{"level":"info","ts":"2026-06-14T15:50:56Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5"} {"level":"debug","ts":"2026-06-14T15:50:56Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/e50f5fdcb9fb7e124557afe69edae9a95d05da488eae1cc4b5c1c7c1220a826a","issuerUrl":"https://keycloak.apps.f70ba1ba-a79a-46d0-b47a-f1c0dac3ff4c.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-14T15:50:56Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/e50f5fdcb9fb7e124557afe69edae9a95d05da488eae1cc4b5c1c7c1220a826a"} {"level":"debug","ts":"2026-06-14T15:50:56Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/311b1be286674fd5684c9ac59b318287dade9769cfe4aeebd8c88e2dc6b72418","issuerUrl":"https://keycloak.apps.f70ba1ba-a79a-46d0-b47a-f1c0dac3ff4c.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-14T15:50:56Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"3dc75fc8307b952a3e873400cf417e90f2861e8a225abec4b22708deb7901db7","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-14T15:50:56Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/311b1be286674fd5684c9ac59b318287dade9769cfe4aeebd8c88e2dc6b72418"} {"level":"debug","ts":"2026-06-14T15:50:56Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/3dc75fc8307b952a3e873400cf417e90f2861e8a225abec4b22708deb7901db7","issuerUrl":"https://keycloak.apps.f70ba1ba-a79a-46d0-b47a-f1c0dac3ff4c.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-14T15:50:56Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/3dc75fc8307b952a3e873400cf417e90f2861e8a225abec4b22708deb7901db7"} {"level":"debug","ts":"2026-06-14T15:50:56Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"d3b195a61a7f24c6bf1fba40f9f2e2565facb6af92e959c1546ac398a9172618","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"False","lastTransitionTime":"2026-06-14T15:50:56Z","reason":"HostsNotLinked","message":"No hosts linked to the resource"},{"type":"Ready","status":"False","lastTransitionTime":"2026-06-14T15:50:56Z","reason":"Reconciling"}],"summary":{"ready":false,"hostsReady":[],"numHostsReady":"0/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":8,"festivalWristbandEnabled":false}}} {"level":"debug","ts":"2026-06-14T15:50:56Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/d3b195a61a7f24c6bf1fba40f9f2e2565facb6af92e959c1546ac398a9172618","issuerUrl":"https://keycloak.apps.f70ba1ba-a79a-46d0-b47a-f1c0dac3ff4c.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-14T15:50:56Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/d3b195a61a7f24c6bf1fba40f9f2e2565facb6af92e959c1546ac398a9172618"} {"level":"info","ts":"2026-06-14T15:50:56Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"d3b195a61a7f24c6bf1fba40f9f2e2565facb6af92e959c1546ac398a9172618","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-14T15:50:56Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"d3b195a61a7f24c6bf1fba40f9f2e2565facb6af92e959c1546ac398a9172618","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"True","lastTransitionTime":"2026-06-14T15:50:56Z","reason":"HostsLinked"},{"type":"Ready","status":"True","lastTransitionTime":"2026-06-14T15:50:56Z","reason":"Reconciled"}],"summary":{"ready":true,"hostsReady":["d3b195a61a7f24c6bf1fba40f9f2e2565facb6af92e959c1546ac398a9172618"],"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":8,"festivalWristbandEnabled":false}}} {"level":"debug","ts":"2026-06-14T15:50:56Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/d3b195a61a7f24c6bf1fba40f9f2e2565facb6af92e959c1546ac398a9172618","issuerUrl":"https://keycloak.apps.f70ba1ba-a79a-46d0-b47a-f1c0dac3ff4c.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-14T15:50:56Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/d3b195a61a7f24c6bf1fba40f9f2e2565facb6af92e959c1546ac398a9172618"} {"level":"debug","ts":"2026-06-14T15:50:56Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/319a353672fc7601c875fa3f8b807adf60b64f093f022b2a1c3dfef3ac8cd4f4","issuerUrl":"https://keycloak.apps.f70ba1ba-a79a-46d0-b47a-f1c0dac3ff4c.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-14T15:50:56Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"d3b195a61a7f24c6bf1fba40f9f2e2565facb6af92e959c1546ac398a9172618","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-14T15:50:56Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"319a353672fc7601c875fa3f8b807adf60b64f093f022b2a1c3dfef3ac8cd4f4","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"False","lastTransitionTime":"2026-06-14T15:50:56Z","reason":"HostsNotLinked","message":"No hosts linked to the resource"},{"type":"Ready","status":"False","lastTransitionTime":"2026-06-14T15:50:56Z","reason":"Reconciling"}],"summary":{"ready":false,"hostsReady":[],"numHostsReady":"0/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":8,"festivalWristbandEnabled":false}}} {"level":"info","ts":"2026-06-14T15:50:56Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/319a353672fc7601c875fa3f8b807adf60b64f093f022b2a1c3dfef3ac8cd4f4"} {"level":"debug","ts":"2026-06-14T15:50:56Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/d3b195a61a7f24c6bf1fba40f9f2e2565facb6af92e959c1546ac398a9172618","issuerUrl":"https://keycloak.apps.f70ba1ba-a79a-46d0-b47a-f1c0dac3ff4c.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-14T15:50:56Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"319a353672fc7601c875fa3f8b807adf60b64f093f022b2a1c3dfef3ac8cd4f4","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-14T15:50:56Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"d3b195a61a7f24c6bf1fba40f9f2e2565facb6af92e959c1546ac398a9172618","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"False","lastTransitionTime":"2026-06-14T15:50:56Z","reason":"HostsNotLinked","message":"No hosts linked to the resource"},{"type":"Ready","status":"False","lastTransitionTime":"2026-06-14T15:50:56Z","reason":"Reconciling"}],"summary":{"ready":false,"hostsReady":[],"numHostsReady":"0/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":8,"festivalWristbandEnabled":false}}} {"level":"info","ts":"2026-06-14T15:50:56Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/d3b195a61a7f24c6bf1fba40f9f2e2565facb6af92e959c1546ac398a9172618"} {"level":"info","ts":"2026-06-14T15:50:56Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"d3b195a61a7f24c6bf1fba40f9f2e2565facb6af92e959c1546ac398a9172618","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-14T15:50:56Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"331dc257e65f55f80700a586f7807093eda7b3d8e7d91215dc3c47731508480c","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"False","lastTransitionTime":"2026-06-14T15:50:56Z","reason":"HostsNotLinked","message":"No hosts linked to the resource"},{"type":"Ready","status":"False","lastTransitionTime":"2026-06-14T15:50:56Z","reason":"Reconciling"}],"summary":{"ready":false,"hostsReady":[],"numHostsReady":"0/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":8,"festivalWristbandEnabled":false}}} {"level":"debug","ts":"2026-06-14T15:50:56Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/331dc257e65f55f80700a586f7807093eda7b3d8e7d91215dc3c47731508480c","issuerUrl":"https://keycloak.apps.f70ba1ba-a79a-46d0-b47a-f1c0dac3ff4c.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-14T15:50:56Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/331dc257e65f55f80700a586f7807093eda7b3d8e7d91215dc3c47731508480c"} {"level":"info","ts":"2026-06-14T15:50:56Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"331dc257e65f55f80700a586f7807093eda7b3d8e7d91215dc3c47731508480c","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-14T15:50:56Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"319a353672fc7601c875fa3f8b807adf60b64f093f022b2a1c3dfef3ac8cd4f4","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-14T15:50:56Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"df733b2c652bfe2458c9e19932b1091e939c1a62178d6879462b3b4f73fca4bb","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-14T15:50:56Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"d3b195a61a7f24c6bf1fba40f9f2e2565facb6af92e959c1546ac398a9172618","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"True","lastTransitionTime":"2026-06-14T15:50:56Z","reason":"HostsLinked"},{"type":"Ready","status":"True","lastTransitionTime":"2026-06-14T15:50:56Z","reason":"Reconciled"}],"summary":{"ready":true,"hostsReady":["d3b195a61a7f24c6bf1fba40f9f2e2565facb6af92e959c1546ac398a9172618"],"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":8,"festivalWristbandEnabled":false}}} {"level":"debug","ts":"2026-06-14T15:50:56Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/319a353672fc7601c875fa3f8b807adf60b64f093f022b2a1c3dfef3ac8cd4f4","issuerUrl":"https://keycloak.apps.f70ba1ba-a79a-46d0-b47a-f1c0dac3ff4c.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-14T15:50:56Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/319a353672fc7601c875fa3f8b807adf60b64f093f022b2a1c3dfef3ac8cd4f4"} {"level":"info","ts":"2026-06-14T15:50:56Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"d3b195a61a7f24c6bf1fba40f9f2e2565facb6af92e959c1546ac398a9172618","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-14T15:50:56Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"86cbb62fb4d82d4dc402b3281444539a5625c4bb4c86bbc4912c70e690a2e374","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-14T15:50:56Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"331dc257e65f55f80700a586f7807093eda7b3d8e7d91215dc3c47731508480c","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"True","lastTransitionTime":"2026-06-14T15:50:56Z","reason":"HostsLinked"},{"type":"Ready","status":"True","lastTransitionTime":"2026-06-14T15:50:56Z","reason":"Reconciled"}],"summary":{"ready":true,"hostsReady":["331dc257e65f55f80700a586f7807093eda7b3d8e7d91215dc3c47731508480c"],"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":8,"festivalWristbandEnabled":false}}} {"level":"debug","ts":"2026-06-14T15:50:56Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/df733b2c652bfe2458c9e19932b1091e939c1a62178d6879462b3b4f73fca4bb","issuerUrl":"https://keycloak.apps.f70ba1ba-a79a-46d0-b47a-f1c0dac3ff4c.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-14T15:50:56Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"331dc257e65f55f80700a586f7807093eda7b3d8e7d91215dc3c47731508480c","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-14T15:50:56Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"319a353672fc7601c875fa3f8b807adf60b64f093f022b2a1c3dfef3ac8cd4f4","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"True","lastTransitionTime":"2026-06-14T15:50:56Z","reason":"HostsLinked"},{"type":"Ready","status":"True","lastTransitionTime":"2026-06-14T15:50:56Z","reason":"Reconciled"}],"summary":{"ready":true,"hostsReady":["319a353672fc7601c875fa3f8b807adf60b64f093f022b2a1c3dfef3ac8cd4f4"],"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":8,"festivalWristbandEnabled":false}}} {"level":"info","ts":"2026-06-14T15:50:56Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/df733b2c652bfe2458c9e19932b1091e939c1a62178d6879462b3b4f73fca4bb"} {"level":"debug","ts":"2026-06-14T15:50:56Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/d3b195a61a7f24c6bf1fba40f9f2e2565facb6af92e959c1546ac398a9172618","issuerUrl":"https://keycloak.apps.f70ba1ba-a79a-46d0-b47a-f1c0dac3ff4c.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-14T15:50:56Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"319a353672fc7601c875fa3f8b807adf60b64f093f022b2a1c3dfef3ac8cd4f4","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-14T15:50:56Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"d3b195a61a7f24c6bf1fba40f9f2e2565facb6af92e959c1546ac398a9172618","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"False","lastTransitionTime":"2026-06-14T15:50:56Z","reason":"HostsNotLinked","message":"No hosts linked to the resource"},{"type":"Ready","status":"False","lastTransitionTime":"2026-06-14T15:50:56Z","reason":"Reconciling"}],"summary":{"ready":false,"hostsReady":[],"numHostsReady":"0/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":8,"festivalWristbandEnabled":false}}} {"level":"info","ts":"2026-06-14T15:50:56Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/d3b195a61a7f24c6bf1fba40f9f2e2565facb6af92e959c1546ac398a9172618"} {"level":"debug","ts":"2026-06-14T15:50:56Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/86cbb62fb4d82d4dc402b3281444539a5625c4bb4c86bbc4912c70e690a2e374","issuerUrl":"https://keycloak.apps.f70ba1ba-a79a-46d0-b47a-f1c0dac3ff4c.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-14T15:50:56Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/86cbb62fb4d82d4dc402b3281444539a5625c4bb4c86bbc4912c70e690a2e374"} {"level":"info","ts":"2026-06-14T15:50:56Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"d3b195a61a7f24c6bf1fba40f9f2e2565facb6af92e959c1546ac398a9172618","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-14T15:50:56Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"cc09b530b46a73b0d4ddb40e465580cff15db19d77e93e4903c9737647deeb1a","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-14T15:50:56Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"331dc257e65f55f80700a586f7807093eda7b3d8e7d91215dc3c47731508480c","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"False","lastTransitionTime":"2026-06-14T15:50:56Z","reason":"HostsNotLinked","message":"No hosts linked to the resource"},{"type":"Ready","status":"False","lastTransitionTime":"2026-06-14T15:50:56Z","reason":"Reconciling"}],"summary":{"ready":false,"hostsReady":[],"numHostsReady":"0/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":8,"festivalWristbandEnabled":false}}} {"level":"debug","ts":"2026-06-14T15:50:56Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/331dc257e65f55f80700a586f7807093eda7b3d8e7d91215dc3c47731508480c","issuerUrl":"https://keycloak.apps.f70ba1ba-a79a-46d0-b47a-f1c0dac3ff4c.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-14T15:50:56Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"331dc257e65f55f80700a586f7807093eda7b3d8e7d91215dc3c47731508480c","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-14T15:50:56Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"3c0d47082320c9bb02d3788ab2b052c696af91abc2ae438437ae71a26936c7c2","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-14T15:50:56Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"319a353672fc7601c875fa3f8b807adf60b64f093f022b2a1c3dfef3ac8cd4f4","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-14T15:50:56Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"bf72a6316f6ed79299511e58d068836cdc71dbca5e23944f783c9340ffa0aee1","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-14T15:50:56Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"d3b195a61a7f24c6bf1fba40f9f2e2565facb6af92e959c1546ac398a9172618","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"True","lastTransitionTime":"2026-06-14T15:50:56Z","reason":"HostsLinked"},{"type":"Ready","status":"True","lastTransitionTime":"2026-06-14T15:50:56Z","reason":"Reconciled"}],"summary":{"ready":true,"hostsReady":["d3b195a61a7f24c6bf1fba40f9f2e2565facb6af92e959c1546ac398a9172618"],"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":8,"festivalWristbandEnabled":false}}} {"level":"info","ts":"2026-06-14T15:50:56Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/331dc257e65f55f80700a586f7807093eda7b3d8e7d91215dc3c47731508480c"} {"level":"debug","ts":"2026-06-14T15:50:56Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/cc09b530b46a73b0d4ddb40e465580cff15db19d77e93e4903c9737647deeb1a","issuerUrl":"https://keycloak.apps.f70ba1ba-a79a-46d0-b47a-f1c0dac3ff4c.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-14T15:50:56Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"d3b195a61a7f24c6bf1fba40f9f2e2565facb6af92e959c1546ac398a9172618","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-14T15:50:56Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"331dc257e65f55f80700a586f7807093eda7b3d8e7d91215dc3c47731508480c","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"True","lastTransitionTime":"2026-06-14T15:50:56Z","reason":"HostsLinked"},{"type":"Ready","status":"True","lastTransitionTime":"2026-06-14T15:50:56Z","reason":"Reconciled"}],"summary":{"ready":true,"hostsReady":["331dc257e65f55f80700a586f7807093eda7b3d8e7d91215dc3c47731508480c"],"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":8,"festivalWristbandEnabled":false}}} {"level":"info","ts":"2026-06-14T15:50:56Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/cc09b530b46a73b0d4ddb40e465580cff15db19d77e93e4903c9737647deeb1a"} {"level":"info","ts":"2026-06-14T15:50:56Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"331dc257e65f55f80700a586f7807093eda7b3d8e7d91215dc3c47731508480c","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-14T15:50:56Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"d3b195a61a7f24c6bf1fba40f9f2e2565facb6af92e959c1546ac398a9172618","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-14T15:50:56Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"331dc257e65f55f80700a586f7807093eda7b3d8e7d91215dc3c47731508480c","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-14T15:50:56Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/3c0d47082320c9bb02d3788ab2b052c696af91abc2ae438437ae71a26936c7c2","issuerUrl":"https://keycloak.apps.f70ba1ba-a79a-46d0-b47a-f1c0dac3ff4c.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-14T15:50:56Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/3c0d47082320c9bb02d3788ab2b052c696af91abc2ae438437ae71a26936c7c2"} {"level":"debug","ts":"2026-06-14T15:50:56Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/319a353672fc7601c875fa3f8b807adf60b64f093f022b2a1c3dfef3ac8cd4f4","issuerUrl":"https://keycloak.apps.f70ba1ba-a79a-46d0-b47a-f1c0dac3ff4c.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-14T15:50:56Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/319a353672fc7601c875fa3f8b807adf60b64f093f022b2a1c3dfef3ac8cd4f4"} {"level":"debug","ts":"2026-06-14T15:50:56Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/bf72a6316f6ed79299511e58d068836cdc71dbca5e23944f783c9340ffa0aee1","issuerUrl":"https://keycloak.apps.f70ba1ba-a79a-46d0-b47a-f1c0dac3ff4c.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-14T15:50:56Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/bf72a6316f6ed79299511e58d068836cdc71dbca5e23944f783c9340ffa0aee1"} {"level":"debug","ts":"2026-06-14T15:50:56Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/d3b195a61a7f24c6bf1fba40f9f2e2565facb6af92e959c1546ac398a9172618","issuerUrl":"https://keycloak.apps.f70ba1ba-a79a-46d0-b47a-f1c0dac3ff4c.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-14T15:50:56Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/d3b195a61a7f24c6bf1fba40f9f2e2565facb6af92e959c1546ac398a9172618"} {"level":"info","ts":"2026-06-14T15:50:56Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource de-indexed","authconfig":"kuadrant-system/3efb8e937aa19b5e0bdd0c3eb5b4ece33299385dcfc89205b8934853facbdcf0"} {"level":"info","ts":"2026-06-14T15:50:56Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource de-indexed","authconfig":"kuadrant-system/2200947db0f3acc41dd3fca21efa06f90c57afddd36d719bdda2dc74a0bd0a11"} {"level":"debug","ts":"2026-06-14T15:50:56Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/331dc257e65f55f80700a586f7807093eda7b3d8e7d91215dc3c47731508480c","issuerUrl":"https://keycloak.apps.f70ba1ba-a79a-46d0-b47a-f1c0dac3ff4c.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-14T15:50:56Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/331dc257e65f55f80700a586f7807093eda7b3d8e7d91215dc3c47731508480c"} {"level":"info","ts":"2026-06-14T15:51:25Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"9b13016d-2eb9-43b9-8a74-488c6bf93093","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.10:44540","PortSpecifier":{"PortValue":44540}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.48:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"9b13016d-2eb9-43b9-8a74-488c6bf93093","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.f70ba1ba-a79a-46d0-b47a-f1c0dac3ff4c.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-14T15:51:25Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"9b13016d-2eb9-43b9-8a74-488c6bf93093","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.10:44540","PortSpecifier":{"PortValue":44540}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.48:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781452285,"nanos":68647634},"http":{"id":"9b13016d-2eb9-43b9-8a74-488c6bf93093","method":"POST","headers":{":authority":"maas.apps.f70ba1ba-a79a-46d0-b47a-f1c0dac3ff4c.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-14T15:51:25Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"9b13016d-2eb9-43b9-8a74-488c6bf93093","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781452585,"groups":["Engineering","Project-Alpha"],"iat":1781452285,"iss":"https://keycloak.apps.f70ba1ba-a79a-46d0-b47a-f1c0dac3ff4c.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:219919f6-d811-b7d7-de8f-be4c6d99c046","preferred_username":"alice_lead","scope":"email profile","sid":"Q1kCv3DT9wBRvtKaNcf_lpnR","sub":"628dcaec-e5eb-4b3e-aa67-6912f9d6c830","typ":"Bearer"}} {"level":"debug","ts":"2026-06-14T15:51:25Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"9b13016d-2eb9-43b9-8a74-488c6bf93093","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781452585,"groups":["Engineering","Project-Alpha"],"iat":1781452285,"iss":"https://keycloak.apps.f70ba1ba-a79a-46d0-b47a-f1c0dac3ff4c.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:219919f6-d811-b7d7-de8f-be4c6d99c046","preferred_username":"alice_lead","scope":"email profile","sid":"Q1kCv3DT9wBRvtKaNcf_lpnR","sub":"628dcaec-e5eb-4b3e-aa67-6912f9d6c830","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.132.0.48:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.f70ba1ba-a79a-46d0-b47a-f1c0dac3ff4c.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-14T15:51:25Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"9b13016d-2eb9-43b9-8a74-488c6bf93093","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-14T15:51:25Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"9b13016d-2eb9-43b9-8a74-488c6bf93093","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-14T15:51:25Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"9b13016d-2eb9-43b9-8a74-488c6bf93093","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-14T15:51:25Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"9b13016d-2eb9-43b9-8a74-488c6bf93093","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"keyId","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"userid","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"groups","Value":{}},{"Name":"groups_str","Value":{}}]},"Plain":null},"reason":"no such key: metadata"} {"level":"debug","ts":"2026-06-14T15:51:25Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"9b13016d-2eb9-43b9-8a74-488c6bf93093","config":{"Name":"X-MaaS-Tenant-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Tenant","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"models-as-a-service"} {"level":"debug","ts":"2026-06-14T15:51:25Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"9b13016d-2eb9-43b9-8a74-488c6bf93093","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"} {"level":"debug","ts":"2026-06-14T15:51:25Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"9b13016d-2eb9-43b9-8a74-488c6bf93093","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"} {"level":"info","ts":"2026-06-14T15:51:25Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"9b13016d-2eb9-43b9-8a74-488c6bf93093","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-14T15:51:25Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"9b13016d-2eb9-43b9-8a74-488c6bf93093","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-14T15:51:25Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"392306b0-84cc-457e-aeea-31fb754ad208","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.10:44552","PortSpecifier":{"PortValue":44552}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.48:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"392306b0-84cc-457e-aeea-31fb754ad208","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.f70ba1ba-a79a-46d0-b47a-f1c0dac3ff4c.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-14T15:51:25Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"392306b0-84cc-457e-aeea-31fb754ad208","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.10:44552","PortSpecifier":{"PortValue":44552}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.48:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781452285,"nanos":252813670},"http":{"id":"392306b0-84cc-457e-aeea-31fb754ad208","method":"POST","headers":{":authority":"maas.apps.f70ba1ba-a79a-46d0-b47a-f1c0dac3ff4c.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-14T15:51:25Z","logger":"authorino.service.auth.authpipeline.identity","msg":"cannot validate identity","request id":"392306b0-84cc-457e-aeea-31fb754ad208","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"reason":"failed to verify signature: failed to verify id token signature"} {"level":"debug","ts":"2026-06-14T15:51:25Z","logger":"authorino.service.auth.authpipeline.identity.kubernetesauth","msg":"calling kubernetes token review api","request id":"392306b0-84cc-457e-aeea-31fb754ad208","tokenreview":{"name":""}} {"level":"debug","ts":"2026-06-14T15:51:25Z","logger":"authorino.service.auth.authpipeline.identity","msg":"cannot validate identity","request id":"392306b0-84cc-457e-aeea-31fb754ad208","config":{"Name":"openshift-identities","Priority":2,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":null,"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"Plain":null,"Noop":null,"ExtendedProperties":[]},"reason":"not authenticated"} {"level":"info","ts":"2026-06-14T15:51:25Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"392306b0-84cc-457e-aeea-31fb754ad208","authorized":false,"response":"UNAUTHENTICATED","object":{"code":16,"status":401,"message":"Authentication required"}} {"level":"debug","ts":"2026-06-14T15:51:25Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"392306b0-84cc-457e-aeea-31fb754ad208","authorized":false,"response":"UNAUTHENTICATED","object":{"code":16,"status":401,"message":"Authentication required","headers":[{"WWW-Authenticate":"request.headers.authorization realm=\"api-keys\""},{"WWW-Authenticate":"Bearer **** realm=\"openshift-identities\""}]}} {"level":"info","ts":"2026-06-14T15:51:25Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"86bbddad-8f46-44ef-a700-2a3fc56951e5","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.10:44562","PortSpecifier":{"PortValue":44562}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.48:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"86bbddad-8f46-44ef-a700-2a3fc56951e5","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.f70ba1ba-a79a-46d0-b47a-f1c0dac3ff4c.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-14T15:51:25Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"86bbddad-8f46-44ef-a700-2a3fc56951e5","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.10:44562","PortSpecifier":{"PortValue":44562}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.48:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781452285,"nanos":298214707},"http":{"id":"86bbddad-8f46-44ef-a700-2a3fc56951e5","method":"POST","headers":{":authority":"maas.apps.f70ba1ba-a79a-46d0-b47a-f1c0dac3ff4c.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer","content-length":"35","content-type":"application/json","forwarded":"for=44.212.242.249;host=maas.apps.f70ba1ba-a79a-46d0-b47a-f1c0dac3ff4c.prod.konfluxeaas.com;proto=https","user-agent":"python-requests/2.32.5","x-envoy-decorator-operation":"maas-api.opendatahub.svc.cluster.local:8443/*","x-envoy-external-address":"10.134.0.10","x-envoy-peer-metadata":"ChoKCkNMVVNURVJfSUQSDBoKS3ViZXJuZXRlcwqLAQoGTEFCRUxTEoABKn4KSwofc2VydmljZS5pc3Rpby5pby9jYW5vbmljYWwtbmFtZRIoGiZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAovCiNzZXJ2aWNlLmlzdGlvLmlvL2Nhbm9uaWNhbC1yZXZpc2lvbhIIGgZsYXRlc3QKQAoETkFNRRI4GjZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdC02ODdmZjY5OTYtOWpybmwKIAoJTkFNRVNQQUNFEhMaEW9wZW5zaGlmdC1pbmdyZXNzCnQKBU9XTkVSEmsaaWt1YmVybmV0ZXM6Ly9hcGlzL2FwcHMvdjEvbmFtZXNwYWNlcy9vcGVuc2hpZnQtaW5ncmVzcy9kZXBsb3ltZW50cy9tYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAo5Cg1XT1JLTE9BRF9OQU1FEigaJm1hYXMtZGVmYXVsdC1nYXRld2F5LW9wZW5zaGlmdC1kZWZhdWx0","x-envoy-peer-metadata-id":"router~10.132.0.48~maas-default-gateway-openshift-default-687ff6996-9jrnl.openshift-ingress~openshift-ingress.svc.cluster.local","x-forwarded-for":"44.212.242.249,10.134.0.10","x-forwarded-host":"maas.apps.f70ba1ba-a79a-46d0-b47a-f1c0dac3ff4c.prod.konfluxeaas.com","x-forwarded-port":"443","x-forwarded-proto":"https","x-request-id":"86bbddad-8f46-44ef-a700-2a3fc56951e5"},"path":"/maas-api/v1/api-keys","host":"maas.apps.f70ba1ba-a79a-46d0-b47a-f1c0dac3ff4c.prod.konfluxeaas.com","scheme":"https","protocol":"HTTP/1.1"}},"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"metadata_context":{}}} {"level":"debug","ts":"2026-06-14T15:51:25Z","logger":"authorino.service.auth.authpipeline.identity","msg":"cannot validate identity","request id":"86bbddad-8f46-44ef-a700-2a3fc56951e5","config":{"Name":"openshift-identities","Priority":2,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":null,"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"Plain":null,"Noop":null,"ExtendedProperties":[]},"reason":"credential not found"} {"level":"info","ts":"2026-06-14T15:51:25Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"86bbddad-8f46-44ef-a700-2a3fc56951e5","authorized":false,"response":"UNAUTHENTICATED","object":{"code":16,"status":401,"message":"Authentication required"}} {"level":"debug","ts":"2026-06-14T15:51:25Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"86bbddad-8f46-44ef-a700-2a3fc56951e5","authorized":false,"response":"UNAUTHENTICATED","object":{"code":16,"status":401,"message":"Authentication required","headers":[{"WWW-Authenticate":"request.headers.authorization realm=\"api-keys\""},{"WWW-Authenticate":"Bearer **** realm=\"openshift-identities\""}]}} {"level":"info","ts":"2026-06-14T15:51:25Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"ddc0aaaf-3322-446c-97db-cf75d36fcae0","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.10:44566","PortSpecifier":{"PortValue":44566}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.48:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"ddc0aaaf-3322-446c-97db-cf75d36fcae0","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.f70ba1ba-a79a-46d0-b47a-f1c0dac3ff4c.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-14T15:51:25Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"ddc0aaaf-3322-446c-97db-cf75d36fcae0","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.10:44566","PortSpecifier":{"PortValue":44566}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.48:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781452285,"nanos":326130555},"http":{"id":"ddc0aaaf-3322-446c-97db-cf75d36fcae0","method":"POST","headers":{":authority":"maas.apps.f70ba1ba-a79a-46d0-b47a-f1c0dac3ff4c.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","content-length":"36","content-type":"application/json","forwarded":"for=44.212.242.249;host=maas.apps.f70ba1ba-a79a-46d0-b47a-f1c0dac3ff4c.prod.konfluxeaas.com;proto=https","user-agent":"python-requests/2.32.5","x-envoy-decorator-operation":"maas-api.opendatahub.svc.cluster.local:8443/*","x-envoy-external-address":"10.134.0.10","x-envoy-peer-metadata":"ChoKCkNMVVNURVJfSUQSDBoKS3ViZXJuZXRlcwqLAQoGTEFCRUxTEoABKn4KSwofc2VydmljZS5pc3Rpby5pby9jYW5vbmljYWwtbmFtZRIoGiZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAovCiNzZXJ2aWNlLmlzdGlvLmlvL2Nhbm9uaWNhbC1yZXZpc2lvbhIIGgZsYXRlc3QKQAoETkFNRRI4GjZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdC02ODdmZjY5OTYtOWpybmwKIAoJTkFNRVNQQUNFEhMaEW9wZW5zaGlmdC1pbmdyZXNzCnQKBU9XTkVSEmsaaWt1YmVybmV0ZXM6Ly9hcGlzL2FwcHMvdjEvbmFtZXNwYWNlcy9vcGVuc2hpZnQtaW5ncmVzcy9kZXBsb3ltZW50cy9tYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAo5Cg1XT1JLTE9BRF9OQU1FEigaJm1hYXMtZGVmYXVsdC1nYXRld2F5LW9wZW5zaGlmdC1kZWZhdWx0","x-envoy-peer-metadata-id":"router~10.132.0.48~maas-default-gateway-openshift-default-687ff6996-9jrnl.openshift-ingress~openshift-ingress.svc.cluster.local","x-forwarded-for":"44.212.242.249,10.134.0.10","x-forwarded-host":"maas.apps.f70ba1ba-a79a-46d0-b47a-f1c0dac3ff4c.prod.konfluxeaas.com","x-forwarded-port":"443","x-forwarded-proto":"https","x-request-id":"ddc0aaaf-3322-446c-97db-cf75d36fcae0"},"path":"/maas-api/v1/api-keys","host":"maas.apps.f70ba1ba-a79a-46d0-b47a-f1c0dac3ff4c.prod.konfluxeaas.com","scheme":"https","protocol":"HTTP/1.1"}},"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"metadata_context":{}}} {"level":"info","ts":"2026-06-14T15:51:25Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"ddc0aaaf-3322-446c-97db-cf75d36fcae0","authorized":false,"response":"UNAUTHENTICATED","object":{"code":16,"status":401,"message":"Authentication required"}} {"level":"debug","ts":"2026-06-14T15:51:25Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"ddc0aaaf-3322-446c-97db-cf75d36fcae0","authorized":false,"response":"UNAUTHENTICATED","object":{"code":16,"status":401,"message":"Authentication required","headers":[{"WWW-Authenticate":"request.headers.authorization realm=\"api-keys\""},{"WWW-Authenticate":"Bearer **** realm=\"openshift-identities\""}]}} {"level":"info","ts":"2026-06-14T15:51:25Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"5fc3603e-5a5d-45f0-9786-da311d51edd6","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.10:44568","PortSpecifier":{"PortValue":44568}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.48:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"5fc3603e-5a5d-45f0-9786-da311d51edd6","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.f70ba1ba-a79a-46d0-b47a-f1c0dac3ff4c.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-14T15:51:25Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"5fc3603e-5a5d-45f0-9786-da311d51edd6","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.10:44568","PortSpecifier":{"PortValue":44568}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.48:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781452285,"nanos":969368007},"http":{"id":"5fc3603e-5a5d-45f0-9786-da311d51edd6","method":"POST","headers":{":authority":"maas.apps.f70ba1ba-a79a-46d0-b47a-f1c0dac3ff4c.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-14T15:51:25Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"5fc3603e-5a5d-45f0-9786-da311d51edd6","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781452585,"groups":["Site-Reliability"],"iat":1781452285,"iss":"https://keycloak.apps.f70ba1ba-a79a-46d0-b47a-f1c0dac3ff4c.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:18ccc3f3-fb19-f6ed-d1ce-079e3f9642f1","preferred_username":"bob_sre","scope":"email profile","sid":"r3HSRVzw6XTypu4HG19AA7UO","sub":"a801d8f4-b4a4-4378-b862-d05b4d7203be","typ":"Bearer"}} {"level":"debug","ts":"2026-06-14T15:51:25Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"5fc3603e-5a5d-45f0-9786-da311d51edd6","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781452585,"groups":["Site-Reliability"],"iat":1781452285,"iss":"https://keycloak.apps.f70ba1ba-a79a-46d0-b47a-f1c0dac3ff4c.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:18ccc3f3-fb19-f6ed-d1ce-079e3f9642f1","preferred_username":"bob_sre","scope":"email profile","sid":"r3HSRVzw6XTypu4HG19AA7UO","sub":"a801d8f4-b4a4-4378-b862-d05b4d7203be","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.132.0.48:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.f70ba1ba-a79a-46d0-b47a-f1c0dac3ff4c.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-14T15:51:25Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"5fc3603e-5a5d-45f0-9786-da311d51edd6","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-14T15:51:25Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"5fc3603e-5a5d-45f0-9786-da311d51edd6","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-14T15:51:25Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"5fc3603e-5a5d-45f0-9786-da311d51edd6","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-14T15:51:25Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"5fc3603e-5a5d-45f0-9786-da311d51edd6","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"keyId","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"userid","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"groups","Value":{}},{"Name":"groups_str","Value":{}}]},"Plain":null},"reason":"no such key: metadata"} {"level":"debug","ts":"2026-06-14T15:51:25Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"5fc3603e-5a5d-45f0-9786-da311d51edd6","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"bob_sre"} {"level":"debug","ts":"2026-06-14T15:51:25Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"5fc3603e-5a5d-45f0-9786-da311d51edd6","config":{"Name":"X-MaaS-Tenant-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Tenant","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"models-as-a-service"} {"level":"debug","ts":"2026-06-14T15:51:25Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"5fc3603e-5a5d-45f0-9786-da311d51edd6","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Site-Reliability\"]"} {"level":"info","ts":"2026-06-14T15:51:25Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"5fc3603e-5a5d-45f0-9786-da311d51edd6","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-14T15:51:25Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"5fc3603e-5a5d-45f0-9786-da311d51edd6","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-14T15:51:26Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"f1f6f644-8e2d-4a21-be69-64dfd639541c","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.10:44584","PortSpecifier":{"PortValue":44584}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.48:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"f1f6f644-8e2d-4a21-be69-64dfd639541c","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.f70ba1ba-a79a-46d0-b47a-f1c0dac3ff4c.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-14T15:51:26Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"f1f6f644-8e2d-4a21-be69-64dfd639541c","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.10:44584","PortSpecifier":{"PortValue":44584}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.48:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781452286,"nanos":361370577},"http":{"id":"f1f6f644-8e2d-4a21-be69-64dfd639541c","method":"POST","headers":{":authority":"maas.apps.f70ba1ba-a79a-46d0-b47a-f1c0dac3ff4c.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-14T15:51:26Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"f1f6f644-8e2d-4a21-be69-64dfd639541c","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781452586,"groups":["Engineering","Project-Alpha"],"iat":1781452286,"iss":"https://keycloak.apps.f70ba1ba-a79a-46d0-b47a-f1c0dac3ff4c.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:db261f07-e236-2fab-e333-49ef824c8e3f","preferred_username":"alice_lead","scope":"email profile","sid":"H_jiVRdKAFLYRc1r-7SrGylY","sub":"628dcaec-e5eb-4b3e-aa67-6912f9d6c830","typ":"Bearer"}} {"level":"debug","ts":"2026-06-14T15:51:26Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"f1f6f644-8e2d-4a21-be69-64dfd639541c","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781452586,"groups":["Engineering","Project-Alpha"],"iat":1781452286,"iss":"https://keycloak.apps.f70ba1ba-a79a-46d0-b47a-f1c0dac3ff4c.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:db261f07-e236-2fab-e333-49ef824c8e3f","preferred_username":"alice_lead","scope":"email profile","sid":"H_jiVRdKAFLYRc1r-7SrGylY","sub":"628dcaec-e5eb-4b3e-aa67-6912f9d6c830","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.132.0.48:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.f70ba1ba-a79a-46d0-b47a-f1c0dac3ff4c.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-14T15:51:26Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"f1f6f644-8e2d-4a21-be69-64dfd639541c","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-14T15:51:26Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"f1f6f644-8e2d-4a21-be69-64dfd639541c","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-14T15:51:26Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"f1f6f644-8e2d-4a21-be69-64dfd639541c","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-14T15:51:26Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"f1f6f644-8e2d-4a21-be69-64dfd639541c","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"keyId","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"userid","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"groups","Value":{}},{"Name":"groups_str","Value":{}}]},"Plain":null},"reason":"no such key: metadata"} {"level":"debug","ts":"2026-06-14T15:51:26Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"f1f6f644-8e2d-4a21-be69-64dfd639541c","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"} {"level":"debug","ts":"2026-06-14T15:51:26Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"f1f6f644-8e2d-4a21-be69-64dfd639541c","config":{"Name":"X-MaaS-Tenant-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Tenant","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"models-as-a-service"} {"level":"debug","ts":"2026-06-14T15:51:26Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"f1f6f644-8e2d-4a21-be69-64dfd639541c","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"} {"level":"info","ts":"2026-06-14T15:51:26Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"f1f6f644-8e2d-4a21-be69-64dfd639541c","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-14T15:51:26Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"f1f6f644-8e2d-4a21-be69-64dfd639541c","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-14T15:51:26Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"875473ca-7480-45af-9d16-7c9a1d3c2939","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.10:44590","PortSpecifier":{"PortValue":44590}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.48:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"875473ca-7480-45af-9d16-7c9a1d3c2939","method":"GET","path":"/maas-api/v1/models","host":"maas.apps.f70ba1ba-a79a-46d0-b47a-f1c0dac3ff4c.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-14T15:51:26Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"875473ca-7480-45af-9d16-7c9a1d3c2939","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.10:44590","PortSpecifier":{"PortValue":44590}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.48:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781452286,"nanos":389624104},"http":{"id":"875473ca-7480-45af-9d16-7c9a1d3c2939","method":"GET","headers":{":authority":"maas.apps.f70ba1ba-a79a-46d0-b47a-f1c0dac3ff4c.prod.konfluxeaas.com",":method":"GET",":path":"/maas-api/v1/models",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-14T15:51:26Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"875473ca-7480-45af-9d16-7c9a1d3c2939","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-RTsANRWX2VoHW00L_8rfUkol6CR1pgYZL9BOAAJhN9qPdoUZRQ54wz5k9y7B"} {"level":"debug","ts":"2026-06-14T15:51:26Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"875473ca-7480-45af-9d16-7c9a1d3c2939","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-RTsANRWX2VoHW00L_8rfUkol6CR1pgYZL9BOAAJhN9qPdoUZRQ54wz5k9y7B\"}"} {"level":"debug","ts":"2026-06-14T15:51:26Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"875473ca-7480-45af-9d16-7c9a1d3c2939","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-14T15:51:26Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"875473ca-7480-45af-9d16-7c9a1d3c2939","input":{"auth":{"identity":"Bearer **** deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-14T15:51:26Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"875473ca-7480-45af-9d16-7c9a1d3c2939","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-14T15:51:26Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"875473ca-7480-45af-9d16-7c9a1d3c2939","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-14T15:51:26Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"875473ca-7480-45af-9d16-7c9a1d3c2939","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-14T15:51:26Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"875473ca-7480-45af-9d16-7c9a1d3c2939","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-14T15:51:26Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"875473ca-7480-45af-9d16-7c9a1d3c2939","config":{"Name":"X-MaaS-Tenant","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-14T15:51:26Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"875473ca-7480-45af-9d16-7c9a1d3c2939","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-14T15:51:26Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"875473ca-7480-45af-9d16-7c9a1d3c2939","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"} {"level":"debug","ts":"2026-06-14T15:51:26Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"875473ca-7480-45af-9d16-7c9a1d3c2939","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"keyId","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"userid","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"groups","Value":{}},{"Name":"groups_str","Value":{}}]},"Plain":null},"reason":"no such key: subscription-info"} {"level":"info","ts":"2026-06-14T15:51:26Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"875473ca-7480-45af-9d16-7c9a1d3c2939","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-14T15:51:26Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"875473ca-7480-45af-9d16-7c9a1d3c2939","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-14T15:51:26Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"d1bfb81b-5421-4410-bc64-ffd1cf1d042a","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.33:36992","PortSpecifier":{"PortValue":36992}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.48:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"d1bfb81b-5421-4410-bc64-ffd1cf1d042a","method":"GET","path":"/llm/facebook-opt-125m-simulated/v1/models","host":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local","scheme":"https"}}}} {"level":"debug","ts":"2026-06-14T15:51:26Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"d1bfb81b-5421-4410-bc64-ffd1cf1d042a","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.33:36992","PortSpecifier":{"PortValue":36992}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.48:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781452286,"nanos":406067574},"http":{"id":"d1bfb81b-5421-4410-bc64-ffd1cf1d042a","method":"GET","headers":{":authority":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local",":method":"GET",":path":"/llm/facebook-opt-125m-simulated/v1/models",":scheme":"https","accept-encoding":"gzip","authorization":"Bearer **** {"level":"debug","ts":"2026-06-14T15:51:26Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"d1bfb81b-5421-4410-bc64-ffd1cf1d042a","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-RTsANRWX2VoHW00L_8rfUkol6CR1pgYZL9BOAAJhN9qPdoUZRQ54wz5k9y7B"} {"level":"debug","ts":"2026-06-14T15:51:26Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"d1bfb81b-5421-4410-bc64-ffd1cf1d042a","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-RTsANRWX2VoHW00L_8rfUkol6CR1pgYZL9BOAAJhN9qPdoUZRQ54wz5k9y7B\"}"} {"level":"debug","ts":"2026-06-14T15:51:26Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"d1bfb81b-5421-4410-bc64-ffd1cf1d042a","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-14T15:51:26Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"d1bfb81b-5421-4410-bc64-ffd1cf1d042a","config":"subscription-info","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","headers":{"Content-Type":["application/json"]},"body":"{\"groups\":[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"],\"requestedModel\":\"llm/facebook-opt-125m-simulated\",\"requestedSubscription\":\"simulator-subscription\",\"username\":\"alice_lead\"}"} {"level":"debug","ts":"2026-06-14T15:51:26Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"d1bfb81b-5421-4410-bc64-ffd1cf1d042a","config":{"Name":"subscription-info","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"UserInfo":null,"UMA":null,"GenericHTTP":{"Endpoint":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","DynamicEndpoint":null,"Method":"POST","Body":{},"Parameters":[],"Headers":[],"ContentType":"application/json","SharedSecret":"","OAuth2":null,"OAuth2TokenForceFetch":false,"AuthCredentials":null}},"object":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}} {"level":"debug","ts":"2026-06-14T15:51:26Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"d1bfb81b-5421-4410-bc64-ffd1cf1d042a","input":{"auth":{"identity":"Bearer **** subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}}},"context":{"context_extensions":{"host":"3dd75e19cd66d310c30638e330078972afd6d2d96305f91055bc6a6f363fb8d3"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.132.0.48:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local",":method":"GET",":path":"/llm/facebook-opt-125m-simulated/v1/models",":scheme":"https","accept-encoding":"gzip","authorization":"Bearer **** sk-oai-RTsANRWX2VoHW00L_8rfUkol6CR1pgYZL9BOAAJhN9qPdoUZRQ54wz5k9y7B","user-agent":"Go-http-client/1.1","x-envoy-decorator-operation":"facebook-opt-125m-simulated-kserve-workload-svc.llm.svc.cluster.local:8000/*","x-envoy-external-address":"10.134.0.33","x-envoy-peer-metadata":"ChoKCkNMVVNURVJfSUQSDBoKS3ViZXJuZXRlcwqLAQoGTEFCRUxTEoABKn4KSwofc2VydmljZS5pc3Rpby5pby9jYW5vbmljYWwtbmFtZRIoGiZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAovCiNzZXJ2aWNlLmlzdGlvLmlvL2Nhbm9uaWNhbC1yZXZpc2lvbhIIGgZsYXRlc3QKQAoETkFNRRI4GjZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdC02ODdmZjY5OTYtOWpybmwKIAoJTkFNRVNQQUNFEhMaEW9wZW5zaGlmdC1pbmdyZXNzCnQKBU9XTkVSEmsaaWt1YmVybmV0ZXM6Ly9hcGlzL2FwcHMvdjEvbmFtZXNwYWNlcy9vcGVuc2hpZnQtaW5ncmVzcy9kZXBsb3ltZW50cy9tYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAo5Cg1XT1JLTE9BRF9OQU1FEigaJm1hYXMtZGVmYXVsdC1nYXRld2F5LW9wZW5zaGlmdC1kZWZhdWx0","x-envoy-peer-metadata-id":"router~10.132.0.48~maas-default-gateway-openshift-default-687ff6996-9jrnl.openshift-ingress~openshift-ingress.svc.cluster.local","x-forwarded-for":"10.134.0.33","x-forwarded-proto":"https","x-maas-subscription":"simulator-subscription","x-request-id":"d1bfb81b-5421-4410-bc64-ffd1cf1d042a"},"host":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local","id":"d1bfb81b-5421-4410-bc64-ffd1cf1d042a","method":"GET","path":"/llm/facebook-opt-125m-simulated/v1/models","protocol":"HTTP/1.1","scheme":"https","time":{"nanos":406067574,"seconds":1781452286},"url_path":"/llm/facebook-opt-125m-simulated/v1/models","user_agent":"Go-http-client/1.1"},"source":{"address":"10.134.0.33:36992","port":36992}}} {"level":"debug","ts":"2026-06-14T15:51:26Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"d1bfb81b-5421-4410-bc64-ffd1cf1d042a","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-14T15:51:26Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"d1bfb81b-5421-4410-bc64-ffd1cf1d042a","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-14T15:51:26Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"d1bfb81b-5421-4410-bc64-ffd1cf1d042a","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-14T15:51:26Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"d1bfb81b-5421-4410-bc64-ffd1cf1d042a","config":{"Name":"subscription-valid","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-14T15:51:26Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"d1bfb81b-5421-4410-bc64-ffd1cf1d042a","config":{"Name":"X-MaaS-Tenant","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-14T15:51:26Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"d1bfb81b-5421-4410-bc64-ffd1cf1d042a","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-14T15:51:26Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"d1bfb81b-5421-4410-bc64-ffd1cf1d042a","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-14T15:51:26Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"d1bfb81b-5421-4410-bc64-ffd1cf1d042a","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"} {"level":"debug","ts":"2026-06-14T15:51:26Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"d1bfb81b-5421-4410-bc64-ffd1cf1d042a","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"groups_str","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"groups","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"userid","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error","Value":{}}]},"Plain":null},"object":{"groups":["system:authenticated","Engineering","Project-Alpha"],"groups_str":"system:authenticated,Engineering,Project-Alpha","keyId":"bb285802-f315-4012-979c-fd0625dc0fac","selected_subscription":"simulator-subscription","selected_subscription_key":"models-as-a-service/simulator-subscription@llm/facebook-opt-125m-simulated","subscription_error":"","subscription_error_message":"","subscription_info":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true},"userid":"alice_lead"}} {"level":"info","ts":"2026-06-14T15:51:26Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"d1bfb81b-5421-4410-bc64-ffd1cf1d042a","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-14T15:51:26Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"d1bfb81b-5421-4410-bc64-ffd1cf1d042a","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-14T15:51:26Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"cb986e8d-c328-49dc-b374-9531eda84dec","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.10:44594","PortSpecifier":{"PortValue":44594}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.48:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"cb986e8d-c328-49dc-b374-9531eda84dec","method":"POST","path":"/llm/facebook-opt-125m-simulated/v1/chat/completions","host":"maas.apps.f70ba1ba-a79a-46d0-b47a-f1c0dac3ff4c.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-14T15:51:26Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"cb986e8d-c328-49dc-b374-9531eda84dec","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.10:44594","PortSpecifier":{"PortValue":44594}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.48:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781452286,"nanos":439015922},"http":{"id":"cb986e8d-c328-49dc-b374-9531eda84dec","method":"POST","headers":{":authority":"maas.apps.f70ba1ba-a79a-46d0-b47a-f1c0dac3ff4c.prod.konfluxeaas.com",":method":"POST",":path":"/llm/facebook-opt-125m-simulated/v1/chat/completions",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-14T15:51:26Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"cb986e8d-c328-49dc-b374-9531eda84dec","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-RTsANRWX2VoHW00L_8rfUkol6CR1pgYZL9BOAAJhN9qPdoUZRQ54wz5k9y7B"} {"level":"debug","ts":"2026-06-14T15:51:26Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"cb986e8d-c328-49dc-b374-9531eda84dec","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-RTsANRWX2VoHW00L_8rfUkol6CR1pgYZL9BOAAJhN9qPdoUZRQ54wz5k9y7B\"}"} {"level":"debug","ts":"2026-06-14T15:51:26Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"cb986e8d-c328-49dc-b374-9531eda84dec","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-14T15:51:26Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"cb986e8d-c328-49dc-b374-9531eda84dec","config":"subscription-info","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","headers":{"Content-Type":["application/json"]},"body":"{\"groups\":[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"],\"requestedModel\":\"llm/facebook-opt-125m-simulated\",\"requestedSubscription\":\"simulator-subscription\",\"username\":\"alice_lead\"}"} {"level":"debug","ts":"2026-06-14T15:51:26Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"cb986e8d-c328-49dc-b374-9531eda84dec","config":{"Name":"subscription-info","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"UserInfo":null,"UMA":null,"GenericHTTP":{"Endpoint":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","DynamicEndpoint":null,"Method":"POST","Body":{},"Parameters":[],"Headers":[],"ContentType":"application/json","SharedSecret":"","OAuth2":null,"OAuth2TokenForceFetch":false,"AuthCredentials":null}},"object":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}} {"level":"debug","ts":"2026-06-14T15:51:26Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"cb986e8d-c328-49dc-b374-9531eda84dec","input":{"auth":{"identity":"Bearer **** subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}}},"context":{"context_extensions":{"host":"18e32965997cdd9967355c6fa5264ed12c0a215989d459ed88d7d6de02865f76"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.132.0.48:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.f70ba1ba-a79a-46d0-b47a-f1c0dac3ff4c.prod.konfluxeaas.com",":method":"POST",":path":"/llm/facebook-opt-125m-simulated/v1/chat/completions",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-14T15:51:26Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"cb986e8d-c328-49dc-b374-9531eda84dec","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-14T15:51:26Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"cb986e8d-c328-49dc-b374-9531eda84dec","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-14T15:51:26Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"cb986e8d-c328-49dc-b374-9531eda84dec","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-14T15:51:26Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"cb986e8d-c328-49dc-b374-9531eda84dec","config":{"Name":"subscription-valid","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-14T15:51:26Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"cb986e8d-c328-49dc-b374-9531eda84dec","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-14T15:51:26Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"cb986e8d-c328-49dc-b374-9531eda84dec","config":{"Name":"X-MaaS-Tenant","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-14T15:51:26Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"cb986e8d-c328-49dc-b374-9531eda84dec","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-14T15:51:26Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"cb986e8d-c328-49dc-b374-9531eda84dec","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"} {"level":"debug","ts":"2026-06-14T15:51:26Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"cb986e8d-c328-49dc-b374-9531eda84dec","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"groups","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"userid","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error_message","Value":{}}]},"Plain":null},"object":{"groups":["system:authenticated","Engineering","Project-Alpha"],"groups_str":"system:authenticated,Engineering,Project-Alpha","keyId":"bb285802-f315-4012-979c-fd0625dc0fac","selected_subscription":"simulator-subscription","selected_subscription_key":"models-as-a-service/simulator-subscription@llm/facebook-opt-125m-simulated","subscription_error":"","subscription_error_message":"","subscription_info":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true},"userid":"alice_lead"}} {"level":"info","ts":"2026-06-14T15:51:26Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"cb986e8d-c328-49dc-b374-9531eda84dec","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-14T15:51:26Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"cb986e8d-c328-49dc-b374-9531eda84dec","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-14T15:51:26Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"3f3e3d38-2a6e-4939-a761-7f5b8765a01e","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.10:44596","PortSpecifier":{"PortValue":44596}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.48:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"3f3e3d38-2a6e-4939-a761-7f5b8765a01e","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.f70ba1ba-a79a-46d0-b47a-f1c0dac3ff4c.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-14T15:51:26Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"3f3e3d38-2a6e-4939-a761-7f5b8765a01e","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.10:44596","PortSpecifier":{"PortValue":44596}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.48:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781452286,"nanos":593270078},"http":{"id":"3f3e3d38-2a6e-4939-a761-7f5b8765a01e","method":"POST","headers":{":authority":"maas.apps.f70ba1ba-a79a-46d0-b47a-f1c0dac3ff4c.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-14T15:51:26Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"3f3e3d38-2a6e-4939-a761-7f5b8765a01e","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781452586,"groups":["Engineering","Project-Alpha"],"iat":1781452286,"iss":"https://keycloak.apps.f70ba1ba-a79a-46d0-b47a-f1c0dac3ff4c.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:f737df74-1273-6ccc-ec82-482ca3328810","preferred_username":"alice_lead","scope":"email profile","sid":"ooHaLgPAGvyrWu4LE9fZwt1I","sub":"628dcaec-e5eb-4b3e-aa67-6912f9d6c830","typ":"Bearer"}} {"level":"debug","ts":"2026-06-14T15:51:26Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"3f3e3d38-2a6e-4939-a761-7f5b8765a01e","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781452586,"groups":["Engineering","Project-Alpha"],"iat":1781452286,"iss":"https://keycloak.apps.f70ba1ba-a79a-46d0-b47a-f1c0dac3ff4c.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:f737df74-1273-6ccc-ec82-482ca3328810","preferred_username":"alice_lead","scope":"email profile","sid":"ooHaLgPAGvyrWu4LE9fZwt1I","sub":"628dcaec-e5eb-4b3e-aa67-6912f9d6c830","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.132.0.48:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.f70ba1ba-a79a-46d0-b47a-f1c0dac3ff4c.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-14T15:51:26Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"3f3e3d38-2a6e-4939-a761-7f5b8765a01e","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-14T15:51:26Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"3f3e3d38-2a6e-4939-a761-7f5b8765a01e","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-14T15:51:26Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"3f3e3d38-2a6e-4939-a761-7f5b8765a01e","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-14T15:51:26Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"3f3e3d38-2a6e-4939-a761-7f5b8765a01e","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"keyId","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"userid","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"groups","Value":{}},{"Name":"groups_str","Value":{}}]},"Plain":null},"reason":"no such key: metadata"} {"level":"debug","ts":"2026-06-14T15:51:26Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"3f3e3d38-2a6e-4939-a761-7f5b8765a01e","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"} {"level":"debug","ts":"2026-06-14T15:51:26Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"3f3e3d38-2a6e-4939-a761-7f5b8765a01e","config":{"Name":"X-MaaS-Tenant-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Tenant","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"models-as-a-service"} {"level":"debug","ts":"2026-06-14T15:51:26Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"3f3e3d38-2a6e-4939-a761-7f5b8765a01e","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"} {"level":"info","ts":"2026-06-14T15:51:26Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"3f3e3d38-2a6e-4939-a761-7f5b8765a01e","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-14T15:51:26Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"3f3e3d38-2a6e-4939-a761-7f5b8765a01e","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-14T15:51:26Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"24338cf4-b74e-4f3c-b345-c8e1e09c3f76","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.10:44608","PortSpecifier":{"PortValue":44608}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.48:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"24338cf4-b74e-4f3c-b345-c8e1e09c3f76","method":"DELETE","path":"/maas-api/v1/api-keys/0c691ae9-683a-47a1-84fe-1c3bf1a975c6","host":"maas.apps.f70ba1ba-a79a-46d0-b47a-f1c0dac3ff4c.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-14T15:51:26Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"24338cf4-b74e-4f3c-b345-c8e1e09c3f76","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.10:44608","PortSpecifier":{"PortValue":44608}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.48:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781452286,"nanos":623344245},"http":{"id":"24338cf4-b74e-4f3c-b345-c8e1e09c3f76","method":"DELETE","headers":{":authority":"maas.apps.f70ba1ba-a79a-46d0-b47a-f1c0dac3ff4c.prod.konfluxeaas.com",":method":"DELETE",":path":"/maas-api/v1/api-keys/0c691ae9-683a-47a1-84fe-1c3bf1a975c6",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-14T15:51:26Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"24338cf4-b74e-4f3c-b345-c8e1e09c3f76","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781452586,"groups":["Engineering","Project-Alpha"],"iat":1781452286,"iss":"https://keycloak.apps.f70ba1ba-a79a-46d0-b47a-f1c0dac3ff4c.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:f737df74-1273-6ccc-ec82-482ca3328810","preferred_username":"alice_lead","scope":"email profile","sid":"ooHaLgPAGvyrWu4LE9fZwt1I","sub":"628dcaec-e5eb-4b3e-aa67-6912f9d6c830","typ":"Bearer"}} {"level":"debug","ts":"2026-06-14T15:51:26Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"24338cf4-b74e-4f3c-b345-c8e1e09c3f76","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781452586,"groups":["Engineering","Project-Alpha"],"iat":1781452286,"iss":"https://keycloak.apps.f70ba1ba-a79a-46d0-b47a-f1c0dac3ff4c.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:f737df74-1273-6ccc-ec82-482ca3328810","preferred_username":"alice_lead","scope":"email profile","sid":"ooHaLgPAGvyrWu4LE9fZwt1I","sub":"628dcaec-e5eb-4b3e-aa67-6912f9d6c830","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.132.0.48:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.f70ba1ba-a79a-46d0-b47a-f1c0dac3ff4c.prod.konfluxeaas.com",":method":"DELETE",":path":"/maas-api/v1/api-keys/0c691ae9-683a-47a1-84fe-1c3bf1a975c6",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-14T15:51:26Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"24338cf4-b74e-4f3c-b345-c8e1e09c3f76","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-14T15:51:26Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"24338cf4-b74e-4f3c-b345-c8e1e09c3f76","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-14T15:51:26Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"24338cf4-b74e-4f3c-b345-c8e1e09c3f76","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-14T15:51:26Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"24338cf4-b74e-4f3c-b345-c8e1e09c3f76","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"keyId","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"userid","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"groups","Value":{}},{"Name":"groups_str","Value":{}}]},"Plain":null},"reason":"no such key: metadata"} {"level":"debug","ts":"2026-06-14T15:51:26Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"24338cf4-b74e-4f3c-b345-c8e1e09c3f76","config":{"Name":"X-MaaS-Tenant-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Tenant","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"models-as-a-service"} {"level":"debug","ts":"2026-06-14T15:51:26Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"24338cf4-b74e-4f3c-b345-c8e1e09c3f76","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"} {"level":"debug","ts":"2026-06-14T15:51:26Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"24338cf4-b74e-4f3c-b345-c8e1e09c3f76","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"} {"level":"info","ts":"2026-06-14T15:51:26Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"24338cf4-b74e-4f3c-b345-c8e1e09c3f76","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-14T15:51:26Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"24338cf4-b74e-4f3c-b345-c8e1e09c3f76","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-14T15:51:29Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"e9a944c0-05a8-4825-99e2-9d611d603d03","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.10:44616","PortSpecifier":{"PortValue":44616}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.48:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"e9a944c0-05a8-4825-99e2-9d611d603d03","method":"GET","path":"/maas-api/v1/models","host":"maas.apps.f70ba1ba-a79a-46d0-b47a-f1c0dac3ff4c.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-14T15:51:29Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"e9a944c0-05a8-4825-99e2-9d611d603d03","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.10:44616","PortSpecifier":{"PortValue":44616}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.48:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781452289,"nanos":654939662},"http":{"id":"e9a944c0-05a8-4825-99e2-9d611d603d03","method":"GET","headers":{":authority":"maas.apps.f70ba1ba-a79a-46d0-b47a-f1c0dac3ff4c.prod.konfluxeaas.com",":method":"GET",":path":"/maas-api/v1/models",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-14T15:51:29Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"e9a944c0-05a8-4825-99e2-9d611d603d03","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-FFlbeC4VzDod3tRP_R3gATkF0Ty1W2r3u1m1U6J5YkgDnkSwWMNoPiWhPUjC"} {"level":"debug","ts":"2026-06-14T15:51:29Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"e9a944c0-05a8-4825-99e2-9d611d603d03","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-FFlbeC4VzDod3tRP_R3gATkF0Ty1W2r3u1m1U6J5YkgDnkSwWMNoPiWhPUjC\"}"} {"level":"debug","ts":"2026-06-14T15:51:29Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"e9a944c0-05a8-4825-99e2-9d611d603d03","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** revoked or expired","tenant":"","valid":false}} {"level":"debug","ts":"2026-06-14T15:51:29Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"e9a944c0-05a8-4825-99e2-9d611d603d03","input":{"auth":{"identity":"Bearer **** revoked or expired","tenant":"","valid":false}}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.132.0.48:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.f70ba1ba-a79a-46d0-b47a-f1c0dac3ff4c.prod.konfluxeaas.com",":method":"GET",":path":"/maas-api/v1/models",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-14T15:51:29Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"e9a944c0-05a8-4825-99e2-9d611d603d03","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-14T15:51:29Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access denied","request id":"e9a944c0-05a8-4825-99e2-9d611d603d03","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"reason":"Unauthorized"} {"level":"info","ts":"2026-06-14T15:51:29Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"e9a944c0-05a8-4825-99e2-9d611d603d03","authorized":false,"response":"PERMISSION_DENIED","object":{"code":7,"status":403,"message":"Unauthorized"}} {"level":"debug","ts":"2026-06-14T15:51:29Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"e9a944c0-05a8-4825-99e2-9d611d603d03","authorized":false,"response":"PERMISSION_DENIED","object":{"code":7,"status":403,"message":"Unauthorized","headers":[{"content-type":"text/plain"},{"x-ext-auth-reason":""}]}} {"level":"info","ts":"2026-06-14T15:51:29Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"a06ef1c0-7cdd-4fcf-a656-2b98b0fc47fa","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.10:44628","PortSpecifier":{"PortValue":44628}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.48:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"a06ef1c0-7cdd-4fcf-a656-2b98b0fc47fa","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.f70ba1ba-a79a-46d0-b47a-f1c0dac3ff4c.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-14T15:51:29Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"a06ef1c0-7cdd-4fcf-a656-2b98b0fc47fa","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.10:44628","PortSpecifier":{"PortValue":44628}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.48:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781452289,"nanos":855957294},"http":{"id":"a06ef1c0-7cdd-4fcf-a656-2b98b0fc47fa","method":"POST","headers":{":authority":"maas.apps.f70ba1ba-a79a-46d0-b47a-f1c0dac3ff4c.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-14T15:51:29Z","logger":"authorino.service.auth.authpipeline.identity","msg":"cannot validate identity","request id":"a06ef1c0-7cdd-4fcf-a656-2b98b0fc47fa","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"reason":"failed to verify signature: failed to verify id token signature"} {"level":"debug","ts":"2026-06-14T15:51:29Z","logger":"authorino.service.auth.authpipeline.identity.kubernetesauth","msg":"calling kubernetes token review api","request id":"a06ef1c0-7cdd-4fcf-a656-2b98b0fc47fa","tokenreview":{"name":""}} {"level":"debug","ts":"2026-06-14T15:51:29Z","logger":"authorino.service.auth.authpipeline.identity","msg":"cannot validate identity","request id":"a06ef1c0-7cdd-4fcf-a656-2b98b0fc47fa","config":{"Name":"openshift-identities","Priority":2,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":null,"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"Plain":null,"Noop":null,"ExtendedProperties":[]},"reason":"not authenticated"} {"level":"info","ts":"2026-06-14T15:51:29Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"a06ef1c0-7cdd-4fcf-a656-2b98b0fc47fa","authorized":false,"response":"UNAUTHENTICATED","object":{"code":16,"status":401,"message":"Authentication required"}} {"level":"debug","ts":"2026-06-14T15:51:29Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"a06ef1c0-7cdd-4fcf-a656-2b98b0fc47fa","authorized":false,"response":"UNAUTHENTICATED","object":{"code":16,"status":401,"message":"Authentication required","headers":[{"WWW-Authenticate":"request.headers.authorization realm=\"api-keys\""},{"WWW-Authenticate":"Bearer **** realm=\"openshift-identities\""}]}} {"level":"info","ts":"2026-06-14T15:51:30Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"3c02857a-6d64-4c09-86dc-f58ceb3fb0a4","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.10:44636","PortSpecifier":{"PortValue":44636}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.48:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"3c02857a-6d64-4c09-86dc-f58ceb3fb0a4","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.f70ba1ba-a79a-46d0-b47a-f1c0dac3ff4c.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-14T15:51:30Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"3c02857a-6d64-4c09-86dc-f58ceb3fb0a4","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.10:44636","PortSpecifier":{"PortValue":44636}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.48:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781452290,"nanos":134664168},"http":{"id":"3c02857a-6d64-4c09-86dc-f58ceb3fb0a4","method":"POST","headers":{":authority":"maas.apps.f70ba1ba-a79a-46d0-b47a-f1c0dac3ff4c.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-14T15:51:30Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"3c02857a-6d64-4c09-86dc-f58ceb3fb0a4","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781452589,"groups":["Engineering","Project-Alpha"],"iat":1781452289,"iss":"https://keycloak.apps.f70ba1ba-a79a-46d0-b47a-f1c0dac3ff4c.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:5bf8091b-185c-fd44-4aec-401b0b7dc45b","preferred_username":"alice_lead","scope":"email profile","sid":"zSW2NG07ccrBHC4b4m0D59wI","sub":"628dcaec-e5eb-4b3e-aa67-6912f9d6c830","typ":"Bearer"}} {"level":"debug","ts":"2026-06-14T15:51:30Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"3c02857a-6d64-4c09-86dc-f58ceb3fb0a4","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781452589,"groups":["Engineering","Project-Alpha"],"iat":1781452289,"iss":"https://keycloak.apps.f70ba1ba-a79a-46d0-b47a-f1c0dac3ff4c.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:5bf8091b-185c-fd44-4aec-401b0b7dc45b","preferred_username":"alice_lead","scope":"email profile","sid":"zSW2NG07ccrBHC4b4m0D59wI","sub":"628dcaec-e5eb-4b3e-aa67-6912f9d6c830","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.132.0.48:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.f70ba1ba-a79a-46d0-b47a-f1c0dac3ff4c.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-14T15:51:30Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"3c02857a-6d64-4c09-86dc-f58ceb3fb0a4","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-14T15:51:30Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"3c02857a-6d64-4c09-86dc-f58ceb3fb0a4","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-14T15:51:30Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"3c02857a-6d64-4c09-86dc-f58ceb3fb0a4","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-14T15:51:30Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"3c02857a-6d64-4c09-86dc-f58ceb3fb0a4","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"keyId","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"userid","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"groups","Value":{}},{"Name":"groups_str","Value":{}}]},"Plain":null},"reason":"no such key: metadata"} {"level":"debug","ts":"2026-06-14T15:51:30Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"3c02857a-6d64-4c09-86dc-f58ceb3fb0a4","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"} {"level":"debug","ts":"2026-06-14T15:51:30Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"3c02857a-6d64-4c09-86dc-f58ceb3fb0a4","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"} {"level":"debug","ts":"2026-06-14T15:51:30Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"3c02857a-6d64-4c09-86dc-f58ceb3fb0a4","config":{"Name":"X-MaaS-Tenant-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Tenant","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"models-as-a-service"} {"level":"info","ts":"2026-06-14T15:51:30Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"3c02857a-6d64-4c09-86dc-f58ceb3fb0a4","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-14T15:51:30Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"3c02857a-6d64-4c09-86dc-f58ceb3fb0a4","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-14T15:51:30Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"60358778-b361-4db3-a0cb-53d2be5cd02e","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.10:44650","PortSpecifier":{"PortValue":44650}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.48:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"60358778-b361-4db3-a0cb-53d2be5cd02e","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.f70ba1ba-a79a-46d0-b47a-f1c0dac3ff4c.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-14T15:51:30Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"60358778-b361-4db3-a0cb-53d2be5cd02e","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.10:44650","PortSpecifier":{"PortValue":44650}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.48:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781452290,"nanos":162015439},"http":{"id":"60358778-b361-4db3-a0cb-53d2be5cd02e","method":"POST","headers":{":authority":"maas.apps.f70ba1ba-a79a-46d0-b47a-f1c0dac3ff4c.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-14T15:51:30Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"60358778-b361-4db3-a0cb-53d2be5cd02e","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781452590,"groups":["Site-Reliability"],"iat":1781452290,"iss":"https://keycloak.apps.f70ba1ba-a79a-46d0-b47a-f1c0dac3ff4c.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:1d131533-c2fd-bfcc-24c9-cc57eda259db","preferred_username":"bob_sre","scope":"email profile","sid":"RVeY_gC_x8J59UR3kCC60zKc","sub":"a801d8f4-b4a4-4378-b862-d05b4d7203be","typ":"Bearer"}} {"level":"debug","ts":"2026-06-14T15:51:30Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"60358778-b361-4db3-a0cb-53d2be5cd02e","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781452590,"groups":["Site-Reliability"],"iat":1781452290,"iss":"https://keycloak.apps.f70ba1ba-a79a-46d0-b47a-f1c0dac3ff4c.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:1d131533-c2fd-bfcc-24c9-cc57eda259db","preferred_username":"bob_sre","scope":"email profile","sid":"RVeY_gC_x8J59UR3kCC60zKc","sub":"a801d8f4-b4a4-4378-b862-d05b4d7203be","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.132.0.48:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.f70ba1ba-a79a-46d0-b47a-f1c0dac3ff4c.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-14T15:51:30Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"60358778-b361-4db3-a0cb-53d2be5cd02e","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-14T15:51:30Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"60358778-b361-4db3-a0cb-53d2be5cd02e","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-14T15:51:30Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"60358778-b361-4db3-a0cb-53d2be5cd02e","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-14T15:51:30Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"60358778-b361-4db3-a0cb-53d2be5cd02e","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"keyId","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"userid","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"groups","Value":{}},{"Name":"groups_str","Value":{}}]},"Plain":null},"reason":"no such key: metadata"} {"level":"debug","ts":"2026-06-14T15:51:30Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"60358778-b361-4db3-a0cb-53d2be5cd02e","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"bob_sre"} {"level":"debug","ts":"2026-06-14T15:51:30Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"60358778-b361-4db3-a0cb-53d2be5cd02e","config":{"Name":"X-MaaS-Tenant-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Tenant","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"models-as-a-service"} {"level":"debug","ts":"2026-06-14T15:51:30Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"60358778-b361-4db3-a0cb-53d2be5cd02e","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Site-Reliability\"]"} {"level":"info","ts":"2026-06-14T15:51:30Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"60358778-b361-4db3-a0cb-53d2be5cd02e","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-14T15:51:30Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"60358778-b361-4db3-a0cb-53d2be5cd02e","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-14T15:51:30Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"5ee8ae79-aa17-4b86-b0c2-69d5ef1f6f0e","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.10:44662","PortSpecifier":{"PortValue":44662}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.48:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"5ee8ae79-aa17-4b86-b0c2-69d5ef1f6f0e","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.f70ba1ba-a79a-46d0-b47a-f1c0dac3ff4c.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-14T15:51:30Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"5ee8ae79-aa17-4b86-b0c2-69d5ef1f6f0e","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.10:44662","PortSpecifier":{"PortValue":44662}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.48:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781452290,"nanos":312530922},"http":{"id":"5ee8ae79-aa17-4b86-b0c2-69d5ef1f6f0e","method":"POST","headers":{":authority":"maas.apps.f70ba1ba-a79a-46d0-b47a-f1c0dac3ff4c.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-14T15:51:30Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"5ee8ae79-aa17-4b86-b0c2-69d5ef1f6f0e","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781452590,"groups":["Engineering","Project-Alpha"],"iat":1781452290,"iss":"https://keycloak.apps.f70ba1ba-a79a-46d0-b47a-f1c0dac3ff4c.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:31a1039c-c12d-72ae-e272-63cfdad6276b","preferred_username":"alice_lead","scope":"email profile","sid":"q93P6ToOpJiV_VNJyNexKN8n","sub":"628dcaec-e5eb-4b3e-aa67-6912f9d6c830","typ":"Bearer"}} {"level":"debug","ts":"2026-06-14T15:51:30Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"5ee8ae79-aa17-4b86-b0c2-69d5ef1f6f0e","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781452590,"groups":["Engineering","Project-Alpha"],"iat":1781452290,"iss":"https://keycloak.apps.f70ba1ba-a79a-46d0-b47a-f1c0dac3ff4c.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:31a1039c-c12d-72ae-e272-63cfdad6276b","preferred_username":"alice_lead","scope":"email profile","sid":"q93P6ToOpJiV_VNJyNexKN8n","sub":"628dcaec-e5eb-4b3e-aa67-6912f9d6c830","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.132.0.48:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.f70ba1ba-a79a-46d0-b47a-f1c0dac3ff4c.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-14T15:51:30Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"5ee8ae79-aa17-4b86-b0c2-69d5ef1f6f0e","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-14T15:51:30Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"5ee8ae79-aa17-4b86-b0c2-69d5ef1f6f0e","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-14T15:51:30Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"5ee8ae79-aa17-4b86-b0c2-69d5ef1f6f0e","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-14T15:51:30Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"5ee8ae79-aa17-4b86-b0c2-69d5ef1f6f0e","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"keyId","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"userid","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"groups","Value":{}},{"Name":"groups_str","Value":{}}]},"Plain":null},"reason":"no such key: metadata"} {"level":"debug","ts":"2026-06-14T15:51:30Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"5ee8ae79-aa17-4b86-b0c2-69d5ef1f6f0e","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"} {"level":"debug","ts":"2026-06-14T15:51:30Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"5ee8ae79-aa17-4b86-b0c2-69d5ef1f6f0e","config":{"Name":"X-MaaS-Tenant-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Tenant","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"models-as-a-service"} {"level":"debug","ts":"2026-06-14T15:51:30Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"5ee8ae79-aa17-4b86-b0c2-69d5ef1f6f0e","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"} {"level":"info","ts":"2026-06-14T15:51:30Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"5ee8ae79-aa17-4b86-b0c2-69d5ef1f6f0e","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-14T15:51:30Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"5ee8ae79-aa17-4b86-b0c2-69d5ef1f6f0e","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-14T15:51:30Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"5fb6b576-adb7-4a2a-9ad1-ec1d629cd5dd","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.10:44664","PortSpecifier":{"PortValue":44664}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.48:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"5fb6b576-adb7-4a2a-9ad1-ec1d629cd5dd","method":"DELETE","path":"/maas-api/v1/api-keys/f5509334-3d12-45a3-8b4d-c59f27b789dd","host":"maas.apps.f70ba1ba-a79a-46d0-b47a-f1c0dac3ff4c.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-14T15:51:30Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"5fb6b576-adb7-4a2a-9ad1-ec1d629cd5dd","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.10:44664","PortSpecifier":{"PortValue":44664}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.48:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781452290,"nanos":343157528},"http":{"id":"5fb6b576-adb7-4a2a-9ad1-ec1d629cd5dd","method":"DELETE","headers":{":authority":"maas.apps.f70ba1ba-a79a-46d0-b47a-f1c0dac3ff4c.prod.konfluxeaas.com",":method":"DELETE",":path":"/maas-api/v1/api-keys/f5509334-3d12-45a3-8b4d-c59f27b789dd",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-14T15:51:30Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"5fb6b576-adb7-4a2a-9ad1-ec1d629cd5dd","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781452590,"groups":["Engineering","Project-Alpha"],"iat":1781452290,"iss":"https://keycloak.apps.f70ba1ba-a79a-46d0-b47a-f1c0dac3ff4c.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:31a1039c-c12d-72ae-e272-63cfdad6276b","preferred_username":"alice_lead","scope":"email profile","sid":"q93P6ToOpJiV_VNJyNexKN8n","sub":"628dcaec-e5eb-4b3e-aa67-6912f9d6c830","typ":"Bearer"}} {"level":"debug","ts":"2026-06-14T15:51:30Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"5fb6b576-adb7-4a2a-9ad1-ec1d629cd5dd","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781452590,"groups":["Engineering","Project-Alpha"],"iat":1781452290,"iss":"https://keycloak.apps.f70ba1ba-a79a-46d0-b47a-f1c0dac3ff4c.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:31a1039c-c12d-72ae-e272-63cfdad6276b","preferred_username":"alice_lead","scope":"email profile","sid":"q93P6ToOpJiV_VNJyNexKN8n","sub":"628dcaec-e5eb-4b3e-aa67-6912f9d6c830","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.132.0.48:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.f70ba1ba-a79a-46d0-b47a-f1c0dac3ff4c.prod.konfluxeaas.com",":method":"DELETE",":path":"/maas-api/v1/api-keys/f5509334-3d12-45a3-8b4d-c59f27b789dd",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-14T15:51:30Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"5fb6b576-adb7-4a2a-9ad1-ec1d629cd5dd","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-14T15:51:30Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"5fb6b576-adb7-4a2a-9ad1-ec1d629cd5dd","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-14T15:51:30Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"5fb6b576-adb7-4a2a-9ad1-ec1d629cd5dd","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-14T15:51:30Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"5fb6b576-adb7-4a2a-9ad1-ec1d629cd5dd","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"keyId","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"userid","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"groups","Value":{}},{"Name":"groups_str","Value":{}}]},"Plain":null},"reason":"no such key: metadata"} {"level":"debug","ts":"2026-06-14T15:51:30Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"5fb6b576-adb7-4a2a-9ad1-ec1d629cd5dd","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"} {"level":"debug","ts":"2026-06-14T15:51:30Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"5fb6b576-adb7-4a2a-9ad1-ec1d629cd5dd","config":{"Name":"X-MaaS-Tenant-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Tenant","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"models-as-a-service"} {"level":"debug","ts":"2026-06-14T15:51:30Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"5fb6b576-adb7-4a2a-9ad1-ec1d629cd5dd","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"} {"level":"info","ts":"2026-06-14T15:51:30Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"5fb6b576-adb7-4a2a-9ad1-ec1d629cd5dd","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-14T15:51:30Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"5fb6b576-adb7-4a2a-9ad1-ec1d629cd5dd","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-14T15:51:30Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"7ac3f3a8-d801-4728-be9e-8c18bafee0ff","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.10:44680","PortSpecifier":{"PortValue":44680}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.48:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"7ac3f3a8-d801-4728-be9e-8c18bafee0ff","method":"DELETE","path":"/maas-api/v1/api-keys/f5509334-3d12-45a3-8b4d-c59f27b789dd","host":"maas.apps.f70ba1ba-a79a-46d0-b47a-f1c0dac3ff4c.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-14T15:51:30Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"7ac3f3a8-d801-4728-be9e-8c18bafee0ff","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.10:44680","PortSpecifier":{"PortValue":44680}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.48:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781452290,"nanos":370670606},"http":{"id":"7ac3f3a8-d801-4728-be9e-8c18bafee0ff","method":"DELETE","headers":{":authority":"maas.apps.f70ba1ba-a79a-46d0-b47a-f1c0dac3ff4c.prod.konfluxeaas.com",":method":"DELETE",":path":"/maas-api/v1/api-keys/f5509334-3d12-45a3-8b4d-c59f27b789dd",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-14T15:51:30Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"7ac3f3a8-d801-4728-be9e-8c18bafee0ff","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781452590,"groups":["Engineering","Project-Alpha"],"iat":1781452290,"iss":"https://keycloak.apps.f70ba1ba-a79a-46d0-b47a-f1c0dac3ff4c.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:31a1039c-c12d-72ae-e272-63cfdad6276b","preferred_username":"alice_lead","scope":"email profile","sid":"q93P6ToOpJiV_VNJyNexKN8n","sub":"628dcaec-e5eb-4b3e-aa67-6912f9d6c830","typ":"Bearer"}} {"level":"debug","ts":"2026-06-14T15:51:30Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"7ac3f3a8-d801-4728-be9e-8c18bafee0ff","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781452590,"groups":["Engineering","Project-Alpha"],"iat":1781452290,"iss":"https://keycloak.apps.f70ba1ba-a79a-46d0-b47a-f1c0dac3ff4c.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:31a1039c-c12d-72ae-e272-63cfdad6276b","preferred_username":"alice_lead","scope":"email profile","sid":"q93P6ToOpJiV_VNJyNexKN8n","sub":"628dcaec-e5eb-4b3e-aa67-6912f9d6c830","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.132.0.48:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.f70ba1ba-a79a-46d0-b47a-f1c0dac3ff4c.prod.konfluxeaas.com",":method":"DELETE",":path":"/maas-api/v1/api-keys/f5509334-3d12-45a3-8b4d-c59f27b789dd",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-14T15:51:30Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"7ac3f3a8-d801-4728-be9e-8c18bafee0ff","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-14T15:51:30Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"7ac3f3a8-d801-4728-be9e-8c18bafee0ff","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-14T15:51:30Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"7ac3f3a8-d801-4728-be9e-8c18bafee0ff","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-14T15:51:30Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"7ac3f3a8-d801-4728-be9e-8c18bafee0ff","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"keyId","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"userid","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"groups","Value":{}},{"Name":"groups_str","Value":{}}]},"Plain":null},"reason":"no such key: metadata"} {"level":"debug","ts":"2026-06-14T15:51:30Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"7ac3f3a8-d801-4728-be9e-8c18bafee0ff","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"} {"level":"debug","ts":"2026-06-14T15:51:30Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"7ac3f3a8-d801-4728-be9e-8c18bafee0ff","config":{"Name":"X-MaaS-Tenant-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Tenant","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"models-as-a-service"} {"level":"debug","ts":"2026-06-14T15:51:30Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"7ac3f3a8-d801-4728-be9e-8c18bafee0ff","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"} {"level":"info","ts":"2026-06-14T15:51:30Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"7ac3f3a8-d801-4728-be9e-8c18bafee0ff","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-14T15:51:30Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"7ac3f3a8-d801-4728-be9e-8c18bafee0ff","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-14T15:51:30Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"3e00224e-7c44-4757-bdce-02d69d085335","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.10:44692","PortSpecifier":{"PortValue":44692}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.48:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"3e00224e-7c44-4757-bdce-02d69d085335","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.f70ba1ba-a79a-46d0-b47a-f1c0dac3ff4c.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-14T15:51:30Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"3e00224e-7c44-4757-bdce-02d69d085335","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.10:44692","PortSpecifier":{"PortValue":44692}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.48:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781452290,"nanos":529342070},"http":{"id":"3e00224e-7c44-4757-bdce-02d69d085335","method":"POST","headers":{":authority":"maas.apps.f70ba1ba-a79a-46d0-b47a-f1c0dac3ff4c.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-14T15:51:30Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"3e00224e-7c44-4757-bdce-02d69d085335","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781452590,"groups":["Engineering","Project-Alpha"],"iat":1781452290,"iss":"https://keycloak.apps.f70ba1ba-a79a-46d0-b47a-f1c0dac3ff4c.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:d40ea376-3830-74eb-6009-d3d5f1d91239","preferred_username":"alice_lead","scope":"email profile","sid":"qKf0Fn5Tnl3rrT3gvBiT9CxJ","sub":"628dcaec-e5eb-4b3e-aa67-6912f9d6c830","typ":"Bearer"}} {"level":"debug","ts":"2026-06-14T15:51:30Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"3e00224e-7c44-4757-bdce-02d69d085335","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781452590,"groups":["Engineering","Project-Alpha"],"iat":1781452290,"iss":"https://keycloak.apps.f70ba1ba-a79a-46d0-b47a-f1c0dac3ff4c.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:d40ea376-3830-74eb-6009-d3d5f1d91239","preferred_username":"alice_lead","scope":"email profile","sid":"qKf0Fn5Tnl3rrT3gvBiT9CxJ","sub":"628dcaec-e5eb-4b3e-aa67-6912f9d6c830","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.132.0.48:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.f70ba1ba-a79a-46d0-b47a-f1c0dac3ff4c.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-14T15:51:30Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"3e00224e-7c44-4757-bdce-02d69d085335","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-14T15:51:30Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"3e00224e-7c44-4757-bdce-02d69d085335","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-14T15:51:30Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"3e00224e-7c44-4757-bdce-02d69d085335","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-14T15:51:30Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"3e00224e-7c44-4757-bdce-02d69d085335","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"keyId","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"userid","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"groups","Value":{}},{"Name":"groups_str","Value":{}}]},"Plain":null},"reason":"no such key: metadata"} {"level":"debug","ts":"2026-06-14T15:51:30Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"3e00224e-7c44-4757-bdce-02d69d085335","config":{"Name":"X-MaaS-Tenant-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Tenant","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"models-as-a-service"} {"level":"debug","ts":"2026-06-14T15:51:30Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"3e00224e-7c44-4757-bdce-02d69d085335","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"} {"level":"debug","ts":"2026-06-14T15:51:30Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"3e00224e-7c44-4757-bdce-02d69d085335","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"} {"level":"info","ts":"2026-06-14T15:51:30Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"3e00224e-7c44-4757-bdce-02d69d085335","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-14T15:51:30Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"3e00224e-7c44-4757-bdce-02d69d085335","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-14T15:51:30Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"3e294e72-60a3-4d37-bdde-48a1cb5479f9","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.10:44704","PortSpecifier":{"PortValue":44704}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.48:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"3e294e72-60a3-4d37-bdde-48a1cb5479f9","method":"GET","path":"/maas-api/v1/models","host":"maas.apps.f70ba1ba-a79a-46d0-b47a-f1c0dac3ff4c.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-14T15:51:30Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"3e294e72-60a3-4d37-bdde-48a1cb5479f9","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.10:44704","PortSpecifier":{"PortValue":44704}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.48:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781452290,"nanos":559197547},"http":{"id":"3e294e72-60a3-4d37-bdde-48a1cb5479f9","method":"GET","headers":{":authority":"maas.apps.f70ba1ba-a79a-46d0-b47a-f1c0dac3ff4c.prod.konfluxeaas.com",":method":"GET",":path":"/maas-api/v1/models",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-14T15:51:30Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"3e294e72-60a3-4d37-bdde-48a1cb5479f9","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-15LQnUTqnkkQghRZ0_rdB7OKcm9aryOPJrZ5a93eLgphNuCbOtCx8IdVsWdNk"} {"level":"debug","ts":"2026-06-14T15:51:30Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"3e294e72-60a3-4d37-bdde-48a1cb5479f9","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-15LQnUTqnkkQghRZ0_rdB7OKcm9aryOPJrZ5a93eLgphNuCbOtCx8IdVsWdNk\"}"} {"level":"debug","ts":"2026-06-14T15:51:30Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"3e294e72-60a3-4d37-bdde-48a1cb5479f9","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-14T15:51:30Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"3e294e72-60a3-4d37-bdde-48a1cb5479f9","input":{"auth":{"identity":"Bearer **** deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-14T15:51:30Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"3e294e72-60a3-4d37-bdde-48a1cb5479f9","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-14T15:51:30Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"3e294e72-60a3-4d37-bdde-48a1cb5479f9","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-14T15:51:30Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"3e294e72-60a3-4d37-bdde-48a1cb5479f9","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-14T15:51:30Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"3e294e72-60a3-4d37-bdde-48a1cb5479f9","config":{"Name":"X-MaaS-Tenant","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-14T15:51:30Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"3e294e72-60a3-4d37-bdde-48a1cb5479f9","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-14T15:51:30Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"3e294e72-60a3-4d37-bdde-48a1cb5479f9","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-14T15:51:30Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"3e294e72-60a3-4d37-bdde-48a1cb5479f9","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"keyId","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"userid","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"groups","Value":{}},{"Name":"groups_str","Value":{}}]},"Plain":null},"reason":"no such key: subscription-info"} {"level":"debug","ts":"2026-06-14T15:51:30Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"3e294e72-60a3-4d37-bdde-48a1cb5479f9","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"} {"level":"info","ts":"2026-06-14T15:51:30Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"3e294e72-60a3-4d37-bdde-48a1cb5479f9","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-14T15:51:30Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"3e294e72-60a3-4d37-bdde-48a1cb5479f9","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-14T15:51:30Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"430be644-2aae-4539-8bd5-d501b7974752","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.33:45228","PortSpecifier":{"PortValue":45228}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.48:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"430be644-2aae-4539-8bd5-d501b7974752","method":"GET","path":"/llm/facebook-opt-125m-simulated/v1/models","host":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local","scheme":"https"}}}} {"level":"debug","ts":"2026-06-14T15:51:30Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"430be644-2aae-4539-8bd5-d501b7974752","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.33:45228","PortSpecifier":{"PortValue":45228}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.48:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781452290,"nanos":573973369},"http":{"id":"430be644-2aae-4539-8bd5-d501b7974752","method":"GET","headers":{":authority":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local",":method":"GET",":path":"/llm/facebook-opt-125m-simulated/v1/models",":scheme":"https","accept-encoding":"gzip","authorization":"Bearer **** {"level":"debug","ts":"2026-06-14T15:51:30Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"430be644-2aae-4539-8bd5-d501b7974752","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-15LQnUTqnkkQghRZ0_rdB7OKcm9aryOPJrZ5a93eLgphNuCbOtCx8IdVsWdNk"} {"level":"debug","ts":"2026-06-14T15:51:30Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"430be644-2aae-4539-8bd5-d501b7974752","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-15LQnUTqnkkQghRZ0_rdB7OKcm9aryOPJrZ5a93eLgphNuCbOtCx8IdVsWdNk\"}"} {"level":"debug","ts":"2026-06-14T15:51:30Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"430be644-2aae-4539-8bd5-d501b7974752","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-14T15:51:30Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"430be644-2aae-4539-8bd5-d501b7974752","config":"subscription-info","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","headers":{"Content-Type":["application/json"]},"body":"{\"groups\":[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"],\"requestedModel\":\"llm/facebook-opt-125m-simulated\",\"requestedSubscription\":\"simulator-subscription\",\"username\":\"alice_lead\"}"} {"level":"debug","ts":"2026-06-14T15:51:30Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"430be644-2aae-4539-8bd5-d501b7974752","config":{"Name":"subscription-info","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"UserInfo":null,"UMA":null,"GenericHTTP":{"Endpoint":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","DynamicEndpoint":null,"Method":"POST","Body":{},"Parameters":[],"Headers":[],"ContentType":"application/json","SharedSecret":"","OAuth2":null,"OAuth2TokenForceFetch":false,"AuthCredentials":null}},"object":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}} {"level":"debug","ts":"2026-06-14T15:51:30Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"430be644-2aae-4539-8bd5-d501b7974752","input":{"auth":{"identity":"Bearer **** subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}}},"context":{"context_extensions":{"host":"3dd75e19cd66d310c30638e330078972afd6d2d96305f91055bc6a6f363fb8d3"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.132.0.48:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local",":method":"GET",":path":"/llm/facebook-opt-125m-simulated/v1/models",":scheme":"https","accept-encoding":"gzip","authorization":"Bearer **** sk-oai-15LQnUTqnkkQghRZ0_rdB7OKcm9aryOPJrZ5a93eLgphNuCbOtCx8IdVsWdNk","user-agent":"Go-http-client/1.1","x-envoy-decorator-operation":"facebook-opt-125m-simulated-kserve-workload-svc.llm.svc.cluster.local:8000/*","x-envoy-external-address":"10.134.0.33","x-envoy-peer-metadata":"ChoKCkNMVVNURVJfSUQSDBoKS3ViZXJuZXRlcwqLAQoGTEFCRUxTEoABKn4KSwofc2VydmljZS5pc3Rpby5pby9jYW5vbmljYWwtbmFtZRIoGiZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAovCiNzZXJ2aWNlLmlzdGlvLmlvL2Nhbm9uaWNhbC1yZXZpc2lvbhIIGgZsYXRlc3QKQAoETkFNRRI4GjZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdC02ODdmZjY5OTYtOWpybmwKIAoJTkFNRVNQQUNFEhMaEW9wZW5zaGlmdC1pbmdyZXNzCnQKBU9XTkVSEmsaaWt1YmVybmV0ZXM6Ly9hcGlzL2FwcHMvdjEvbmFtZXNwYWNlcy9vcGVuc2hpZnQtaW5ncmVzcy9kZXBsb3ltZW50cy9tYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAo5Cg1XT1JLTE9BRF9OQU1FEigaJm1hYXMtZGVmYXVsdC1nYXRld2F5LW9wZW5zaGlmdC1kZWZhdWx0","x-envoy-peer-metadata-id":"router~10.132.0.48~maas-default-gateway-openshift-default-687ff6996-9jrnl.openshift-ingress~openshift-ingress.svc.cluster.local","x-forwarded-for":"10.134.0.33","x-forwarded-proto":"https","x-maas-subscription":"simulator-subscription","x-request-id":"430be644-2aae-4539-8bd5-d501b7974752"},"host":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local","id":"430be644-2aae-4539-8bd5-d501b7974752","method":"GET","path":"/llm/facebook-opt-125m-simulated/v1/models","protocol":"HTTP/1.1","scheme":"https","time":{"nanos":573973369,"seconds":1781452290},"url_path":"/llm/facebook-opt-125m-simulated/v1/models","user_agent":"Go-http-client/1.1"},"source":{"address":"10.134.0.33:45228","port":45228}}} {"level":"debug","ts":"2026-06-14T15:51:30Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"430be644-2aae-4539-8bd5-d501b7974752","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-14T15:51:30Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"430be644-2aae-4539-8bd5-d501b7974752","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-14T15:51:30Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"430be644-2aae-4539-8bd5-d501b7974752","config":{"Name":"subscription-valid","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-14T15:51:30Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"430be644-2aae-4539-8bd5-d501b7974752","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-14T15:51:30Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"430be644-2aae-4539-8bd5-d501b7974752","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-14T15:51:30Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"430be644-2aae-4539-8bd5-d501b7974752","config":{"Name":"X-MaaS-Tenant","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-14T15:51:30Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"430be644-2aae-4539-8bd5-d501b7974752","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-14T15:51:30Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"430be644-2aae-4539-8bd5-d501b7974752","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"} {"level":"debug","ts":"2026-06-14T15:51:30Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"430be644-2aae-4539-8bd5-d501b7974752","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"groups_str","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"groups","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"userid","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error","Value":{}}]},"Plain":null},"object":{"groups":["system:authenticated","Engineering","Project-Alpha"],"groups_str":"system:authenticated,Engineering,Project-Alpha","keyId":"23e45857-ce10-4e70-909b-8aeb2f96450f","selected_subscription":"simulator-subscription","selected_subscription_key":"models-as-a-service/simulator-subscription@llm/facebook-opt-125m-simulated","subscription_error":"","subscription_error_message":"","subscription_info":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true},"userid":"alice_lead"}} {"level":"info","ts":"2026-06-14T15:51:30Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"430be644-2aae-4539-8bd5-d501b7974752","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-14T15:51:30Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"430be644-2aae-4539-8bd5-d501b7974752","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-14T15:51:30Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"1bdd2d44-4715-43ab-a8da-63eb18de08ae","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.10:44710","PortSpecifier":{"PortValue":44710}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.48:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"1bdd2d44-4715-43ab-a8da-63eb18de08ae","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.f70ba1ba-a79a-46d0-b47a-f1c0dac3ff4c.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-14T15:51:30Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"1bdd2d44-4715-43ab-a8da-63eb18de08ae","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.10:44710","PortSpecifier":{"PortValue":44710}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.48:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781452290,"nanos":722981690},"http":{"id":"1bdd2d44-4715-43ab-a8da-63eb18de08ae","method":"POST","headers":{":authority":"maas.apps.f70ba1ba-a79a-46d0-b47a-f1c0dac3ff4c.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-14T15:51:30Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"1bdd2d44-4715-43ab-a8da-63eb18de08ae","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781452590,"groups":["Engineering","Project-Alpha"],"iat":1781452290,"iss":"https://keycloak.apps.f70ba1ba-a79a-46d0-b47a-f1c0dac3ff4c.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:34ad359f-b70d-3ebc-f9fc-18247c037b31","preferred_username":"alice_lead","scope":"email profile","sid":"ZaTSaRvZfVlugxqayz7-0NG_","sub":"628dcaec-e5eb-4b3e-aa67-6912f9d6c830","typ":"Bearer"}} {"level":"debug","ts":"2026-06-14T15:51:30Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"1bdd2d44-4715-43ab-a8da-63eb18de08ae","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781452590,"groups":["Engineering","Project-Alpha"],"iat":1781452290,"iss":"https://keycloak.apps.f70ba1ba-a79a-46d0-b47a-f1c0dac3ff4c.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:34ad359f-b70d-3ebc-f9fc-18247c037b31","preferred_username":"alice_lead","scope":"email profile","sid":"ZaTSaRvZfVlugxqayz7-0NG_","sub":"628dcaec-e5eb-4b3e-aa67-6912f9d6c830","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.132.0.48:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.f70ba1ba-a79a-46d0-b47a-f1c0dac3ff4c.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-14T15:51:30Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"1bdd2d44-4715-43ab-a8da-63eb18de08ae","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-14T15:51:30Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"1bdd2d44-4715-43ab-a8da-63eb18de08ae","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-14T15:51:30Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"1bdd2d44-4715-43ab-a8da-63eb18de08ae","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-14T15:51:30Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"1bdd2d44-4715-43ab-a8da-63eb18de08ae","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"keyId","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"userid","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"groups","Value":{}},{"Name":"groups_str","Value":{}}]},"Plain":null},"reason":"no such key: metadata"} {"level":"debug","ts":"2026-06-14T15:51:30Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"1bdd2d44-4715-43ab-a8da-63eb18de08ae","config":{"Name":"X-MaaS-Tenant-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Tenant","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"models-as-a-service"} {"level":"debug","ts":"2026-06-14T15:51:30Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"1bdd2d44-4715-43ab-a8da-63eb18de08ae","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"} {"level":"debug","ts":"2026-06-14T15:51:30Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"1bdd2d44-4715-43ab-a8da-63eb18de08ae","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"} {"level":"info","ts":"2026-06-14T15:51:30Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"1bdd2d44-4715-43ab-a8da-63eb18de08ae","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-14T15:51:30Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"1bdd2d44-4715-43ab-a8da-63eb18de08ae","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-14T15:51:30Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"7310b211-4627-4f02-955d-5274c96f5368","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.10:44724","PortSpecifier":{"PortValue":44724}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.48:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"7310b211-4627-4f02-955d-5274c96f5368","method":"GET","path":"/maas-api/v1/models","host":"maas.apps.f70ba1ba-a79a-46d0-b47a-f1c0dac3ff4c.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-14T15:51:30Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"7310b211-4627-4f02-955d-5274c96f5368","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.10:44724","PortSpecifier":{"PortValue":44724}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.48:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781452290,"nanos":751468787},"http":{"id":"7310b211-4627-4f02-955d-5274c96f5368","method":"GET","headers":{":authority":"maas.apps.f70ba1ba-a79a-46d0-b47a-f1c0dac3ff4c.prod.konfluxeaas.com",":method":"GET",":path":"/maas-api/v1/models",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-14T15:51:30Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"7310b211-4627-4f02-955d-5274c96f5368","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-1C8fpF24tuHzsVHw2_QcPaFgtqK8PPtdhsy4SPBxkWxsnkGOCpNAbR0Eoefgx"} {"level":"debug","ts":"2026-06-14T15:51:30Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"7310b211-4627-4f02-955d-5274c96f5368","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-1C8fpF24tuHzsVHw2_QcPaFgtqK8PPtdhsy4SPBxkWxsnkGOCpNAbR0Eoefgx\"}"} {"level":"debug","ts":"2026-06-14T15:51:30Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"7310b211-4627-4f02-955d-5274c96f5368","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-14T15:51:30Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"7310b211-4627-4f02-955d-5274c96f5368","input":{"auth":{"identity":"Bearer **** deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-14T15:51:30Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"7310b211-4627-4f02-955d-5274c96f5368","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-14T15:51:30Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"7310b211-4627-4f02-955d-5274c96f5368","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-14T15:51:30Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"7310b211-4627-4f02-955d-5274c96f5368","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-14T15:51:30Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"7310b211-4627-4f02-955d-5274c96f5368","config":{"Name":"X-MaaS-Tenant","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-14T15:51:30Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"7310b211-4627-4f02-955d-5274c96f5368","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-14T15:51:30Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"7310b211-4627-4f02-955d-5274c96f5368","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-14T15:51:30Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"7310b211-4627-4f02-955d-5274c96f5368","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"} {"level":"debug","ts":"2026-06-14T15:51:30Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"7310b211-4627-4f02-955d-5274c96f5368","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"keyId","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"userid","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"groups","Value":{}},{"Name":"groups_str","Value":{}}]},"Plain":null},"reason":"no such key: subscription-info"} {"level":"info","ts":"2026-06-14T15:51:30Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"7310b211-4627-4f02-955d-5274c96f5368","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-14T15:51:30Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"7310b211-4627-4f02-955d-5274c96f5368","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-14T15:51:30Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"ee27587f-c7e3-4f5f-b1a1-0edf3dd2b124","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.10:44732","PortSpecifier":{"PortValue":44732}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.48:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"ee27587f-c7e3-4f5f-b1a1-0edf3dd2b124","method":"GET","path":"/maas-api/v1/models","host":"maas.apps.f70ba1ba-a79a-46d0-b47a-f1c0dac3ff4c.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-14T15:51:30Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"ee27587f-c7e3-4f5f-b1a1-0edf3dd2b124","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.10:44732","PortSpecifier":{"PortValue":44732}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.48:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781452290,"nanos":778202004},"http":{"id":"ee27587f-c7e3-4f5f-b1a1-0edf3dd2b124","method":"GET","headers":{":authority":"maas.apps.f70ba1ba-a79a-46d0-b47a-f1c0dac3ff4c.prod.konfluxeaas.com",":method":"GET",":path":"/maas-api/v1/models",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-14T15:51:30Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"ee27587f-c7e3-4f5f-b1a1-0edf3dd2b124","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-1C8fpF24tuHzsVHw2_QcPaFgtqK8PPtdhsy4SPBxkWxsnkGOCpNAbR0Eoefgx"} {"level":"debug","ts":"2026-06-14T15:51:30Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"ee27587f-c7e3-4f5f-b1a1-0edf3dd2b124","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-1C8fpF24tuHzsVHw2_QcPaFgtqK8PPtdhsy4SPBxkWxsnkGOCpNAbR0Eoefgx\"}"} {"level":"debug","ts":"2026-06-14T15:51:30Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"ee27587f-c7e3-4f5f-b1a1-0edf3dd2b124","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-14T15:51:30Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"ee27587f-c7e3-4f5f-b1a1-0edf3dd2b124","input":{"auth":{"identity":"Bearer **** deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-14T15:51:30Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"ee27587f-c7e3-4f5f-b1a1-0edf3dd2b124","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-14T15:51:30Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"ee27587f-c7e3-4f5f-b1a1-0edf3dd2b124","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-14T15:51:30Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"ee27587f-c7e3-4f5f-b1a1-0edf3dd2b124","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-14T15:51:30Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"ee27587f-c7e3-4f5f-b1a1-0edf3dd2b124","config":{"Name":"X-MaaS-Tenant","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-14T15:51:30Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"ee27587f-c7e3-4f5f-b1a1-0edf3dd2b124","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-14T15:51:30Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"ee27587f-c7e3-4f5f-b1a1-0edf3dd2b124","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-14T15:51:30Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"ee27587f-c7e3-4f5f-b1a1-0edf3dd2b124","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"} {"level":"debug","ts":"2026-06-14T15:51:30Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"ee27587f-c7e3-4f5f-b1a1-0edf3dd2b124","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"keyId","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"userid","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"groups","Value":{}},{"Name":"groups_str","Value":{}}]},"Plain":null},"reason":"no such key: subscription-info"} {"level":"info","ts":"2026-06-14T15:51:30Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"ee27587f-c7e3-4f5f-b1a1-0edf3dd2b124","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-14T15:51:30Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"ee27587f-c7e3-4f5f-b1a1-0edf3dd2b124","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-14T15:51:30Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"cb603b83-c0f7-4c6c-87ac-24cfe661ddee","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.33:45228","PortSpecifier":{"PortValue":45228}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.48:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"cb603b83-c0f7-4c6c-87ac-24cfe661ddee","method":"GET","path":"/llm/facebook-opt-125m-simulated/v1/models","host":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local","scheme":"https"}}}} {"level":"debug","ts":"2026-06-14T15:51:30Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"cb603b83-c0f7-4c6c-87ac-24cfe661ddee","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.33:45228","PortSpecifier":{"PortValue":45228}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.48:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781452290,"nanos":784076660},"http":{"id":"cb603b83-c0f7-4c6c-87ac-24cfe661ddee","method":"GET","headers":{":authority":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local",":method":"GET",":path":"/llm/facebook-opt-125m-simulated/v1/models",":scheme":"https","accept-encoding":"gzip","authorization":"Bearer **** {"level":"debug","ts":"2026-06-14T15:51:30Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"cb603b83-c0f7-4c6c-87ac-24cfe661ddee","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-1C8fpF24tuHzsVHw2_QcPaFgtqK8PPtdhsy4SPBxkWxsnkGOCpNAbR0Eoefgx"} {"level":"debug","ts":"2026-06-14T15:51:30Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"cb603b83-c0f7-4c6c-87ac-24cfe661ddee","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-1C8fpF24tuHzsVHw2_QcPaFgtqK8PPtdhsy4SPBxkWxsnkGOCpNAbR0Eoefgx\"}"} {"level":"debug","ts":"2026-06-14T15:51:30Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"cb603b83-c0f7-4c6c-87ac-24cfe661ddee","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-14T15:51:30Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"cb603b83-c0f7-4c6c-87ac-24cfe661ddee","config":"subscription-info","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","headers":{"Content-Type":["application/json"]},"body":"{\"groups\":[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"],\"requestedModel\":\"llm/facebook-opt-125m-simulated\",\"requestedSubscription\":\"simulator-subscription\",\"username\":\"alice_lead\"}"} {"level":"debug","ts":"2026-06-14T15:51:30Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"cb603b83-c0f7-4c6c-87ac-24cfe661ddee","config":{"Name":"subscription-info","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"UserInfo":null,"UMA":null,"GenericHTTP":{"Endpoint":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","DynamicEndpoint":null,"Method":"POST","Body":{},"Parameters":[],"Headers":[],"ContentType":"application/json","SharedSecret":"","OAuth2":null,"OAuth2TokenForceFetch":false,"AuthCredentials":null}},"object":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}} {"level":"debug","ts":"2026-06-14T15:51:30Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"cb603b83-c0f7-4c6c-87ac-24cfe661ddee","input":{"auth":{"identity":"Bearer **** subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}}},"context":{"context_extensions":{"host":"3dd75e19cd66d310c30638e330078972afd6d2d96305f91055bc6a6f363fb8d3"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.132.0.48:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local",":method":"GET",":path":"/llm/facebook-opt-125m-simulated/v1/models",":scheme":"https","accept-encoding":"gzip","authorization":"Bearer **** sk-oai-1C8fpF24tuHzsVHw2_QcPaFgtqK8PPtdhsy4SPBxkWxsnkGOCpNAbR0Eoefgx","user-agent":"Go-http-client/1.1","x-envoy-decorator-operation":"facebook-opt-125m-simulated-kserve-workload-svc.llm.svc.cluster.local:8000/*","x-envoy-external-address":"10.134.0.33","x-envoy-peer-metadata":"ChoKCkNMVVNURVJfSUQSDBoKS3ViZXJuZXRlcwqLAQoGTEFCRUxTEoABKn4KSwofc2VydmljZS5pc3Rpby5pby9jYW5vbmljYWwtbmFtZRIoGiZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAovCiNzZXJ2aWNlLmlzdGlvLmlvL2Nhbm9uaWNhbC1yZXZpc2lvbhIIGgZsYXRlc3QKQAoETkFNRRI4GjZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdC02ODdmZjY5OTYtOWpybmwKIAoJTkFNRVNQQUNFEhMaEW9wZW5zaGlmdC1pbmdyZXNzCnQKBU9XTkVSEmsaaWt1YmVybmV0ZXM6Ly9hcGlzL2FwcHMvdjEvbmFtZXNwYWNlcy9vcGVuc2hpZnQtaW5ncmVzcy9kZXBsb3ltZW50cy9tYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAo5Cg1XT1JLTE9BRF9OQU1FEigaJm1hYXMtZGVmYXVsdC1nYXRld2F5LW9wZW5zaGlmdC1kZWZhdWx0","x-envoy-peer-metadata-id":"router~10.132.0.48~maas-default-gateway-openshift-default-687ff6996-9jrnl.openshift-ingress~openshift-ingress.svc.cluster.local","x-forwarded-for":"10.134.0.33","x-forwarded-proto":"https","x-maas-subscription":"simulator-subscription","x-request-id":"cb603b83-c0f7-4c6c-87ac-24cfe661ddee"},"host":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local","id":"cb603b83-c0f7-4c6c-87ac-24cfe661ddee","method":"GET","path":"/llm/facebook-opt-125m-simulated/v1/models","protocol":"HTTP/1.1","scheme":"https","time":{"nanos":784076660,"seconds":1781452290},"url_path":"/llm/facebook-opt-125m-simulated/v1/models","user_agent":"Go-http-client/1.1"},"source":{"address":"10.134.0.33:45228","port":45228}}} {"level":"debug","ts":"2026-06-14T15:51:30Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"cb603b83-c0f7-4c6c-87ac-24cfe661ddee","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-14T15:51:30Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"cb603b83-c0f7-4c6c-87ac-24cfe661ddee","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-14T15:51:30Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"cb603b83-c0f7-4c6c-87ac-24cfe661ddee","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-14T15:51:30Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"cb603b83-c0f7-4c6c-87ac-24cfe661ddee","config":{"Name":"subscription-valid","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-14T15:51:30Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"cb603b83-c0f7-4c6c-87ac-24cfe661ddee","config":{"Name":"X-MaaS-Tenant","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-14T15:51:30Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"cb603b83-c0f7-4c6c-87ac-24cfe661ddee","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-14T15:51:30Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"cb603b83-c0f7-4c6c-87ac-24cfe661ddee","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-14T15:51:30Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"cb603b83-c0f7-4c6c-87ac-24cfe661ddee","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"} {"level":"debug","ts":"2026-06-14T15:51:30Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"cb603b83-c0f7-4c6c-87ac-24cfe661ddee","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"groups_str","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"groups","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"userid","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error","Value":{}}]},"Plain":null},"object":{"groups":["system:authenticated","Engineering","Project-Alpha"],"groups_str":"system:authenticated,Engineering,Project-Alpha","keyId":"265399ff-29bb-4ff3-b068-2a0fbab810ee","selected_subscription":"simulator-subscription","selected_subscription_key":"models-as-a-service/simulator-subscription@llm/facebook-opt-125m-simulated","subscription_error":"","subscription_error_message":"","subscription_info":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true},"userid":"alice_lead"}} {"level":"info","ts":"2026-06-14T15:51:30Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"cb603b83-c0f7-4c6c-87ac-24cfe661ddee","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-14T15:51:30Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"cb603b83-c0f7-4c6c-87ac-24cfe661ddee","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-14T15:51:30Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"7af2eb94-a9b5-4016-9fda-14c3d6941574","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.10:44742","PortSpecifier":{"PortValue":44742}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.48:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"7af2eb94-a9b5-4016-9fda-14c3d6941574","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.f70ba1ba-a79a-46d0-b47a-f1c0dac3ff4c.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-14T15:51:30Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"7af2eb94-a9b5-4016-9fda-14c3d6941574","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.10:44742","PortSpecifier":{"PortValue":44742}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.48:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781452290,"nanos":936564432},"http":{"id":"7af2eb94-a9b5-4016-9fda-14c3d6941574","method":"POST","headers":{":authority":"maas.apps.f70ba1ba-a79a-46d0-b47a-f1c0dac3ff4c.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-14T15:51:30Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"7af2eb94-a9b5-4016-9fda-14c3d6941574","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781452590,"groups":["Engineering","Project-Alpha"],"iat":1781452290,"iss":"https://keycloak.apps.f70ba1ba-a79a-46d0-b47a-f1c0dac3ff4c.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:4f2f84c9-1330-d90c-974a-f64b299894b5","preferred_username":"alice_lead","scope":"email profile","sid":"lGrswA3bG6UjnRnfSu-PwMq8","sub":"628dcaec-e5eb-4b3e-aa67-6912f9d6c830","typ":"Bearer"}} {"level":"debug","ts":"2026-06-14T15:51:30Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"7af2eb94-a9b5-4016-9fda-14c3d6941574","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781452590,"groups":["Engineering","Project-Alpha"],"iat":1781452290,"iss":"https://keycloak.apps.f70ba1ba-a79a-46d0-b47a-f1c0dac3ff4c.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:4f2f84c9-1330-d90c-974a-f64b299894b5","preferred_username":"alice_lead","scope":"email profile","sid":"lGrswA3bG6UjnRnfSu-PwMq8","sub":"628dcaec-e5eb-4b3e-aa67-6912f9d6c830","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.132.0.48:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.f70ba1ba-a79a-46d0-b47a-f1c0dac3ff4c.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-14T15:51:30Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"7af2eb94-a9b5-4016-9fda-14c3d6941574","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-14T15:51:30Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"7af2eb94-a9b5-4016-9fda-14c3d6941574","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-14T15:51:30Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"7af2eb94-a9b5-4016-9fda-14c3d6941574","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-14T15:51:30Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"7af2eb94-a9b5-4016-9fda-14c3d6941574","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"keyId","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"userid","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"groups","Value":{}},{"Name":"groups_str","Value":{}}]},"Plain":null},"reason":"no such key: metadata"} {"level":"debug","ts":"2026-06-14T15:51:30Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"7af2eb94-a9b5-4016-9fda-14c3d6941574","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"} {"level":"debug","ts":"2026-06-14T15:51:30Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"7af2eb94-a9b5-4016-9fda-14c3d6941574","config":{"Name":"X-MaaS-Tenant-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Tenant","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"models-as-a-service"} {"level":"debug","ts":"2026-06-14T15:51:30Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"7af2eb94-a9b5-4016-9fda-14c3d6941574","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"} {"level":"info","ts":"2026-06-14T15:51:30Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"7af2eb94-a9b5-4016-9fda-14c3d6941574","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-14T15:51:30Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"7af2eb94-a9b5-4016-9fda-14c3d6941574","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-14T15:51:30Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"86c01be7-6c2f-407e-a939-0bf92b156730","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.10:44744","PortSpecifier":{"PortValue":44744}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.48:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"86c01be7-6c2f-407e-a939-0bf92b156730","method":"GET","path":"/maas-api/v1/models","host":"maas.apps.f70ba1ba-a79a-46d0-b47a-f1c0dac3ff4c.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-14T15:51:30Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"86c01be7-6c2f-407e-a939-0bf92b156730","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.10:44744","PortSpecifier":{"PortValue":44744}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.48:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781452290,"nanos":963682115},"http":{"id":"86c01be7-6c2f-407e-a939-0bf92b156730","method":"GET","headers":{":authority":"maas.apps.f70ba1ba-a79a-46d0-b47a-f1c0dac3ff4c.prod.konfluxeaas.com",":method":"GET",":path":"/maas-api/v1/models",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-14T15:51:30Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"86c01be7-6c2f-407e-a939-0bf92b156730","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-1Pq83yn4f13WPZfaE_3y6BHgf8Wo27UK9GBIAdRb8whnfh8iQTSI1Ngf1lhIr"} {"level":"debug","ts":"2026-06-14T15:51:30Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"86c01be7-6c2f-407e-a939-0bf92b156730","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-1Pq83yn4f13WPZfaE_3y6BHgf8Wo27UK9GBIAdRb8whnfh8iQTSI1Ngf1lhIr\"}"} {"level":"debug","ts":"2026-06-14T15:51:30Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"86c01be7-6c2f-407e-a939-0bf92b156730","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-14T15:51:30Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"86c01be7-6c2f-407e-a939-0bf92b156730","input":{"auth":{"identity":"Bearer **** deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-14T15:51:30Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"86c01be7-6c2f-407e-a939-0bf92b156730","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-14T15:51:30Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"86c01be7-6c2f-407e-a939-0bf92b156730","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-14T15:51:30Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"86c01be7-6c2f-407e-a939-0bf92b156730","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-14T15:51:30Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"86c01be7-6c2f-407e-a939-0bf92b156730","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-14T15:51:30Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"86c01be7-6c2f-407e-a939-0bf92b156730","config":{"Name":"X-MaaS-Tenant","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-14T15:51:30Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"86c01be7-6c2f-407e-a939-0bf92b156730","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-14T15:51:30Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"86c01be7-6c2f-407e-a939-0bf92b156730","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"keyId","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"userid","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"groups","Value":{}},{"Name":"groups_str","Value":{}}]},"Plain":null},"reason":"no such key: subscription-info"} {"level":"debug","ts":"2026-06-14T15:51:30Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"86c01be7-6c2f-407e-a939-0bf92b156730","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"} {"level":"info","ts":"2026-06-14T15:51:30Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"86c01be7-6c2f-407e-a939-0bf92b156730","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-14T15:51:30Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"86c01be7-6c2f-407e-a939-0bf92b156730","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-14T15:51:30Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"99920b80-42fa-4687-94e3-28211b45d7df","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.33:45228","PortSpecifier":{"PortValue":45228}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.48:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"99920b80-42fa-4687-94e3-28211b45d7df","method":"GET","path":"/llm/facebook-opt-125m-simulated/v1/models","host":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local","scheme":"https"}}}} {"level":"debug","ts":"2026-06-14T15:51:30Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"99920b80-42fa-4687-94e3-28211b45d7df","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.33:45228","PortSpecifier":{"PortValue":45228}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.48:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781452290,"nanos":969807784},"http":{"id":"99920b80-42fa-4687-94e3-28211b45d7df","method":"GET","headers":{":authority":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local",":method":"GET",":path":"/llm/facebook-opt-125m-simulated/v1/models",":scheme":"https","accept-encoding":"gzip","authorization":"Bearer **** {"level":"debug","ts":"2026-06-14T15:51:30Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"99920b80-42fa-4687-94e3-28211b45d7df","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-1Pq83yn4f13WPZfaE_3y6BHgf8Wo27UK9GBIAdRb8whnfh8iQTSI1Ngf1lhIr"} {"level":"debug","ts":"2026-06-14T15:51:30Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"99920b80-42fa-4687-94e3-28211b45d7df","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-1Pq83yn4f13WPZfaE_3y6BHgf8Wo27UK9GBIAdRb8whnfh8iQTSI1Ngf1lhIr\"}"} {"level":"debug","ts":"2026-06-14T15:51:30Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"99920b80-42fa-4687-94e3-28211b45d7df","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-14T15:51:30Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"99920b80-42fa-4687-94e3-28211b45d7df","config":"subscription-info","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","headers":{"Content-Type":["application/json"]},"body":"{\"groups\":[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"],\"requestedModel\":\"llm/facebook-opt-125m-simulated\",\"requestedSubscription\":\"simulator-subscription\",\"username\":\"alice_lead\"}"} {"level":"debug","ts":"2026-06-14T15:51:30Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"99920b80-42fa-4687-94e3-28211b45d7df","config":{"Name":"subscription-info","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"UserInfo":null,"UMA":null,"GenericHTTP":{"Endpoint":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","DynamicEndpoint":null,"Method":"POST","Body":{},"Parameters":[],"Headers":[],"ContentType":"application/json","SharedSecret":"","OAuth2":null,"OAuth2TokenForceFetch":false,"AuthCredentials":null}},"object":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}} {"level":"debug","ts":"2026-06-14T15:51:30Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"99920b80-42fa-4687-94e3-28211b45d7df","input":{"auth":{"identity":"Bearer **** subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}}},"context":{"context_extensions":{"host":"3dd75e19cd66d310c30638e330078972afd6d2d96305f91055bc6a6f363fb8d3"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.132.0.48:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local",":method":"GET",":path":"/llm/facebook-opt-125m-simulated/v1/models",":scheme":"https","accept-encoding":"gzip","authorization":"Bearer **** sk-oai-1Pq83yn4f13WPZfaE_3y6BHgf8Wo27UK9GBIAdRb8whnfh8iQTSI1Ngf1lhIr","user-agent":"Go-http-client/1.1","x-envoy-decorator-operation":"facebook-opt-125m-simulated-kserve-workload-svc.llm.svc.cluster.local:8000/*","x-envoy-external-address":"10.134.0.33","x-envoy-peer-metadata":"ChoKCkNMVVNURVJfSUQSDBoKS3ViZXJuZXRlcwqLAQoGTEFCRUxTEoABKn4KSwofc2VydmljZS5pc3Rpby5pby9jYW5vbmljYWwtbmFtZRIoGiZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAovCiNzZXJ2aWNlLmlzdGlvLmlvL2Nhbm9uaWNhbC1yZXZpc2lvbhIIGgZsYXRlc3QKQAoETkFNRRI4GjZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdC02ODdmZjY5OTYtOWpybmwKIAoJTkFNRVNQQUNFEhMaEW9wZW5zaGlmdC1pbmdyZXNzCnQKBU9XTkVSEmsaaWt1YmVybmV0ZXM6Ly9hcGlzL2FwcHMvdjEvbmFtZXNwYWNlcy9vcGVuc2hpZnQtaW5ncmVzcy9kZXBsb3ltZW50cy9tYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAo5Cg1XT1JLTE9BRF9OQU1FEigaJm1hYXMtZGVmYXVsdC1nYXRld2F5LW9wZW5zaGlmdC1kZWZhdWx0","x-envoy-peer-metadata-id":"router~10.132.0.48~maas-default-gateway-openshift-default-687ff6996-9jrnl.openshift-ingress~openshift-ingress.svc.cluster.local","x-forwarded-for":"10.134.0.33","x-forwarded-proto":"https","x-maas-subscription":"simulator-subscription","x-request-id":"99920b80-42fa-4687-94e3-28211b45d7df"},"host":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local","id":"99920b80-42fa-4687-94e3-28211b45d7df","method":"GET","path":"/llm/facebook-opt-125m-simulated/v1/models","protocol":"HTTP/1.1","scheme":"https","time":{"nanos":969807784,"seconds":1781452290},"url_path":"/llm/facebook-opt-125m-simulated/v1/models","user_agent":"Go-http-client/1.1"},"source":{"address":"10.134.0.33:45228","port":45228}}} {"level":"debug","ts":"2026-06-14T15:51:30Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"99920b80-42fa-4687-94e3-28211b45d7df","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-14T15:51:30Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"99920b80-42fa-4687-94e3-28211b45d7df","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-14T15:51:30Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"99920b80-42fa-4687-94e3-28211b45d7df","config":{"Name":"subscription-valid","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-14T15:51:30Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"99920b80-42fa-4687-94e3-28211b45d7df","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-14T15:51:30Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"99920b80-42fa-4687-94e3-28211b45d7df","config":{"Name":"X-MaaS-Tenant","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-14T15:51:30Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"99920b80-42fa-4687-94e3-28211b45d7df","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-14T15:51:30Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"99920b80-42fa-4687-94e3-28211b45d7df","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-14T15:51:30Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"99920b80-42fa-4687-94e3-28211b45d7df","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"} {"level":"debug","ts":"2026-06-14T15:51:30Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"99920b80-42fa-4687-94e3-28211b45d7df","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"groups_str","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"groups","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"userid","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error","Value":{}}]},"Plain":null},"object":{"groups":["system:authenticated","Engineering","Project-Alpha"],"groups_str":"system:authenticated,Engineering,Project-Alpha","keyId":"ffd1f3ef-bdb3-4568-9a41-1d34d203e34c","selected_subscription":"simulator-subscription","selected_subscription_key":"models-as-a-service/simulator-subscription@llm/facebook-opt-125m-simulated","subscription_error":"","subscription_error_message":"","subscription_info":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true},"userid":"alice_lead"}} {"level":"info","ts":"2026-06-14T15:51:30Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"99920b80-42fa-4687-94e3-28211b45d7df","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-14T15:51:30Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"99920b80-42fa-4687-94e3-28211b45d7df","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-14T15:51:31Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"82e0c49c-e2df-485c-8247-20a534e88b14","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.10:44746","PortSpecifier":{"PortValue":44746}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.48:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"82e0c49c-e2df-485c-8247-20a534e88b14","method":"GET","path":"/maas-api/v1/models","host":"maas.apps.f70ba1ba-a79a-46d0-b47a-f1c0dac3ff4c.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-14T15:51:31Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"82e0c49c-e2df-485c-8247-20a534e88b14","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.10:44746","PortSpecifier":{"PortValue":44746}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.48:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781452291,"nanos":1593698},"http":{"id":"82e0c49c-e2df-485c-8247-20a534e88b14","method":"GET","headers":{":authority":"maas.apps.f70ba1ba-a79a-46d0-b47a-f1c0dac3ff4c.prod.konfluxeaas.com",":method":"GET",":path":"/maas-api/v1/models",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-14T15:51:31Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"82e0c49c-e2df-485c-8247-20a534e88b14","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-1Pq83yn4f13WPZfaE_3y6BHgf8Wo27UK9GBIAdRb8whnfh8iQTSI1Ngf1lhIr"} {"level":"debug","ts":"2026-06-14T15:51:31Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"82e0c49c-e2df-485c-8247-20a534e88b14","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-1Pq83yn4f13WPZfaE_3y6BHgf8Wo27UK9GBIAdRb8whnfh8iQTSI1Ngf1lhIr\"}"} {"level":"debug","ts":"2026-06-14T15:51:31Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"82e0c49c-e2df-485c-8247-20a534e88b14","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-14T15:51:31Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"82e0c49c-e2df-485c-8247-20a534e88b14","input":{"auth":{"identity":"Bearer **** deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-14T15:51:31Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"82e0c49c-e2df-485c-8247-20a534e88b14","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-14T15:51:31Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"82e0c49c-e2df-485c-8247-20a534e88b14","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-14T15:51:31Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"82e0c49c-e2df-485c-8247-20a534e88b14","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-14T15:51:31Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"82e0c49c-e2df-485c-8247-20a534e88b14","config":{"Name":"X-MaaS-Tenant","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-14T15:51:31Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"82e0c49c-e2df-485c-8247-20a534e88b14","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-14T15:51:31Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"82e0c49c-e2df-485c-8247-20a534e88b14","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-14T15:51:31Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"82e0c49c-e2df-485c-8247-20a534e88b14","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"} {"level":"debug","ts":"2026-06-14T15:51:31Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"82e0c49c-e2df-485c-8247-20a534e88b14","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"keyId","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"userid","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"groups","Value":{}},{"Name":"groups_str","Value":{}}]},"Plain":null},"reason":"no such key: subscription-info"} {"level":"info","ts":"2026-06-14T15:51:31Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"82e0c49c-e2df-485c-8247-20a534e88b14","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-14T15:51:31Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"82e0c49c-e2df-485c-8247-20a534e88b14","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-14T15:51:31Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"0decef4a-fc4f-46f3-b77b-b0a416b19582","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.33:45228","PortSpecifier":{"PortValue":45228}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.48:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"0decef4a-fc4f-46f3-b77b-b0a416b19582","method":"GET","path":"/llm/facebook-opt-125m-simulated/v1/models","host":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local","scheme":"https"}}}} {"level":"debug","ts":"2026-06-14T15:51:31Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"0decef4a-fc4f-46f3-b77b-b0a416b19582","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.33:45228","PortSpecifier":{"PortValue":45228}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.48:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781452291,"nanos":7940514},"http":{"id":"0decef4a-fc4f-46f3-b77b-b0a416b19582","method":"GET","headers":{":authority":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local",":method":"GET",":path":"/llm/facebook-opt-125m-simulated/v1/models",":scheme":"https","accept-encoding":"gzip","authorization":"Bearer **** {"level":"debug","ts":"2026-06-14T15:51:31Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"0decef4a-fc4f-46f3-b77b-b0a416b19582","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-1Pq83yn4f13WPZfaE_3y6BHgf8Wo27UK9GBIAdRb8whnfh8iQTSI1Ngf1lhIr"} {"level":"debug","ts":"2026-06-14T15:51:31Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"0decef4a-fc4f-46f3-b77b-b0a416b19582","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-1Pq83yn4f13WPZfaE_3y6BHgf8Wo27UK9GBIAdRb8whnfh8iQTSI1Ngf1lhIr\"}"} {"level":"debug","ts":"2026-06-14T15:51:31Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"0decef4a-fc4f-46f3-b77b-b0a416b19582","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-14T15:51:31Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"0decef4a-fc4f-46f3-b77b-b0a416b19582","config":"subscription-info","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","headers":{"Content-Type":["application/json"]},"body":"{\"groups\":[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"],\"requestedModel\":\"llm/facebook-opt-125m-simulated\",\"requestedSubscription\":\"simulator-subscription\",\"username\":\"alice_lead\"}"} {"level":"debug","ts":"2026-06-14T15:51:31Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"0decef4a-fc4f-46f3-b77b-b0a416b19582","config":{"Name":"subscription-info","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"UserInfo":null,"UMA":null,"GenericHTTP":{"Endpoint":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","DynamicEndpoint":null,"Method":"POST","Body":{},"Parameters":[],"Headers":[],"ContentType":"application/json","SharedSecret":"","OAuth2":null,"OAuth2TokenForceFetch":false,"AuthCredentials":null}},"object":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}} {"level":"debug","ts":"2026-06-14T15:51:31Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"0decef4a-fc4f-46f3-b77b-b0a416b19582","input":{"auth":{"identity":"Bearer **** subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}}},"context":{"context_extensions":{"host":"3dd75e19cd66d310c30638e330078972afd6d2d96305f91055bc6a6f363fb8d3"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.132.0.48:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local",":method":"GET",":path":"/llm/facebook-opt-125m-simulated/v1/models",":scheme":"https","accept-encoding":"gzip","authorization":"Bearer **** sk-oai-1Pq83yn4f13WPZfaE_3y6BHgf8Wo27UK9GBIAdRb8whnfh8iQTSI1Ngf1lhIr","user-agent":"Go-http-client/1.1","x-envoy-decorator-operation":"facebook-opt-125m-simulated-kserve-workload-svc.llm.svc.cluster.local:8000/*","x-envoy-external-address":"10.134.0.33","x-envoy-peer-metadata":"ChoKCkNMVVNURVJfSUQSDBoKS3ViZXJuZXRlcwqLAQoGTEFCRUxTEoABKn4KSwofc2VydmljZS5pc3Rpby5pby9jYW5vbmljYWwtbmFtZRIoGiZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAovCiNzZXJ2aWNlLmlzdGlvLmlvL2Nhbm9uaWNhbC1yZXZpc2lvbhIIGgZsYXRlc3QKQAoETkFNRRI4GjZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdC02ODdmZjY5OTYtOWpybmwKIAoJTkFNRVNQQUNFEhMaEW9wZW5zaGlmdC1pbmdyZXNzCnQKBU9XTkVSEmsaaWt1YmVybmV0ZXM6Ly9hcGlzL2FwcHMvdjEvbmFtZXNwYWNlcy9vcGVuc2hpZnQtaW5ncmVzcy9kZXBsb3ltZW50cy9tYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAo5Cg1XT1JLTE9BRF9OQU1FEigaJm1hYXMtZGVmYXVsdC1nYXRld2F5LW9wZW5zaGlmdC1kZWZhdWx0","x-envoy-peer-metadata-id":"router~10.132.0.48~maas-default-gateway-openshift-default-687ff6996-9jrnl.openshift-ingress~openshift-ingress.svc.cluster.local","x-forwarded-for":"10.134.0.33","x-forwarded-proto":"https","x-maas-subscription":"simulator-subscription","x-request-id":"0decef4a-fc4f-46f3-b77b-b0a416b19582"},"host":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local","id":"0decef4a-fc4f-46f3-b77b-b0a416b19582","method":"GET","path":"/llm/facebook-opt-125m-simulated/v1/models","protocol":"HTTP/1.1","scheme":"https","time":{"nanos":7940514,"seconds":1781452291},"url_path":"/llm/facebook-opt-125m-simulated/v1/models","user_agent":"Go-http-client/1.1"},"source":{"address":"10.134.0.33:45228","port":45228}}} {"level":"debug","ts":"2026-06-14T15:51:31Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"0decef4a-fc4f-46f3-b77b-b0a416b19582","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-14T15:51:31Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"0decef4a-fc4f-46f3-b77b-b0a416b19582","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-14T15:51:31Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"0decef4a-fc4f-46f3-b77b-b0a416b19582","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-14T15:51:31Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"0decef4a-fc4f-46f3-b77b-b0a416b19582","config":{"Name":"subscription-valid","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-14T15:51:31Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"0decef4a-fc4f-46f3-b77b-b0a416b19582","config":{"Name":"X-MaaS-Tenant","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-14T15:51:31Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"0decef4a-fc4f-46f3-b77b-b0a416b19582","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-14T15:51:31Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"0decef4a-fc4f-46f3-b77b-b0a416b19582","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-14T15:51:31Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"0decef4a-fc4f-46f3-b77b-b0a416b19582","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"} {"level":"debug","ts":"2026-06-14T15:51:31Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"0decef4a-fc4f-46f3-b77b-b0a416b19582","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"groups_str","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"groups","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"userid","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error","Value":{}}]},"Plain":null},"object":{"groups":["system:authenticated","Engineering","Project-Alpha"],"groups_str":"system:authenticated,Engineering,Project-Alpha","keyId":"ffd1f3ef-bdb3-4568-9a41-1d34d203e34c","selected_subscription":"simulator-subscription","selected_subscription_key":"models-as-a-service/simulator-subscription@llm/facebook-opt-125m-simulated","subscription_error":"","subscription_error_message":"","subscription_info":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true},"userid":"alice_lead"}} {"level":"info","ts":"2026-06-14T15:51:31Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"0decef4a-fc4f-46f3-b77b-b0a416b19582","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-14T15:51:31Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"0decef4a-fc4f-46f3-b77b-b0a416b19582","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-14T15:51:31Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"815af89a-a1ad-4e46-9fd6-0ca93061fd62","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.10:44754","PortSpecifier":{"PortValue":44754}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.48:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"815af89a-a1ad-4e46-9fd6-0ca93061fd62","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.f70ba1ba-a79a-46d0-b47a-f1c0dac3ff4c.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-14T15:51:31Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"815af89a-a1ad-4e46-9fd6-0ca93061fd62","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.10:44754","PortSpecifier":{"PortValue":44754}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.48:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781452291,"nanos":161486881},"http":{"id":"815af89a-a1ad-4e46-9fd6-0ca93061fd62","method":"POST","headers":{":authority":"maas.apps.f70ba1ba-a79a-46d0-b47a-f1c0dac3ff4c.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-14T15:51:31Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"815af89a-a1ad-4e46-9fd6-0ca93061fd62","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781452591,"groups":["Engineering","Project-Alpha"],"iat":1781452291,"iss":"https://keycloak.apps.f70ba1ba-a79a-46d0-b47a-f1c0dac3ff4c.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:de62e840-4ad3-0951-c306-da46bcab97b2","preferred_username":"alice_lead","scope":"email profile","sid":"2ZNH3ySUo9a42DQi01tSzoeQ","sub":"628dcaec-e5eb-4b3e-aa67-6912f9d6c830","typ":"Bearer"}} {"level":"debug","ts":"2026-06-14T15:51:31Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"815af89a-a1ad-4e46-9fd6-0ca93061fd62","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781452591,"groups":["Engineering","Project-Alpha"],"iat":1781452291,"iss":"https://keycloak.apps.f70ba1ba-a79a-46d0-b47a-f1c0dac3ff4c.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:de62e840-4ad3-0951-c306-da46bcab97b2","preferred_username":"alice_lead","scope":"email profile","sid":"2ZNH3ySUo9a42DQi01tSzoeQ","sub":"628dcaec-e5eb-4b3e-aa67-6912f9d6c830","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.132.0.48:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.f70ba1ba-a79a-46d0-b47a-f1c0dac3ff4c.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-14T15:51:31Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"815af89a-a1ad-4e46-9fd6-0ca93061fd62","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-14T15:51:31Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"815af89a-a1ad-4e46-9fd6-0ca93061fd62","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-14T15:51:31Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"815af89a-a1ad-4e46-9fd6-0ca93061fd62","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-14T15:51:31Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"815af89a-a1ad-4e46-9fd6-0ca93061fd62","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"keyId","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"userid","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"groups","Value":{}},{"Name":"groups_str","Value":{}}]},"Plain":null},"reason":"no such key: metadata"} {"level":"debug","ts":"2026-06-14T15:51:31Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"815af89a-a1ad-4e46-9fd6-0ca93061fd62","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"} {"level":"debug","ts":"2026-06-14T15:51:31Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"815af89a-a1ad-4e46-9fd6-0ca93061fd62","config":{"Name":"X-MaaS-Tenant-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Tenant","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"models-as-a-service"} {"level":"debug","ts":"2026-06-14T15:51:31Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"815af89a-a1ad-4e46-9fd6-0ca93061fd62","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"} {"level":"info","ts":"2026-06-14T15:51:31Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"815af89a-a1ad-4e46-9fd6-0ca93061fd62","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-14T15:51:31Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"815af89a-a1ad-4e46-9fd6-0ca93061fd62","authorized":true,"response":"OK"}