089-b8b9-c253bfec3407","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.14:47446","PortSpecifier":{"PortValue":47446}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.26:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"e06345fa-31cf-4089-b8b9-c253bfec3407","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.d4c1ac57-9407-48f9-88fe-76e780c7b1ea.prod.konfluxeaas.com","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-12T00:11:38Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"e06345fa-31cf-4089-b8b9-c253bfec3407","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.14:47446","PortSpecifier":{"PortValue":47446}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.26:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781223098,"nanos":813378048},"http":{"id":"e06345fa-31cf-4089-b8b9-c253bfec3407","method":"POST","headers":{":authority":"maas.apps.d4c1ac57-9407-48f9-88fe-76e780c7b1ea.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-12T00:11:38Z","logger":"authorino.service.auth.authpipeline.identity","msg":"cannot validate identity","request id":"e06345fa-31cf-4089-b8b9-c253bfec3407","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"reason":"failed to verify signature: failed to verify id token signature"}
{"level":"debug","ts":"2026-06-12T00:11:38Z","logger":"authorino.service.auth.authpipeline.identity.kubernetesauth","msg":"calling kubernetes token review api","request id":"e06345fa-31cf-4089-b8b9-c253bfec3407","tokenreview":{"name":""}}
{"level":"debug","ts":"2026-06-12T00:11:38Z","logger":"authorino.service.auth.authpipeline.identity","msg":"cannot validate identity","request id":"e06345fa-31cf-4089-b8b9-c253bfec3407","config":{"Name":"openshift-identities","Priority":2,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":null,"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"Plain":null,"Noop":null,"ExtendedProperties":[]},"reason":"not authenticated"}
{"level":"info","ts":"2026-06-12T00:11:38Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"e06345fa-31cf-4089-b8b9-c253bfec3407","authorized":false,"response":"UNAUTHENTICATED","object":{"code":16,"status":401,"message":"Authentication required"}}
{"level":"debug","ts":"2026-06-12T00:11:38Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"e06345fa-31cf-4089-b8b9-c253bfec3407","authorized":false,"response":"UNAUTHENTICATED","object":{"code":16,"status":401,"message":"Authentication required","headers":[{"WWW-Authenticate":"Bearer **** realm=\"api-keys\""},{"WWW-Authenticate":"Bearer ****
{"level":"info","ts":"2026-06-12T00:11:38Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"acd01af9-01f1-494f-9384-57b259dbd5eb","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.14:47454","PortSpecifier":{"PortValue":47454}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.26:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"acd01af9-01f1-494f-9384-57b259dbd5eb","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.d4c1ac57-9407-48f9-88fe-76e780c7b1ea.prod.konfluxeaas.com","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-12T00:11:38Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"acd01af9-01f1-494f-9384-57b259dbd5eb","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.14:47454","PortSpecifier":{"PortValue":47454}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.26:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781223098,"nanos":980802315},"http":{"id":"acd01af9-01f1-494f-9384-57b259dbd5eb","method":"POST","headers":{":authority":"maas.apps.d4c1ac57-9407-48f9-88fe-76e780c7b1ea.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-12T00:11:38Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"acd01af9-01f1-494f-9384-57b259dbd5eb","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781223398,"groups":["Engineering","Project-Alpha"],"iat":1781223098,"iss":"https://keycloak.apps.d4c1ac57-9407-48f9-88fe-76e780c7b1ea.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:b9f225bf-4957-551c-2254-5a8a072a6b12","preferred_username":"alice_lead","scope":"profile email","sid":"ShnvgK3moTcWb2siaJOJCpnG","sub":"40e1aa09-b4ed-4579-a187-de3e3ddf1260","typ":"Bearer"}}
{"level":"debug","ts":"2026-06-12T00:11:38Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"acd01af9-01f1-494f-9384-57b259dbd5eb","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781223398,"groups":["Engineering","Project-Alpha"],"iat":1781223098,"iss":"https://keycloak.apps.d4c1ac57-9407-48f9-88fe-76e780c7b1ea.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:b9f225bf-4957-551c-2254-5a8a072a6b12","preferred_username":"alice_lead","scope":"profile email","sid":"ShnvgK3moTcWb2siaJOJCpnG","sub":"40e1aa09-b4ed-4579-a187-de3e3ddf1260","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.132.0.26:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.d4c1ac57-9407-48f9-88fe-76e780c7b1ea.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-12T00:11:38Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"acd01af9-01f1-494f-9384-57b259dbd5eb","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-12T00:11:38Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"acd01af9-01f1-494f-9384-57b259dbd5eb","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-12T00:11:38Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"acd01af9-01f1-494f-9384-57b259dbd5eb","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-12T00:11:38Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"acd01af9-01f1-494f-9384-57b259dbd5eb","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"groups_str","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"userid","Value":{}},{"Name":"groups","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_info","Value":{}}]},"Plain":null},"reason":"no such key: metadata"}
{"level":"debug","ts":"2026-06-12T00:11:38Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"acd01af9-01f1-494f-9384-57b259dbd5eb","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"}
{"level":"debug","ts":"2026-06-12T00:11:38Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"acd01af9-01f1-494f-9384-57b259dbd5eb","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"}
{"level":"info","ts":"2026-06-12T00:11:38Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"acd01af9-01f1-494f-9384-57b259dbd5eb","authorized":true,"response":"OK"}
{"level":"debug","ts":"2026-06-12T00:11:38Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"acd01af9-01f1-494f-9384-57b259dbd5eb","authorized":true,"response":"OK"}
{"level":"info","ts":"2026-06-12T00:11:39Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"c4a5d461-01e7-42de-8c43-40315f9d9ff9","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.14:47458","PortSpecifier":{"PortValue":47458}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.26:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"c4a5d461-01e7-42de-8c43-40315f9d9ff9","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.d4c1ac57-9407-48f9-88fe-76e780c7b1ea.prod.konfluxeaas.com","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-12T00:11:39Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"c4a5d461-01e7-42de-8c43-40315f9d9ff9","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.14:47458","PortSpecifier":{"PortValue":47458}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.26:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781223099,"nanos":12381084},"http":{"id":"c4a5d461-01e7-42de-8c43-40315f9d9ff9","method":"POST","headers":{":authority":"maas.apps.d4c1ac57-9407-48f9-88fe-76e780c7b1ea.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-12T00:11:39Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"c4a5d461-01e7-42de-8c43-40315f9d9ff9","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781223398,"groups":["Site-Reliability"],"iat":1781223098,"iss":"https://keycloak.apps.d4c1ac57-9407-48f9-88fe-76e780c7b1ea.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:fc0311d8-9650-634f-4707-60a4c1db6a96","preferred_username":"bob_sre","scope":"profile email","sid":"ju10eP92JVpbIHYxjJe5DECN","sub":"8f2bcf33-56f2-44fb-b197-22976261e0ba","typ":"Bearer"}}
{"level":"debug","ts":"2026-06-12T00:11:39Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"c4a5d461-01e7-42de-8c43-40315f9d9ff9","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781223398,"groups":["Site-Reliability"],"iat":1781223098,"iss":"https://keycloak.apps.d4c1ac57-9407-48f9-88fe-76e780c7b1ea.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:fc0311d8-9650-634f-4707-60a4c1db6a96","preferred_username":"bob_sre","scope":"profile email","sid":"ju10eP92JVpbIHYxjJe5DECN","sub":"8f2bcf33-56f2-44fb-b197-22976261e0ba","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.132.0.26:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.d4c1ac57-9407-48f9-88fe-76e780c7b1ea.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-12T00:11:39Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"c4a5d461-01e7-42de-8c43-40315f9d9ff9","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-12T00:11:39Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"c4a5d461-01e7-42de-8c43-40315f9d9ff9","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-12T00:11:39Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"c4a5d461-01e7-42de-8c43-40315f9d9ff9","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-12T00:11:39Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"c4a5d461-01e7-42de-8c43-40315f9d9ff9","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"groups_str","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"userid","Value":{}},{"Name":"groups","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_info","Value":{}}]},"Plain":null},"reason":"no such key: metadata"}
{"level":"debug","ts":"2026-06-12T00:11:39Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"c4a5d461-01e7-42de-8c43-40315f9d9ff9","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"bob_sre"}
{"level":"debug","ts":"2026-06-12T00:11:39Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"c4a5d461-01e7-42de-8c43-40315f9d9ff9","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Site-Reliability\"]"}
{"level":"info","ts":"2026-06-12T00:11:39Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"c4a5d461-01e7-42de-8c43-40315f9d9ff9","authorized":true,"response":"OK"}
{"level":"debug","ts":"2026-06-12T00:11:39Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"c4a5d461-01e7-42de-8c43-40315f9d9ff9","authorized":true,"response":"OK"}
{"level":"info","ts":"2026-06-12T00:11:39Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"584d6aa1-8298-4762-ac4e-c61f51c0ceed","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.14:47474","PortSpecifier":{"PortValue":47474}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.26:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"584d6aa1-8298-4762-ac4e-c61f51c0ceed","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.d4c1ac57-9407-48f9-88fe-76e780c7b1ea.prod.konfluxeaas.com","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-12T00:11:39Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"584d6aa1-8298-4762-ac4e-c61f51c0ceed","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.14:47474","PortSpecifier":{"PortValue":47474}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.26:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781223099,"nanos":105369964},"http":{"id":"584d6aa1-8298-4762-ac4e-c61f51c0ceed","method":"POST","headers":{":authority":"maas.apps.d4c1ac57-9407-48f9-88fe-76e780c7b1ea.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-12T00:11:39Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"584d6aa1-8298-4762-ac4e-c61f51c0ceed","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781223399,"groups":["Engineering","Project-Alpha"],"iat":1781223099,"iss":"https://keycloak.apps.d4c1ac57-9407-48f9-88fe-76e780c7b1ea.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:c116d4b8-d555-f367-5783-3a59ae172faf","preferred_username":"alice_lead","scope":"profile email","sid":"2Jmp9rgStFG1Mw4B9IH8Q2Og","sub":"40e1aa09-b4ed-4579-a187-de3e3ddf1260","typ":"Bearer"}}
{"level":"debug","ts":"2026-06-12T00:11:39Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"584d6aa1-8298-4762-ac4e-c61f51c0ceed","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781223399,"groups":["Engineering","Project-Alpha"],"iat":1781223099,"iss":"https://keycloak.apps.d4c1ac57-9407-48f9-88fe-76e780c7b1ea.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:c116d4b8-d555-f367-5783-3a59ae172faf","preferred_username":"alice_lead","scope":"profile email","sid":"2Jmp9rgStFG1Mw4B9IH8Q2Og","sub":"40e1aa09-b4ed-4579-a187-de3e3ddf1260","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.132.0.26:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.d4c1ac57-9407-48f9-88fe-76e780c7b1ea.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-12T00:11:39Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"584d6aa1-8298-4762-ac4e-c61f51c0ceed","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-12T00:11:39Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"584d6aa1-8298-4762-ac4e-c61f51c0ceed","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-12T00:11:39Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"584d6aa1-8298-4762-ac4e-c61f51c0ceed","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-12T00:11:39Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"584d6aa1-8298-4762-ac4e-c61f51c0ceed","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"groups_str","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"userid","Value":{}},{"Name":"groups","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_info","Value":{}}]},"Plain":null},"reason":"no such key: metadata"}
{"level":"debug","ts":"2026-06-12T00:11:39Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"584d6aa1-8298-4762-ac4e-c61f51c0ceed","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"}
{"level":"debug","ts":"2026-06-12T00:11:39Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"584d6aa1-8298-4762-ac4e-c61f51c0ceed","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"}
{"level":"info","ts":"2026-06-12T00:11:39Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"584d6aa1-8298-4762-ac4e-c61f51c0ceed","authorized":true,"response":"OK"}
{"level":"debug","ts":"2026-06-12T00:11:39Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"584d6aa1-8298-4762-ac4e-c61f51c0ceed","authorized":true,"response":"OK"}
{"level":"info","ts":"2026-06-12T00:11:39Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"54aefcd3-8191-4e10-9666-c126ad193ef2","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.14:47478","PortSpecifier":{"PortValue":47478}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.26:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"54aefcd3-8191-4e10-9666-c126ad193ef2","method":"DELETE","path":"/maas-api/v1/api-keys/9eae30f1-eba0-4df6-9f48-6656d4bbad30","host":"maas.apps.d4c1ac57-9407-48f9-88fe-76e780c7b1ea.prod.konfluxeaas.com","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-12T00:11:39Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"54aefcd3-8191-4e10-9666-c126ad193ef2","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.14:47478","PortSpecifier":{"PortValue":47478}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.26:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781223099,"nanos":138485029},"http":{"id":"54aefcd3-8191-4e10-9666-c126ad193ef2","method":"DELETE","headers":{":authority":"maas.apps.d4c1ac57-9407-48f9-88fe-76e780c7b1ea.prod.konfluxeaas.com",":method":"DELETE",":path":"/maas-api/v1/api-keys/9eae30f1-eba0-4df6-9f48-6656d4bbad30",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-12T00:11:39Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"54aefcd3-8191-4e10-9666-c126ad193ef2","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781223399,"groups":["Engineering","Project-Alpha"],"iat":1781223099,"iss":"https://keycloak.apps.d4c1ac57-9407-48f9-88fe-76e780c7b1ea.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:c116d4b8-d555-f367-5783-3a59ae172faf","preferred_username":"alice_lead","scope":"profile email","sid":"2Jmp9rgStFG1Mw4B9IH8Q2Og","sub":"40e1aa09-b4ed-4579-a187-de3e3ddf1260","typ":"Bearer"}}
{"level":"debug","ts":"2026-06-12T00:11:39Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"54aefcd3-8191-4e10-9666-c126ad193ef2","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781223399,"groups":["Engineering","Project-Alpha"],"iat":1781223099,"iss":"https://keycloak.apps.d4c1ac57-9407-48f9-88fe-76e780c7b1ea.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:c116d4b8-d555-f367-5783-3a59ae172faf","preferred_username":"alice_lead","scope":"profile email","sid":"2Jmp9rgStFG1Mw4B9IH8Q2Og","sub":"40e1aa09-b4ed-4579-a187-de3e3ddf1260","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.132.0.26:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.d4c1ac57-9407-48f9-88fe-76e780c7b1ea.prod.konfluxeaas.com",":method":"DELETE",":path":"/maas-api/v1/api-keys/9eae30f1-eba0-4df6-9f48-6656d4bbad30",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-12T00:11:39Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"54aefcd3-8191-4e10-9666-c126ad193ef2","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-12T00:11:39Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"54aefcd3-8191-4e10-9666-c126ad193ef2","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-12T00:11:39Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"54aefcd3-8191-4e10-9666-c126ad193ef2","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-12T00:11:39Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"54aefcd3-8191-4e10-9666-c126ad193ef2","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"groups_str","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"userid","Value":{}},{"Name":"groups","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_info","Value":{}}]},"Plain":null},"reason":"no such key: metadata"}
{"level":"debug","ts":"2026-06-12T00:11:39Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"54aefcd3-8191-4e10-9666-c126ad193ef2","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"}
{"level":"debug","ts":"2026-06-12T00:11:39Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"54aefcd3-8191-4e10-9666-c126ad193ef2","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"}
{"level":"info","ts":"2026-06-12T00:11:39Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"54aefcd3-8191-4e10-9666-c126ad193ef2","authorized":true,"response":"OK"}
{"level":"debug","ts":"2026-06-12T00:11:39Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"54aefcd3-8191-4e10-9666-c126ad193ef2","authorized":true,"response":"OK"}
{"level":"info","ts":"2026-06-12T00:11:39Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"0072d07b-d952-4e9d-a715-bf1463439fd5","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.14:47482","PortSpecifier":{"PortValue":47482}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.26:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"0072d07b-d952-4e9d-a715-bf1463439fd5","method":"DELETE","path":"/maas-api/v1/api-keys/9eae30f1-eba0-4df6-9f48-6656d4bbad30","host":"maas.apps.d4c1ac57-9407-48f9-88fe-76e780c7b1ea.prod.konfluxeaas.com","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-12T00:11:39Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"0072d07b-d952-4e9d-a715-bf1463439fd5","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.14:47482","PortSpecifier":{"PortValue":47482}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.26:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781223099,"nanos":170605750},"http":{"id":"0072d07b-d952-4e9d-a715-bf1463439fd5","method":"DELETE","headers":{":authority":"maas.apps.d4c1ac57-9407-48f9-88fe-76e780c7b1ea.prod.konfluxeaas.com",":method":"DELETE",":path":"/maas-api/v1/api-keys/9eae30f1-eba0-4df6-9f48-6656d4bbad30",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-12T00:11:39Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"0072d07b-d952-4e9d-a715-bf1463439fd5","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781223399,"groups":["Engineering","Project-Alpha"],"iat":1781223099,"iss":"https://keycloak.apps.d4c1ac57-9407-48f9-88fe-76e780c7b1ea.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:c116d4b8-d555-f367-5783-3a59ae172faf","preferred_username":"alice_lead","scope":"profile email","sid":"2Jmp9rgStFG1Mw4B9IH8Q2Og","sub":"40e1aa09-b4ed-4579-a187-de3e3ddf1260","typ":"Bearer"}}
{"level":"debug","ts":"2026-06-12T00:11:39Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"0072d07b-d952-4e9d-a715-bf1463439fd5","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781223399,"groups":["Engineering","Project-Alpha"],"iat":1781223099,"iss":"https://keycloak.apps.d4c1ac57-9407-48f9-88fe-76e780c7b1ea.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:c116d4b8-d555-f367-5783-3a59ae172faf","preferred_username":"alice_lead","scope":"profile email","sid":"2Jmp9rgStFG1Mw4B9IH8Q2Og","sub":"40e1aa09-b4ed-4579-a187-de3e3ddf1260","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.132.0.26:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.d4c1ac57-9407-48f9-88fe-76e780c7b1ea.prod.konfluxeaas.com",":method":"DELETE",":path":"/maas-api/v1/api-keys/9eae30f1-eba0-4df6-9f48-6656d4bbad30",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-12T00:11:39Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"0072d07b-d952-4e9d-a715-bf1463439fd5","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-12T00:11:39Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"0072d07b-d952-4e9d-a715-bf1463439fd5","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-12T00:11:39Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"0072d07b-d952-4e9d-a715-bf1463439fd5","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-12T00:11:39Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"0072d07b-d952-4e9d-a715-bf1463439fd5","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"groups_str","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"userid","Value":{}},{"Name":"groups","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_info","Value":{}}]},"Plain":null},"reason":"no such key: metadata"}
{"level":"debug","ts":"2026-06-12T00:11:39Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"0072d07b-d952-4e9d-a715-bf1463439fd5","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"}
{"level":"debug","ts":"2026-06-12T00:11:39Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"0072d07b-d952-4e9d-a715-bf1463439fd5","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"}
{"level":"info","ts":"2026-06-12T00:11:39Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"0072d07b-d952-4e9d-a715-bf1463439fd5","authorized":true,"response":"OK"}
{"level":"debug","ts":"2026-06-12T00:11:39Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"0072d07b-d952-4e9d-a715-bf1463439fd5","authorized":true,"response":"OK"}
{"level":"info","ts":"2026-06-12T00:11:39Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"407be868-f8c0-47e6-9fbc-00a16bf2071b","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.14:47486","PortSpecifier":{"PortValue":47486}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.26:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"407be868-f8c0-47e6-9fbc-00a16bf2071b","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.d4c1ac57-9407-48f9-88fe-76e780c7b1ea.prod.konfluxeaas.com","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-12T00:11:39Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"407be868-f8c0-47e6-9fbc-00a16bf2071b","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.14:47486","PortSpecifier":{"PortValue":47486}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.26:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781223099,"nanos":263114945},"http":{"id":"407be868-f8c0-47e6-9fbc-00a16bf2071b","method":"POST","headers":{":authority":"maas.apps.d4c1ac57-9407-48f9-88fe-76e780c7b1ea.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-12T00:11:39Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"407be868-f8c0-47e6-9fbc-00a16bf2071b","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781223399,"groups":["Engineering","Project-Alpha"],"iat":1781223099,"iss":"https://keycloak.apps.d4c1ac57-9407-48f9-88fe-76e780c7b1ea.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:3a097d55-3816-d947-8db0-60be959019c9","preferred_username":"alice_lead","scope":"profile email","sid":"KgNVzrQ3EuT-CkfRnAqFhbUM","sub":"40e1aa09-b4ed-4579-a187-de3e3ddf1260","typ":"Bearer"}}
{"level":"debug","ts":"2026-06-12T00:11:39Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"407be868-f8c0-47e6-9fbc-00a16bf2071b","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781223399,"groups":["Engineering","Project-Alpha"],"iat":1781223099,"iss":"https://keycloak.apps.d4c1ac57-9407-48f9-88fe-76e780c7b1ea.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:3a097d55-3816-d947-8db0-60be959019c9","preferred_username":"alice_lead","scope":"profile email","sid":"KgNVzrQ3EuT-CkfRnAqFhbUM","sub":"40e1aa09-b4ed-4579-a187-de3e3ddf1260","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.132.0.26:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.d4c1ac57-9407-48f9-88fe-76e780c7b1ea.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-12T00:11:39Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"407be868-f8c0-47e6-9fbc-00a16bf2071b","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-12T00:11:39Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"407be868-f8c0-47e6-9fbc-00a16bf2071b","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-12T00:11:39Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"407be868-f8c0-47e6-9fbc-00a16bf2071b","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-12T00:11:39Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"407be868-f8c0-47e6-9fbc-00a16bf2071b","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"groups_str","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"userid","Value":{}},{"Name":"groups","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_info","Value":{}}]},"Plain":null},"reason":"no such key: metadata"}
{"level":"debug","ts":"2026-06-12T00:11:39Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"407be868-f8c0-47e6-9fbc-00a16bf2071b","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"}
{"level":"debug","ts":"2026-06-12T00:11:39Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"407be868-f8c0-47e6-9fbc-00a16bf2071b","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"}
{"level":"info","ts":"2026-06-12T00:11:39Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"407be868-f8c0-47e6-9fbc-00a16bf2071b","authorized":true,"response":"OK"}
{"level":"debug","ts":"2026-06-12T00:11:39Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"407be868-f8c0-47e6-9fbc-00a16bf2071b","authorized":true,"response":"OK"}
{"level":"info","ts":"2026-06-12T00:11:39Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"e012e3c8-7d24-4558-adf8-ddd4ede328ef","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.14:47502","PortSpecifier":{"PortValue":47502}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.26:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"e012e3c8-7d24-4558-adf8-ddd4ede328ef","method":"GET","path":"/maas-api/v1/models","host":"maas.apps.d4c1ac57-9407-48f9-88fe-76e780c7b1ea.prod.konfluxeaas.com","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-12T00:11:39Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"e012e3c8-7d24-4558-adf8-ddd4ede328ef","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.14:47502","PortSpecifier":{"PortValue":47502}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.26:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781223099,"nanos":295156044},"http":{"id":"e012e3c8-7d24-4558-adf8-ddd4ede328ef","method":"GET","headers":{":authority":"maas.apps.d4c1ac57-9407-48f9-88fe-76e780c7b1ea.prod.konfluxeaas.com",":method":"GET",":path":"/maas-api/v1/models",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-12T00:11:39Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"e012e3c8-7d24-4558-adf8-ddd4ede328ef","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-1YmNL6mgcLM4n47aQ_vgxzuxwjCN3RBcR9MQs7FHOdxciI5yAWF0mbOJQLmIJ"}
{"level":"debug","ts":"2026-06-12T00:11:39Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"e012e3c8-7d24-4558-adf8-ddd4ede328ef","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-1YmNL6mgcLM4n47aQ_vgxzuxwjCN3RBcR9MQs7FHOdxciI5yAWF0mbOJQLmIJ\"}"}
{"level":"debug","ts":"2026-06-12T00:11:39Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"e012e3c8-7d24-4558-adf8-ddd4ede328ef","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-12T00:11:39Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"e012e3c8-7d24-4558-adf8-ddd4ede328ef","input":{"auth":{"identity":"Bearer **** deflate","authorization":"Bearer **** deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-12T00:11:39Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"e012e3c8-7d24-4558-adf8-ddd4ede328ef","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-12T00:11:39Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"e012e3c8-7d24-4558-adf8-ddd4ede328ef","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-12T00:11:39Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"e012e3c8-7d24-4558-adf8-ddd4ede328ef","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-12T00:11:39Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"e012e3c8-7d24-4558-adf8-ddd4ede328ef","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-12T00:11:39Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"e012e3c8-7d24-4558-adf8-ddd4ede328ef","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-12T00:11:39Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"e012e3c8-7d24-4558-adf8-ddd4ede328ef","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"groups_str","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"userid","Value":{}},{"Name":"groups","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_info","Value":{}}]},"Plain":null},"reason":"no such key: subscription-info"}
{"level":"debug","ts":"2026-06-12T00:11:39Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"e012e3c8-7d24-4558-adf8-ddd4ede328ef","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"}
{"level":"info","ts":"2026-06-12T00:11:39Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"e012e3c8-7d24-4558-adf8-ddd4ede328ef","authorized":true,"response":"OK"}
{"level":"debug","ts":"2026-06-12T00:11:39Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"e012e3c8-7d24-4558-adf8-ddd4ede328ef","authorized":true,"response":"OK"}
{"level":"info","ts":"2026-06-12T00:11:39Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"f831b085-5af2-4be1-be53-361b4088178c","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.30:48282","PortSpecifier":{"PortValue":48282}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.26:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"f831b085-5af2-4be1-be53-361b4088178c","method":"GET","path":"/llm/facebook-opt-125m-simulated/v1/models","host":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-12T00:11:39Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"f831b085-5af2-4be1-be53-361b4088178c","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.30:48282","PortSpecifier":{"PortValue":48282}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.26:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781223099,"nanos":302832086},"http":{"id":"f831b085-5af2-4be1-be53-361b4088178c","method":"GET","headers":{":authority":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local",":method":"GET",":path":"/llm/facebook-opt-125m-simulated/v1/models",":scheme":"https","accept-encoding":"gzip","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-12T00:11:39Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"f831b085-5af2-4be1-be53-361b4088178c","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-1YmNL6mgcLM4n47aQ_vgxzuxwjCN3RBcR9MQs7FHOdxciI5yAWF0mbOJQLmIJ"}
{"level":"debug","ts":"2026-06-12T00:11:39Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"f831b085-5af2-4be1-be53-361b4088178c","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-1YmNL6mgcLM4n47aQ_vgxzuxwjCN3RBcR9MQs7FHOdxciI5yAWF0mbOJQLmIJ\"}"}
{"level":"debug","ts":"2026-06-12T00:11:39Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"f831b085-5af2-4be1-be53-361b4088178c","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-12T00:11:39Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"f831b085-5af2-4be1-be53-361b4088178c","config":"subscription-info","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","headers":{"Content-Type":["application/json"]},"body":"{\"groups\":[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"],\"requestedModel\":\"llm/facebook-opt-125m-simulated\",\"requestedSubscription\":\"simulator-subscription\",\"username\":\"alice_lead\"}"}
{"level":"debug","ts":"2026-06-12T00:11:39Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"f831b085-5af2-4be1-be53-361b4088178c","config":{"Name":"subscription-info","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"UserInfo":null,"UMA":null,"GenericHTTP":{"Endpoint":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","DynamicEndpoint":null,"Method":"POST","Body":{},"Parameters":[],"Headers":[],"ContentType":"application/json","SharedSecret":"","OAuth2":null,"OAuth2TokenForceFetch":false,"AuthCredentials":null}},"object":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}}
{"level":"debug","ts":"2026-06-12T00:11:39Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"f831b085-5af2-4be1-be53-361b4088178c","input":{"auth":{"identity":"Bearer **** subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}}},"context":{"context_extensions":{"host":"3dd75e19cd66d310c30638e330078972afd6d2d96305f91055bc6a6f363fb8d3"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.132.0.26:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local",":method":"GET",":path":"/llm/facebook-opt-125m-simulated/v1/models",":scheme":"https","accept-encoding":"gzip","authorization":"Bearer **** sk-oai-1YmNL6mgcLM4n47aQ_vgxzuxwjCN3RBcR9MQs7FHOdxciI5yAWF0mbOJQLmIJ","user-agent":"Go-http-client/1.1","x-envoy-decorator-operation":"facebook-opt-125m-simulated-kserve-workload-svc.llm.svc.cluster.local:8000/*","x-envoy-external-address":"10.134.0.30","x-envoy-peer-metadata":"ChoKCkNMVVNURVJfSUQSDBoKS3ViZXJuZXRlcwqLAQoGTEFCRUxTEoABKn4KSwofc2VydmljZS5pc3Rpby5pby9jYW5vbmljYWwtbmFtZRIoGiZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAovCiNzZXJ2aWNlLmlzdGlvLmlvL2Nhbm9uaWNhbC1yZXZpc2lvbhIIGgZsYXRlc3QKQQoETkFNRRI5GjdtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdC04NTU5Y2Q1NzQ0LTV0cjd0CiAKCU5BTUVTUEFDRRITGhFvcGVuc2hpZnQtaW5ncmVzcwp0CgVPV05FUhJrGmlrdWJlcm5ldGVzOi8vYXBpcy9hcHBzL3YxL25hbWVzcGFjZXMvb3BlbnNoaWZ0LWluZ3Jlc3MvZGVwbG95bWVudHMvbWFhcy1kZWZhdWx0LWdhdGV3YXktb3BlbnNoaWZ0LWRlZmF1bHQKOQoNV09SS0xPQURfTkFNRRIoGiZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdA==","x-envoy-peer-metadata-id":"router~10.132.0.26~maas-default-gateway-openshift-default-8559cd5744-5tr7t.openshift-ingress~openshift-ingress.svc.cluster.local","x-forwarded-for":"10.134.0.30","x-forwarded-proto":"https","x-maas-subscription":"simulator-subscription","x-request-id":"f831b085-5af2-4be1-be53-361b4088178c"},"host":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local","id":"f831b085-5af2-4be1-be53-361b4088178c","method":"GET","path":"/llm/facebook-opt-125m-simulated/v1/models","protocol":"HTTP/1.1","scheme":"https","time":{"nanos":302832086,"seconds":1781223099},"url_path":"/llm/facebook-opt-125m-simulated/v1/models","user_agent":"Go-http-client/1.1"},"source":{"address":"10.134.0.30:48282","port":48282}}}
{"level":"debug","ts":"2026-06-12T00:11:39Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"f831b085-5af2-4be1-be53-361b4088178c","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-12T00:11:39Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"f831b085-5af2-4be1-be53-361b4088178c","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-12T00:11:39Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"f831b085-5af2-4be1-be53-361b4088178c","config":{"Name":"subscription-valid","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-12T00:11:39Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"f831b085-5af2-4be1-be53-361b4088178c","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-12T00:11:39Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"f831b085-5af2-4be1-be53-361b4088178c","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-12T00:11:39Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"f831b085-5af2-4be1-be53-361b4088178c","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-12T00:11:39Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"f831b085-5af2-4be1-be53-361b4088178c","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"}
{"level":"debug","ts":"2026-06-12T00:11:39Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"f831b085-5af2-4be1-be53-361b4088178c","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"subscription_error","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"userid","Value":{}},{"Name":"groups","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription","Value":{}}]},"Plain":null},"object":{"groups":["system:authenticated","Engineering","Project-Alpha"],"groups_str":"system:authenticated,Engineering,Project-Alpha","keyId":"c2ceaab9-005e-4a32-a854-ed0e955c9640","selected_subscription":"simulator-subscription","selected_subscription_key":"models-as-a-service/simulator-subscription@llm/facebook-opt-125m-simulated","subscription_error":"","subscription_error_message":"","subscription_info":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true},"userid":"alice_lead"}}
{"level":"info","ts":"2026-06-12T00:11:39Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"f831b085-5af2-4be1-be53-361b4088178c","authorized":true,"response":"OK"}
{"level":"debug","ts":"2026-06-12T00:11:39Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"f831b085-5af2-4be1-be53-361b4088178c","authorized":true,"response":"OK"}
{"level":"info","ts":"2026-06-12T00:11:39Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"b1bddc6f-3a47-4002-aa4a-12f05f3d58cf","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.14:47512","PortSpecifier":{"PortValue":47512}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.26:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"b1bddc6f-3a47-4002-aa4a-12f05f3d58cf","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.d4c1ac57-9407-48f9-88fe-76e780c7b1ea.prod.konfluxeaas.com","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-12T00:11:39Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"b1bddc6f-3a47-4002-aa4a-12f05f3d58cf","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.14:47512","PortSpecifier":{"PortValue":47512}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.26:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781223099,"nanos":397110294},"http":{"id":"b1bddc6f-3a47-4002-aa4a-12f05f3d58cf","method":"POST","headers":{":authority":"maas.apps.d4c1ac57-9407-48f9-88fe-76e780c7b1ea.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-12T00:11:39Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"b1bddc6f-3a47-4002-aa4a-12f05f3d58cf","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781223399,"groups":["Engineering","Project-Alpha"],"iat":1781223099,"iss":"https://keycloak.apps.d4c1ac57-9407-48f9-88fe-76e780c7b1ea.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:78be715d-3710-f232-12df-c8c788092f20","preferred_username":"alice_lead","scope":"profile email","sid":"w0bOt3TmA44KNYVxPG5E7Bfr","sub":"40e1aa09-b4ed-4579-a187-de3e3ddf1260","typ":"Bearer"}}
{"level":"debug","ts":"2026-06-12T00:11:39Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"b1bddc6f-3a47-4002-aa4a-12f05f3d58cf","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781223399,"groups":["Engineering","Project-Alpha"],"iat":1781223099,"iss":"https://keycloak.apps.d4c1ac57-9407-48f9-88fe-76e780c7b1ea.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:78be715d-3710-f232-12df-c8c788092f20","preferred_username":"alice_lead","scope":"profile email","sid":"w0bOt3TmA44KNYVxPG5E7Bfr","sub":"40e1aa09-b4ed-4579-a187-de3e3ddf1260","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.132.0.26:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.d4c1ac57-9407-48f9-88fe-76e780c7b1ea.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-12T00:11:39Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"b1bddc6f-3a47-4002-aa4a-12f05f3d58cf","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-12T00:11:39Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"b1bddc6f-3a47-4002-aa4a-12f05f3d58cf","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-12T00:11:39Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"b1bddc6f-3a47-4002-aa4a-12f05f3d58cf","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-12T00:11:39Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"b1bddc6f-3a47-4002-aa4a-12f05f3d58cf","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"groups_str","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"userid","Value":{}},{"Name":"groups","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_info","Value":{}}]},"Plain":null},"reason":"no such key: metadata"}
{"level":"debug","ts":"2026-06-12T00:11:39Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"b1bddc6f-3a47-4002-aa4a-12f05f3d58cf","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"}
{"level":"debug","ts":"2026-06-12T00:11:39Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"b1bddc6f-3a47-4002-aa4a-12f05f3d58cf","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"}
{"level":"info","ts":"2026-06-12T00:11:39Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"b1bddc6f-3a47-4002-aa4a-12f05f3d58cf","authorized":true,"response":"OK"}
{"level":"debug","ts":"2026-06-12T00:11:39Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"b1bddc6f-3a47-4002-aa4a-12f05f3d58cf","authorized":true,"response":"OK"}
{"level":"info","ts":"2026-06-12T00:11:39Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"fb0ba7a6-4fe8-4fc0-864e-e846c3c5357f","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.14:47528","PortSpecifier":{"PortValue":47528}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.26:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"fb0ba7a6-4fe8-4fc0-864e-e846c3c5357f","method":"GET","path":"/maas-api/v1/models","host":"maas.apps.d4c1ac57-9407-48f9-88fe-76e780c7b1ea.prod.konfluxeaas.com","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-12T00:11:39Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"fb0ba7a6-4fe8-4fc0-864e-e846c3c5357f","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.14:47528","PortSpecifier":{"PortValue":47528}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.26:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781223099,"nanos":428365435},"http":{"id":"fb0ba7a6-4fe8-4fc0-864e-e846c3c5357f","method":"GET","headers":{":authority":"maas.apps.d4c1ac57-9407-48f9-88fe-76e780c7b1ea.prod.konfluxeaas.com",":method":"GET",":path":"/maas-api/v1/models",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-12T00:11:39Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"fb0ba7a6-4fe8-4fc0-864e-e846c3c5357f","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-UEGuAuijJDBJBiCa_W05YL71lkGKEKg3nE3B3LAt7S1AkbiNpJ7OvDD8Viuv"}
{"level":"debug","ts":"2026-06-12T00:11:39Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"fb0ba7a6-4fe8-4fc0-864e-e846c3c5357f","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-UEGuAuijJDBJBiCa_W05YL71lkGKEKg3nE3B3LAt7S1AkbiNpJ7OvDD8Viuv\"}"}
{"level":"debug","ts":"2026-06-12T00:11:39Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"fb0ba7a6-4fe8-4fc0-864e-e846c3c5357f","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-12T00:11:39Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"fb0ba7a6-4fe8-4fc0-864e-e846c3c5357f","input":{"auth":{"identity":"Bearer **** deflate","authorization":"Bearer **** deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-12T00:11:39Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"fb0ba7a6-4fe8-4fc0-864e-e846c3c5357f","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-12T00:11:39Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"fb0ba7a6-4fe8-4fc0-864e-e846c3c5357f","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-12T00:11:39Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"fb0ba7a6-4fe8-4fc0-864e-e846c3c5357f","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-12T00:11:39Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"fb0ba7a6-4fe8-4fc0-864e-e846c3c5357f","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-12T00:11:39Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"fb0ba7a6-4fe8-4fc0-864e-e846c3c5357f","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-12T00:11:39Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"fb0ba7a6-4fe8-4fc0-864e-e846c3c5357f","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"}
{"level":"debug","ts":"2026-06-12T00:11:39Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"fb0ba7a6-4fe8-4fc0-864e-e846c3c5357f","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"groups_str","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"userid","Value":{}},{"Name":"groups","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_info","Value":{}}]},"Plain":null},"reason":"no such key: subscription-info"}
{"level":"info","ts":"2026-06-12T00:11:39Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"fb0ba7a6-4fe8-4fc0-864e-e846c3c5357f","authorized":true,"response":"OK"}
{"level":"debug","ts":"2026-06-12T00:11:39Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"fb0ba7a6-4fe8-4fc0-864e-e846c3c5357f","authorized":true,"response":"OK"}
{"level":"info","ts":"2026-06-12T00:11:39Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"561da487-78c6-43ad-ad8c-c72d202230c4","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.14:47536","PortSpecifier":{"PortValue":47536}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.26:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"561da487-78c6-43ad-ad8c-c72d202230c4","method":"GET","path":"/maas-api/v1/models","host":"maas.apps.d4c1ac57-9407-48f9-88fe-76e780c7b1ea.prod.konfluxeaas.com","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-12T00:11:39Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"561da487-78c6-43ad-ad8c-c72d202230c4","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.14:47536","PortSpecifier":{"PortValue":47536}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.26:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781223099,"nanos":461309868},"http":{"id":"561da487-78c6-43ad-ad8c-c72d202230c4","method":"GET","headers":{":authority":"maas.apps.d4c1ac57-9407-48f9-88fe-76e780c7b1ea.prod.konfluxeaas.com",":method":"GET",":path":"/maas-api/v1/models",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-12T00:11:39Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"561da487-78c6-43ad-ad8c-c72d202230c4","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-UEGuAuijJDBJBiCa_W05YL71lkGKEKg3nE3B3LAt7S1AkbiNpJ7OvDD8Viuv"}
{"level":"debug","ts":"2026-06-12T00:11:39Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"561da487-78c6-43ad-ad8c-c72d202230c4","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-UEGuAuijJDBJBiCa_W05YL71lkGKEKg3nE3B3LAt7S1AkbiNpJ7OvDD8Viuv\"}"}
{"level":"debug","ts":"2026-06-12T00:11:39Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"561da487-78c6-43ad-ad8c-c72d202230c4","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-12T00:11:39Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"561da487-78c6-43ad-ad8c-c72d202230c4","input":{"auth":{"identity":"Bearer **** deflate","authorization":"Bearer **** deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-12T00:11:39Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"561da487-78c6-43ad-ad8c-c72d202230c4","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-12T00:11:39Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"561da487-78c6-43ad-ad8c-c72d202230c4","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-12T00:11:39Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"561da487-78c6-43ad-ad8c-c72d202230c4","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-12T00:11:39Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"561da487-78c6-43ad-ad8c-c72d202230c4","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-12T00:11:39Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"561da487-78c6-43ad-ad8c-c72d202230c4","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-12T00:11:39Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"561da487-78c6-43ad-ad8c-c72d202230c4","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"groups_str","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"userid","Value":{}},{"Name":"groups","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_info","Value":{}}]},"Plain":null},"reason":"no such key: subscription-info"}
{"level":"debug","ts":"2026-06-12T00:11:39Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"561da487-78c6-43ad-ad8c-c72d202230c4","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"}
{"level":"info","ts":"2026-06-12T00:11:39Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"561da487-78c6-43ad-ad8c-c72d202230c4","authorized":true,"response":"OK"}
{"level":"debug","ts":"2026-06-12T00:11:39Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"561da487-78c6-43ad-ad8c-c72d202230c4","authorized":true,"response":"OK"}
{"level":"info","ts":"2026-06-12T00:11:39Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"a163761f-2397-9955-97e4-12e5c60d0b3f","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.30:48282","PortSpecifier":{"PortValue":48282}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.26:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"a163761f-2397-9955-97e4-12e5c60d0b3f","method":"GET","path":"/llm/facebook-opt-125m-simulated/v1/models","host":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-12T00:11:39Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"a163761f-2397-9955-97e4-12e5c60d0b3f","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.30:48282","PortSpecifier":{"PortValue":48282}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.26:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781223099,"nanos":469552201},"http":{"id":"a163761f-2397-9955-97e4-12e5c60d0b3f","method":"GET","headers":{":authority":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local",":method":"GET",":path":"/llm/facebook-opt-125m-simulated/v1/models",":scheme":"https","accept-encoding":"gzip","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-12T00:11:39Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"a163761f-2397-9955-97e4-12e5c60d0b3f","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-UEGuAuijJDBJBiCa_W05YL71lkGKEKg3nE3B3LAt7S1AkbiNpJ7OvDD8Viuv"}
{"level":"debug","ts":"2026-06-12T00:11:39Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"a163761f-2397-9955-97e4-12e5c60d0b3f","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-UEGuAuijJDBJBiCa_W05YL71lkGKEKg3nE3B3LAt7S1AkbiNpJ7OvDD8Viuv\"}"}
{"level":"debug","ts":"2026-06-12T00:11:39Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"a163761f-2397-9955-97e4-12e5c60d0b3f","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-12T00:11:39Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"a163761f-2397-9955-97e4-12e5c60d0b3f","config":"subscription-info","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","headers":{"Content-Type":["application/json"]},"body":"{\"groups\":[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"],\"requestedModel\":\"llm/facebook-opt-125m-simulated\",\"requestedSubscription\":\"simulator-subscription\",\"username\":\"alice_lead\"}"}
{"level":"debug","ts":"2026-06-12T00:11:39Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"a163761f-2397-9955-97e4-12e5c60d0b3f","config":{"Name":"subscription-info","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"UserInfo":null,"UMA":null,"GenericHTTP":{"Endpoint":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","DynamicEndpoint":null,"Method":"POST","Body":{},"Parameters":[],"Headers":[],"ContentType":"application/json","SharedSecret":"","OAuth2":null,"OAuth2TokenForceFetch":false,"AuthCredentials":null}},"object":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}}
{"level":"debug","ts":"2026-06-12T00:11:39Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"a163761f-2397-9955-97e4-12e5c60d0b3f","input":{"auth":{"identity":"Bearer **** subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}}},"context":{"context_extensions":{"host":"3dd75e19cd66d310c30638e330078972afd6d2d96305f91055bc6a6f363fb8d3"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.132.0.26:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local",":method":"GET",":path":"/llm/facebook-opt-125m-simulated/v1/models",":scheme":"https","accept-encoding":"gzip","authorization":"Bearer **** sk-oai-UEGuAuijJDBJBiCa_W05YL71lkGKEKg3nE3B3LAt7S1AkbiNpJ7OvDD8Viuv","user-agent":"Go-http-client/1.1","x-envoy-decorator-operation":"facebook-opt-125m-simulated-kserve-workload-svc.llm.svc.cluster.local:8000/*","x-envoy-external-address":"10.134.0.30","x-envoy-peer-metadata":"ChoKCkNMVVNURVJfSUQSDBoKS3ViZXJuZXRlcwqLAQoGTEFCRUxTEoABKn4KSwofc2VydmljZS5pc3Rpby5pby9jYW5vbmljYWwtbmFtZRIoGiZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAovCiNzZXJ2aWNlLmlzdGlvLmlvL2Nhbm9uaWNhbC1yZXZpc2lvbhIIGgZsYXRlc3QKQQoETkFNRRI5GjdtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdC04NTU5Y2Q1NzQ0LTV0cjd0CiAKCU5BTUVTUEFDRRITGhFvcGVuc2hpZnQtaW5ncmVzcwp0CgVPV05FUhJrGmlrdWJlcm5ldGVzOi8vYXBpcy9hcHBzL3YxL25hbWVzcGFjZXMvb3BlbnNoaWZ0LWluZ3Jlc3MvZGVwbG95bWVudHMvbWFhcy1kZWZhdWx0LWdhdGV3YXktb3BlbnNoaWZ0LWRlZmF1bHQKOQoNV09SS0xPQURfTkFNRRIoGiZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdA==","x-envoy-peer-metadata-id":"router~10.132.0.26~maas-default-gateway-openshift-default-8559cd5744-5tr7t.openshift-ingress~openshift-ingress.svc.cluster.local","x-forwarded-for":"10.134.0.30","x-forwarded-proto":"https","x-maas-subscription":"simulator-subscription","x-request-id":"a163761f-2397-9955-97e4-12e5c60d0b3f"},"host":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local","id":"a163761f-2397-9955-97e4-12e5c60d0b3f","method":"GET","path":"/llm/facebook-opt-125m-simulated/v1/models","protocol":"HTTP/1.1","scheme":"https","time":{"nanos":469552201,"seconds":1781223099},"url_path":"/llm/facebook-opt-125m-simulated/v1/models","user_agent":"Go-http-client/1.1"},"source":{"address":"10.134.0.30:48282","port":48282}}}
{"level":"debug","ts":"2026-06-12T00:11:39Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"a163761f-2397-9955-97e4-12e5c60d0b3f","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-12T00:11:39Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"a163761f-2397-9955-97e4-12e5c60d0b3f","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-12T00:11:39Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"a163761f-2397-9955-97e4-12e5c60d0b3f","config":{"Name":"subscription-valid","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-12T00:11:39Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"a163761f-2397-9955-97e4-12e5c60d0b3f","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-12T00:11:39Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"a163761f-2397-9955-97e4-12e5c60d0b3f","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-12T00:11:39Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"a163761f-2397-9955-97e4-12e5c60d0b3f","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-12T00:11:39Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"a163761f-2397-9955-97e4-12e5c60d0b3f","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"}
{"level":"debug","ts":"2026-06-12T00:11:39Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"a163761f-2397-9955-97e4-12e5c60d0b3f","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"subscription_error","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"userid","Value":{}},{"Name":"groups","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription","Value":{}}]},"Plain":null},"object":{"groups":["system:authenticated","Engineering","Project-Alpha"],"groups_str":"system:authenticated,Engineering,Project-Alpha","keyId":"bb3ca2d7-affe-4182-8626-2d0b4b5f35c9","selected_subscription":"simulator-subscription","selected_subscription_key":"models-as-a-service/simulator-subscription@llm/facebook-opt-125m-simulated","subscription_error":"","subscription_error_message":"","subscription_info":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true},"userid":"alice_lead"}}
{"level":"info","ts":"2026-06-12T00:11:39Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"a163761f-2397-9955-97e4-12e5c60d0b3f","authorized":true,"response":"OK"}
{"level":"debug","ts":"2026-06-12T00:11:39Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"a163761f-2397-9955-97e4-12e5c60d0b3f","authorized":true,"response":"OK"}
{"level":"info","ts":"2026-06-12T00:11:39Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"8d2788a4-adae-4a1e-9fec-b29305824248","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.14:47546","PortSpecifier":{"PortValue":47546}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.26:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"8d2788a4-adae-4a1e-9fec-b29305824248","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.d4c1ac57-9407-48f9-88fe-76e780c7b1ea.prod.konfluxeaas.com","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-12T00:11:39Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"8d2788a4-adae-4a1e-9fec-b29305824248","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.14:47546","PortSpecifier":{"PortValue":47546}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.26:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781223099,"nanos":567049501},"http":{"id":"8d2788a4-adae-4a1e-9fec-b29305824248","method":"POST","headers":{":authority":"maas.apps.d4c1ac57-9407-48f9-88fe-76e780c7b1ea.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-12T00:11:39Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"8d2788a4-adae-4a1e-9fec-b29305824248","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781223399,"groups":["Engineering","Project-Alpha"],"iat":1781223099,"iss":"https://keycloak.apps.d4c1ac57-9407-48f9-88fe-76e780c7b1ea.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:3b3ee1da-c0c0-ad13-2746-10b4fc21dd87","preferred_username":"alice_lead","scope":"profile email","sid":"vJ5yX8Ps86FcTpoRthnZu-1E","sub":"40e1aa09-b4ed-4579-a187-de3e3ddf1260","typ":"Bearer"}}
{"level":"debug","ts":"2026-06-12T00:11:39Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"8d2788a4-adae-4a1e-9fec-b29305824248","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781223399,"groups":["Engineering","Project-Alpha"],"iat":1781223099,"iss":"https://keycloak.apps.d4c1ac57-9407-48f9-88fe-76e780c7b1ea.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:3b3ee1da-c0c0-ad13-2746-10b4fc21dd87","preferred_username":"alice_lead","scope":"profile email","sid":"vJ5yX8Ps86FcTpoRthnZu-1E","sub":"40e1aa09-b4ed-4579-a187-de3e3ddf1260","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.132.0.26:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.d4c1ac57-9407-48f9-88fe-76e780c7b1ea.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-12T00:11:39Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"8d2788a4-adae-4a1e-9fec-b29305824248","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-12T00:11:39Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"8d2788a4-adae-4a1e-9fec-b29305824248","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-12T00:11:39Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"8d2788a4-adae-4a1e-9fec-b29305824248","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-12T00:11:39Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"8d2788a4-adae-4a1e-9fec-b29305824248","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"groups_str","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"userid","Value":{}},{"Name":"groups","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_info","Value":{}}]},"Plain":null},"reason":"no such key: metadata"}
{"level":"debug","ts":"2026-06-12T00:11:39Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"8d2788a4-adae-4a1e-9fec-b29305824248","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"}
{"level":"debug","ts":"2026-06-12T00:11:39Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"8d2788a4-adae-4a1e-9fec-b29305824248","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"}
{"level":"info","ts":"2026-06-12T00:11:39Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"8d2788a4-adae-4a1e-9fec-b29305824248","authorized":true,"response":"OK"}
{"level":"debug","ts":"2026-06-12T00:11:39Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"8d2788a4-adae-4a1e-9fec-b29305824248","authorized":true,"response":"OK"}
{"level":"info","ts":"2026-06-12T00:11:39Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"6ed26fa9-f624-49b7-bdc8-101b96d86753","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.14:47562","PortSpecifier":{"PortValue":47562}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.26:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"6ed26fa9-f624-49b7-bdc8-101b96d86753","method":"GET","path":"/maas-api/v1/models","host":"maas.apps.d4c1ac57-9407-48f9-88fe-76e780c7b1ea.prod.konfluxeaas.com","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-12T00:11:39Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"6ed26fa9-f624-49b7-bdc8-101b96d86753","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.14:47562","PortSpecifier":{"PortValue":47562}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.26:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781223099,"nanos":599962192},"http":{"id":"6ed26fa9-f624-49b7-bdc8-101b96d86753","method":"GET","headers":{":authority":"maas.apps.d4c1ac57-9407-48f9-88fe-76e780c7b1ea.prod.konfluxeaas.com",":method":"GET",":path":"/maas-api/v1/models",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-12T00:11:39Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"6ed26fa9-f624-49b7-bdc8-101b96d86753","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-1NuCncwA9C2Hzj6YI_GT9sA9Rnc9GEvEE23qM4rD2L419CrSJEAVN2D5DXMUe"}
{"level":"debug","ts":"2026-06-12T00:11:39Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"6ed26fa9-f624-49b7-bdc8-101b96d86753","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-1NuCncwA9C2Hzj6YI_GT9sA9Rnc9GEvEE23qM4rD2L419CrSJEAVN2D5DXMUe\"}"}
{"level":"debug","ts":"2026-06-12T00:11:39Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"6ed26fa9-f624-49b7-bdc8-101b96d86753","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-12T00:11:39Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"6ed26fa9-f624-49b7-bdc8-101b96d86753","input":{"auth":{"identity":"Bearer **** deflate","authorization":"Bearer **** deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-12T00:11:39Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"6ed26fa9-f624-49b7-bdc8-101b96d86753","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-12T00:11:39Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"6ed26fa9-f624-49b7-bdc8-101b96d86753","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-12T00:11:39Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"6ed26fa9-f624-49b7-bdc8-101b96d86753","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-12T00:11:39Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"6ed26fa9-f624-49b7-bdc8-101b96d86753","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-12T00:11:39Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"6ed26fa9-f624-49b7-bdc8-101b96d86753","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-12T00:11:39Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"6ed26fa9-f624-49b7-bdc8-101b96d86753","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"groups_str","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"userid","Value":{}},{"Name":"groups","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_info","Value":{}}]},"Plain":null},"reason":"no such key: subscription-info"}
{"level":"debug","ts":"2026-06-12T00:11:39Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"6ed26fa9-f624-49b7-bdc8-101b96d86753","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"}
{"level":"info","ts":"2026-06-12T00:11:39Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"6ed26fa9-f624-49b7-bdc8-101b96d86753","authorized":true,"response":"OK"}
{"level":"debug","ts":"2026-06-12T00:11:39Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"6ed26fa9-f624-49b7-bdc8-101b96d86753","authorized":true,"response":"OK"}
{"level":"info","ts":"2026-06-12T00:11:39Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"9230fc3b-06d4-4589-abc7-51f1d14ed674","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.30:48282","PortSpecifier":{"PortValue":48282}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.26:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"9230fc3b-06d4-4589-abc7-51f1d14ed674","method":"GET","path":"/llm/facebook-opt-125m-simulated/v1/models","host":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-12T00:11:39Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"9230fc3b-06d4-4589-abc7-51f1d14ed674","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.30:48282","PortSpecifier":{"PortValue":48282}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.26:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781223099,"nanos":607456426},"http":{"id":"9230fc3b-06d4-4589-abc7-51f1d14ed674","method":"GET","headers":{":authority":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local",":method":"GET",":path":"/llm/facebook-opt-125m-simulated/v1/models",":scheme":"https","accept-encoding":"gzip","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-12T00:11:39Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"9230fc3b-06d4-4589-abc7-51f1d14ed674","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-1NuCncwA9C2Hzj6YI_GT9sA9Rnc9GEvEE23qM4rD2L419CrSJEAVN2D5DXMUe"}
{"level":"debug","ts":"2026-06-12T00:11:39Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"9230fc3b-06d4-4589-abc7-51f1d14ed674","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-1NuCncwA9C2Hzj6YI_GT9sA9Rnc9GEvEE23qM4rD2L419CrSJEAVN2D5DXMUe\"}"}
{"level":"debug","ts":"2026-06-12T00:11:39Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"9230fc3b-06d4-4589-abc7-51f1d14ed674","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-12T00:11:39Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"9230fc3b-06d4-4589-abc7-51f1d14ed674","config":"subscription-info","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","headers":{"Content-Type":["application/json"]},"body":"{\"groups\":[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"],\"requestedModel\":\"llm/facebook-opt-125m-simulated\",\"requestedSubscription\":\"simulator-subscription\",\"username\":\"alice_lead\"}"}
{"level":"debug","ts":"2026-06-12T00:11:39Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"9230fc3b-06d4-4589-abc7-51f1d14ed674","config":{"Name":"subscription-info","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"UserInfo":null,"UMA":null,"GenericHTTP":{"Endpoint":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","DynamicEndpoint":null,"Method":"POST","Body":{},"Parameters":[],"Headers":[],"ContentType":"application/json","SharedSecret":"","OAuth2":null,"OAuth2TokenForceFetch":false,"AuthCredentials":null}},"object":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}}
{"level":"debug","ts":"2026-06-12T00:11:39Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"9230fc3b-06d4-4589-abc7-51f1d14ed674","input":{"auth":{"identity":"Bearer **** subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}}},"context":{"context_extensions":{"host":"3dd75e19cd66d310c30638e330078972afd6d2d96305f91055bc6a6f363fb8d3"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.132.0.26:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local",":method":"GET",":path":"/llm/facebook-opt-125m-simulated/v1/models",":scheme":"https","accept-encoding":"gzip","authorization":"Bearer **** sk-oai-1NuCncwA9C2Hzj6YI_GT9sA9Rnc9GEvEE23qM4rD2L419CrSJEAVN2D5DXMUe","user-agent":"Go-http-client/1.1","x-envoy-decorator-operation":"facebook-opt-125m-simulated-kserve-workload-svc.llm.svc.cluster.local:8000/*","x-envoy-external-address":"10.134.0.30","x-envoy-peer-metadata":"ChoKCkNMVVNURVJfSUQSDBoKS3ViZXJuZXRlcwqLAQoGTEFCRUxTEoABKn4KSwofc2VydmljZS5pc3Rpby5pby9jYW5vbmljYWwtbmFtZRIoGiZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAovCiNzZXJ2aWNlLmlzdGlvLmlvL2Nhbm9uaWNhbC1yZXZpc2lvbhIIGgZsYXRlc3QKQQoETkFNRRI5GjdtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdC04NTU5Y2Q1NzQ0LTV0cjd0CiAKCU5BTUVTUEFDRRITGhFvcGVuc2hpZnQtaW5ncmVzcwp0CgVPV05FUhJrGmlrdWJlcm5ldGVzOi8vYXBpcy9hcHBzL3YxL25hbWVzcGFjZXMvb3BlbnNoaWZ0LWluZ3Jlc3MvZGVwbG95bWVudHMvbWFhcy1kZWZhdWx0LWdhdGV3YXktb3BlbnNoaWZ0LWRlZmF1bHQKOQoNV09SS0xPQURfTkFNRRIoGiZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdA==","x-envoy-peer-metadata-id":"router~10.132.0.26~maas-default-gateway-openshift-default-8559cd5744-5tr7t.openshift-ingress~openshift-ingress.svc.cluster.local","x-forwarded-for":"10.134.0.30","x-forwarded-proto":"https","x-maas-subscription":"simulator-subscription","x-request-id":"9230fc3b-06d4-4589-abc7-51f1d14ed674"},"host":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local","id":"9230fc3b-06d4-4589-abc7-51f1d14ed674","method":"GET","path":"/llm/facebook-opt-125m-simulated/v1/models","protocol":"HTTP/1.1","scheme":"https","time":{"nanos":607456426,"seconds":1781223099},"url_path":"/llm/facebook-opt-125m-simulated/v1/models","user_agent":"Go-http-client/1.1"},"source":{"address":"10.134.0.30:48282","port":48282}}}
{"level":"debug","ts":"2026-06-12T00:11:39Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"9230fc3b-06d4-4589-abc7-51f1d14ed674","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-12T00:11:39Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"9230fc3b-06d4-4589-abc7-51f1d14ed674","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-12T00:11:39Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"9230fc3b-06d4-4589-abc7-51f1d14ed674","config":{"Name":"subscription-valid","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-12T00:11:39Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"9230fc3b-06d4-4589-abc7-51f1d14ed674","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-12T00:11:39Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"9230fc3b-06d4-4589-abc7-51f1d14ed674","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-12T00:11:39Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"9230fc3b-06d4-4589-abc7-51f1d14ed674","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-12T00:11:39Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"9230fc3b-06d4-4589-abc7-51f1d14ed674","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"}
{"level":"debug","ts":"2026-06-12T00:11:39Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"9230fc3b-06d4-4589-abc7-51f1d14ed674","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"subscription_error","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"userid","Value":{}},{"Name":"groups","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription","Value":{}}]},"Plain":null},"object":{"groups":["system:authenticated","Engineering","Project-Alpha"],"groups_str":"system:authenticated,Engineering,Project-Alpha","keyId":"73504bab-1719-4efc-a42f-7b280ad44d9a","selected_subscription":"simulator-subscription","selected_subscription_key":"models-as-a-service/simulator-subscription@llm/facebook-opt-125m-simulated","subscription_error":"","subscription_error_message":"","subscription_info":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true},"userid":"alice_lead"}}
{"level":"info","ts":"2026-06-12T00:11:39Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"9230fc3b-06d4-4589-abc7-51f1d14ed674","authorized":true,"response":"OK"}
{"level":"debug","ts":"2026-06-12T00:11:39Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"9230fc3b-06d4-4589-abc7-51f1d14ed674","authorized":true,"response":"OK"}
{"level":"info","ts":"2026-06-12T00:11:39Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"805a8ca1-290e-492c-8ee2-a967dd438e68","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.14:47566","PortSpecifier":{"PortValue":47566}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.26:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"805a8ca1-290e-492c-8ee2-a967dd438e68","method":"GET","path":"/maas-api/v1/models","host":"maas.apps.d4c1ac57-9407-48f9-88fe-76e780c7b1ea.prod.konfluxeaas.com","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-12T00:11:39Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"805a8ca1-290e-492c-8ee2-a967dd438e68","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.14:47566","PortSpecifier":{"PortValue":47566}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.26:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781223099,"nanos":640557732},"http":{"id":"805a8ca1-290e-492c-8ee2-a967dd438e68","method":"GET","headers":{":authority":"maas.apps.d4c1ac57-9407-48f9-88fe-76e780c7b1ea.prod.konfluxeaas.com",":method":"GET",":path":"/maas-api/v1/models",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-12T00:11:39Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"805a8ca1-290e-492c-8ee2-a967dd438e68","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-1NuCncwA9C2Hzj6YI_GT9sA9Rnc9GEvEE23qM4rD2L419CrSJEAVN2D5DXMUe"}
{"level":"debug","ts":"2026-06-12T00:11:39Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"805a8ca1-290e-492c-8ee2-a967dd438e68","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-1NuCncwA9C2Hzj6YI_GT9sA9Rnc9GEvEE23qM4rD2L419CrSJEAVN2D5DXMUe\"}"}
{"level":"debug","ts":"2026-06-12T00:11:39Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"805a8ca1-290e-492c-8ee2-a967dd438e68","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-12T00:11:39Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"805a8ca1-290e-492c-8ee2-a967dd438e68","input":{"auth":{"identity":"Bearer **** deflate","authorization":"Bearer **** deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-12T00:11:39Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"805a8ca1-290e-492c-8ee2-a967dd438e68","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-12T00:11:39Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"805a8ca1-290e-492c-8ee2-a967dd438e68","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-12T00:11:39Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"805a8ca1-290e-492c-8ee2-a967dd438e68","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-12T00:11:39Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"805a8ca1-290e-492c-8ee2-a967dd438e68","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-12T00:11:39Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"805a8ca1-290e-492c-8ee2-a967dd438e68","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-12T00:11:39Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"805a8ca1-290e-492c-8ee2-a967dd438e68","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"groups_str","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"userid","Value":{}},{"Name":"groups","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_info","Value":{}}]},"Plain":null},"reason":"no such key: subscription-info"}
{"level":"debug","ts":"2026-06-12T00:11:39Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"805a8ca1-290e-492c-8ee2-a967dd438e68","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"}
{"level":"info","ts":"2026-06-12T00:11:39Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"805a8ca1-290e-492c-8ee2-a967dd438e68","authorized":true,"response":"OK"}
{"level":"debug","ts":"2026-06-12T00:11:39Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"805a8ca1-290e-492c-8ee2-a967dd438e68","authorized":true,"response":"OK"}
{"level":"info","ts":"2026-06-12T00:11:39Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"6182a0a3-b238-429e-ab54-e7e0e596bd46","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.30:48282","PortSpecifier":{"PortValue":48282}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.26:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"6182a0a3-b238-429e-ab54-e7e0e596bd46","method":"GET","path":"/llm/facebook-opt-125m-simulated/v1/models","host":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-12T00:11:39Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"6182a0a3-b238-429e-ab54-e7e0e596bd46","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.30:48282","PortSpecifier":{"PortValue":48282}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.26:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781223099,"nanos":647997938},"http":{"id":"6182a0a3-b238-429e-ab54-e7e0e596bd46","method":"GET","headers":{":authority":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local",":method":"GET",":path":"/llm/facebook-opt-125m-simulated/v1/models",":scheme":"https","accept-encoding":"gzip","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-12T00:11:39Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"6182a0a3-b238-429e-ab54-e7e0e596bd46","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-1NuCncwA9C2Hzj6YI_GT9sA9Rnc9GEvEE23qM4rD2L419CrSJEAVN2D5DXMUe"}
{"level":"debug","ts":"2026-06-12T00:11:39Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"6182a0a3-b238-429e-ab54-e7e0e596bd46","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-1NuCncwA9C2Hzj6YI_GT9sA9Rnc9GEvEE23qM4rD2L419CrSJEAVN2D5DXMUe\"}"}
{"level":"debug","ts":"2026-06-12T00:11:39Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"6182a0a3-b238-429e-ab54-e7e0e596bd46","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-12T00:11:39Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"6182a0a3-b238-429e-ab54-e7e0e596bd46","config":"subscription-info","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","headers":{"Content-Type":["application/json"]},"body":"{\"groups\":[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"],\"requestedModel\":\"llm/facebook-opt-125m-simulated\",\"requestedSubscription\":\"simulator-subscription\",\"username\":\"alice_lead\"}"}
{"level":"debug","ts":"2026-06-12T00:11:39Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"6182a0a3-b238-429e-ab54-e7e0e596bd46","config":{"Name":"subscription-info","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"UserInfo":null,"UMA":null,"GenericHTTP":{"Endpoint":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","DynamicEndpoint":null,"Method":"POST","Body":{},"Parameters":[],"Headers":[],"ContentType":"application/json","SharedSecret":"","OAuth2":null,"OAuth2TokenForceFetch":false,"AuthCredentials":null}},"object":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}}
{"level":"debug","ts":"2026-06-12T00:11:39Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"6182a0a3-b238-429e-ab54-e7e0e596bd46","input":{"auth":{"identity":"Bearer **** subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}}},"context":{"context_extensions":{"host":"3dd75e19cd66d310c30638e330078972afd6d2d96305f91055bc6a6f363fb8d3"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.132.0.26:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local",":method":"GET",":path":"/llm/facebook-opt-125m-simulated/v1/models",":scheme":"https","accept-encoding":"gzip","authorization":"Bearer **** sk-oai-1NuCncwA9C2Hzj6YI_GT9sA9Rnc9GEvEE23qM4rD2L419CrSJEAVN2D5DXMUe","user-agent":"Go-http-client/1.1","x-envoy-decorator-operation":"facebook-opt-125m-simulated-kserve-workload-svc.llm.svc.cluster.local:8000/*","x-envoy-external-address":"10.134.0.30","x-envoy-peer-metadata":"ChoKCkNMVVNURVJfSUQSDBoKS3ViZXJuZXRlcwqLAQoGTEFCRUxTEoABKn4KSwofc2VydmljZS5pc3Rpby5pby9jYW5vbmljYWwtbmFtZRIoGiZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAovCiNzZXJ2aWNlLmlzdGlvLmlvL2Nhbm9uaWNhbC1yZXZpc2lvbhIIGgZsYXRlc3QKQQoETkFNRRI5GjdtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdC04NTU5Y2Q1NzQ0LTV0cjd0CiAKCU5BTUVTUEFDRRITGhFvcGVuc2hpZnQtaW5ncmVzcwp0CgVPV05FUhJrGmlrdWJlcm5ldGVzOi8vYXBpcy9hcHBzL3YxL25hbWVzcGFjZXMvb3BlbnNoaWZ0LWluZ3Jlc3MvZGVwbG95bWVudHMvbWFhcy1kZWZhdWx0LWdhdGV3YXktb3BlbnNoaWZ0LWRlZmF1bHQKOQoNV09SS0xPQURfTkFNRRIoGiZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdA==","x-envoy-peer-metadata-id":"router~10.132.0.26~maas-default-gateway-openshift-default-8559cd5744-5tr7t.openshift-ingress~openshift-ingress.svc.cluster.local","x-forwarded-for":"10.134.0.30","x-forwarded-proto":"https","x-maas-subscription":"simulator-subscription","x-request-id":"6182a0a3-b238-429e-ab54-e7e0e596bd46"},"host":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local","id":"6182a0a3-b238-429e-ab54-e7e0e596bd46","method":"GET","path":"/llm/facebook-opt-125m-simulated/v1/models","protocol":"HTTP/1.1","scheme":"https","time":{"nanos":647997938,"seconds":1781223099},"url_path":"/llm/facebook-opt-125m-simulated/v1/models","user_agent":"Go-http-client/1.1"},"source":{"address":"10.134.0.30:48282","port":48282}}}
{"level":"debug","ts":"2026-06-12T00:11:39Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"6182a0a3-b238-429e-ab54-e7e0e596bd46","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-12T00:11:39Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"6182a0a3-b238-429e-ab54-e7e0e596bd46","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-12T00:11:39Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"6182a0a3-b238-429e-ab54-e7e0e596bd46","config":{"Name":"subscription-valid","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-12T00:11:39Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"6182a0a3-b238-429e-ab54-e7e0e596bd46","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-12T00:11:39Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"6182a0a3-b238-429e-ab54-e7e0e596bd46","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-12T00:11:39Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"6182a0a3-b238-429e-ab54-e7e0e596bd46","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-12T00:11:39Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"6182a0a3-b238-429e-ab54-e7e0e596bd46","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"}
{"level":"debug","ts":"2026-06-12T00:11:39Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"6182a0a3-b238-429e-ab54-e7e0e596bd46","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"subscription_error","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"userid","Value":{}},{"Name":"groups","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription","Value":{}}]},"Plain":null},"object":{"groups":["system:authenticated","Engineering","Project-Alpha"],"groups_str":"system:authenticated,Engineering,Project-Alpha","keyId":"73504bab-1719-4efc-a42f-7b280ad44d9a","selected_subscription":"simulator-subscription","selected_subscription_key":"models-as-a-service/simulator-subscription@llm/facebook-opt-125m-simulated","subscription_error":"","subscription_error_message":"","subscription_info":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true},"userid":"alice_lead"}}
{"level":"info","ts":"2026-06-12T00:11:39Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"6182a0a3-b238-429e-ab54-e7e0e596bd46","authorized":true,"response":"OK"}
{"level":"debug","ts":"2026-06-12T00:11:39Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"6182a0a3-b238-429e-ab54-e7e0e596bd46","authorized":true,"response":"OK"}
{"level":"info","ts":"2026-06-12T00:11:39Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"198179d4-fc2c-42a2-9354-86eb1f2e6f73","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.14:47578","PortSpecifier":{"PortValue":47578}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.26:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"198179d4-fc2c-42a2-9354-86eb1f2e6f73","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.d4c1ac57-9407-48f9-88fe-76e780c7b1ea.prod.konfluxeaas.com","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-12T00:11:39Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"198179d4-fc2c-42a2-9354-86eb1f2e6f73","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.14:47578","PortSpecifier":{"PortValue":47578}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.26:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781223099,"nanos":746892310},"http":{"id":"198179d4-fc2c-42a2-9354-86eb1f2e6f73","method":"POST","headers":{":authority":"maas.apps.d4c1ac57-9407-48f9-88fe-76e780c7b1ea.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-12T00:11:39Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"198179d4-fc2c-42a2-9354-86eb1f2e6f73","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781223399,"groups":["Engineering","Project-Alpha"],"iat":1781223099,"iss":"https://keycloak.apps.d4c1ac57-9407-48f9-88fe-76e780c7b1ea.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:a2c2c884-b229-8f5f-891d-db4e10d37eb4","preferred_username":"alice_lead","scope":"profile email","sid":"MrmicXbLnpvPT7qfvJ7gx55o","sub":"40e1aa09-b4ed-4579-a187-de3e3ddf1260","typ":"Bearer"}}
{"level":"debug","ts":"2026-06-12T00:11:39Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"198179d4-fc2c-42a2-9354-86eb1f2e6f73","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781223399,"groups":["Engineering","Project-Alpha"],"iat":1781223099,"iss":"https://keycloak.apps.d4c1ac57-9407-48f9-88fe-76e780c7b1ea.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:a2c2c884-b229-8f5f-891d-db4e10d37eb4","preferred_username":"alice_lead","scope":"profile email","sid":"MrmicXbLnpvPT7qfvJ7gx55o","sub":"40e1aa09-b4ed-4579-a187-de3e3ddf1260","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.132.0.26:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.d4c1ac57-9407-48f9-88fe-76e780c7b1ea.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-12T00:11:39Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"198179d4-fc2c-42a2-9354-86eb1f2e6f73","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-12T00:11:39Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"198179d4-fc2c-42a2-9354-86eb1f2e6f73","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-12T00:11:39Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"198179d4-fc2c-42a2-9354-86eb1f2e6f73","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-12T00:11:39Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"198179d4-fc2c-42a2-9354-86eb1f2e6f73","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"groups_str","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"userid","Value":{}},{"Name":"groups","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_info","Value":{}}]},"Plain":null},"reason":"no such key: metadata"}
{"level":"debug","ts":"2026-06-12T00:11:39Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"198179d4-fc2c-42a2-9354-86eb1f2e6f73","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"}
{"level":"debug","ts":"2026-06-12T00:11:39Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"198179d4-fc2c-42a2-9354-86eb1f2e6f73","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"}
{"level":"info","ts":"2026-06-12T00:11:39Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"198179d4-fc2c-42a2-9354-86eb1f2e6f73","authorized":true,"response":"OK"}
{"level":"debug","ts":"2026-06-12T00:11:39Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"198179d4-fc2c-42a2-9354-86eb1f2e6f73","authorized":true,"response":"OK"}