{"level":"debug","ts":"2026-06-15T08:58:29Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/3dd75e19cd66d310c30638e330078972afd6d2d96305f91055bc6a6f363fb8d3","issuerUrl":"https://keycloak.apps.25fbe405-33b9-4067-aa23-95cf0c2813ef.prod.konfluxeaas.com/realms/tenant-a"}
{"level":"info","ts":"2026-06-15T08:58:29Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"bf72a6316f6ed79299511e58d068836cdc71dbca5e23944f783c9340ffa0aee1","namespace":"kuadrant-system"}}
{"level":"debug","ts":"2026-06-15T08:58:29Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"9bbfc0b2e9e9acadd41342cd7c36a24afa8a5eef942d161782a6adae8411158a","namespace":"kuadrant-system"}}
{"level":"debug","ts":"2026-06-15T08:58:29Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"bf72a6316f6ed79299511e58d068836cdc71dbca5e23944f783c9340ffa0aee1","namespace":"kuadrant-system"}}
{"level":"info","ts":"2026-06-15T08:58:29Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/3dd75e19cd66d310c30638e330078972afd6d2d96305f91055bc6a6f363fb8d3"}
{"level":"debug","ts":"2026-06-15T08:58:29Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/bf72a6316f6ed79299511e58d068836cdc71dbca5e23944f783c9340ffa0aee1","issuerUrl":"https://keycloak.apps.25fbe405-33b9-4067-aa23-95cf0c2813ef.prod.konfluxeaas.com/realms/tenant-a"}
{"level":"debug","ts":"2026-06-15T08:58:29Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"edcceb5a2e0cf1edde0fc3ed43068ce5b123a6fdc41949959c2c3b7a5a48bf24","namespace":"kuadrant-system"}}
{"level":"info","ts":"2026-06-15T08:58:29Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/bf72a6316f6ed79299511e58d068836cdc71dbca5e23944f783c9340ffa0aee1"}
{"level":"debug","ts":"2026-06-15T08:58:29Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/9bbfc0b2e9e9acadd41342cd7c36a24afa8a5eef942d161782a6adae8411158a","issuerUrl":"https://keycloak.apps.25fbe405-33b9-4067-aa23-95cf0c2813ef.prod.konfluxeaas.com/realms/tenant-a"}
{"level":"debug","ts":"2026-06-15T08:58:29Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"e50f5fdcb9fb7e124557afe69edae9a95d05da488eae1cc4b5c1c7c1220a826a","namespace":"kuadrant-system"}}
{"level":"info","ts":"2026-06-15T08:58:29Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/9bbfc0b2e9e9acadd41342cd7c36a24afa8a5eef942d161782a6adae8411158a"}
{"level":"debug","ts":"2026-06-15T08:58:29Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/edcceb5a2e0cf1edde0fc3ed43068ce5b123a6fdc41949959c2c3b7a5a48bf24","issuerUrl":"https://keycloak.apps.25fbe405-33b9-4067-aa23-95cf0c2813ef.prod.konfluxeaas.com/realms/tenant-a"}
{"level":"debug","ts":"2026-06-15T08:58:29Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"331dc257e65f55f80700a586f7807093eda7b3d8e7d91215dc3c47731508480c","namespace":"kuadrant-system"}}
{"level":"info","ts":"2026-06-15T08:58:29Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/edcceb5a2e0cf1edde0fc3ed43068ce5b123a6fdc41949959c2c3b7a5a48bf24"}
{"level":"debug","ts":"2026-06-15T08:58:29Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/e50f5fdcb9fb7e124557afe69edae9a95d05da488eae1cc4b5c1c7c1220a826a","issuerUrl":"https://keycloak.apps.25fbe405-33b9-4067-aa23-95cf0c2813ef.prod.konfluxeaas.com/realms/tenant-a"}
{"level":"debug","ts":"2026-06-15T08:58:29Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"01918e70442d2cb18c94316131b0e0a241b4a5d12df5b1e1981a3bef420bbdb5","namespace":"kuadrant-system"}}
{"level":"info","ts":"2026-06-15T08:58:29Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/e50f5fdcb9fb7e124557afe69edae9a95d05da488eae1cc4b5c1c7c1220a826a"}
{"level":"debug","ts":"2026-06-15T08:58:29Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/331dc257e65f55f80700a586f7807093eda7b3d8e7d91215dc3c47731508480c","issuerUrl":"https://keycloak.apps.25fbe405-33b9-4067-aa23-95cf0c2813ef.prod.konfluxeaas.com/realms/tenant-a"}
{"level":"debug","ts":"2026-06-15T08:58:29Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"7371c34ce8e4df2309ee8f952c87f921947b289427b6e9ea579dcb9970fc1b86","namespace":"kuadrant-system"}}
{"level":"info","ts":"2026-06-15T08:58:29Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/331dc257e65f55f80700a586f7807093eda7b3d8e7d91215dc3c47731508480c"}
{"level":"debug","ts":"2026-06-15T08:58:29Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/01918e70442d2cb18c94316131b0e0a241b4a5d12df5b1e1981a3bef420bbdb5","issuerUrl":"https://keycloak.apps.25fbe405-33b9-4067-aa23-95cf0c2813ef.prod.konfluxeaas.com/realms/tenant-a"}
{"level":"debug","ts":"2026-06-15T08:58:29Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"5fea747cb803a5ee3aeb620187bd9ec74ccccd10a92474ef528215a7ff146c8f","namespace":"kuadrant-system"}}
{"level":"info","ts":"2026-06-15T08:58:29Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/01918e70442d2cb18c94316131b0e0a241b4a5d12df5b1e1981a3bef420bbdb5"}
{"level":"debug","ts":"2026-06-15T08:58:29Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/7371c34ce8e4df2309ee8f952c87f921947b289427b6e9ea579dcb9970fc1b86","issuerUrl":"https://keycloak.apps.25fbe405-33b9-4067-aa23-95cf0c2813ef.prod.konfluxeaas.com/realms/tenant-a"}
{"level":"debug","ts":"2026-06-15T08:58:29Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"c9f2cdb36f800bc8ef8831e6117ec4c6cc521d8cd63b718b7906225d0f25e59f","namespace":"kuadrant-system"}}
{"level":"info","ts":"2026-06-15T08:58:29Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/7371c34ce8e4df2309ee8f952c87f921947b289427b6e9ea579dcb9970fc1b86"}
{"level":"debug","ts":"2026-06-15T08:58:29Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/5fea747cb803a5ee3aeb620187bd9ec74ccccd10a92474ef528215a7ff146c8f","issuerUrl":"https://keycloak.apps.25fbe405-33b9-4067-aa23-95cf0c2813ef.prod.konfluxeaas.com/realms/tenant-a"}
{"level":"info","ts":"2026-06-15T08:58:29Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/5fea747cb803a5ee3aeb620187bd9ec74ccccd10a92474ef528215a7ff146c8f"}
{"level":"debug","ts":"2026-06-15T08:58:29Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/c9f2cdb36f800bc8ef8831e6117ec4c6cc521d8cd63b718b7906225d0f25e59f","issuerUrl":"https://keycloak.apps.25fbe405-33b9-4067-aa23-95cf0c2813ef.prod.konfluxeaas.com/realms/tenant-a"}
{"level":"debug","ts":"2026-06-15T08:58:29Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d","namespace":"kuadrant-system"}}
{"level":"info","ts":"2026-06-15T08:58:29Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/c9f2cdb36f800bc8ef8831e6117ec4c6cc521d8cd63b718b7906225d0f25e59f"}
{"level":"debug","ts":"2026-06-15T08:58:29Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d","issuerUrl":"https://keycloak.apps.25fbe405-33b9-4067-aa23-95cf0c2813ef.prod.konfluxeaas.com/realms/tenant-a"}
{"level":"debug","ts":"2026-06-15T08:58:29Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"a89b0896df0d8cd430f1c81b6eb292ddc044daed393537d009a6330718f58d4b","namespace":"kuadrant-system"}}
{"level":"info","ts":"2026-06-15T08:58:29Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"}
{"level":"debug","ts":"2026-06-15T08:58:29Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/a89b0896df0d8cd430f1c81b6eb292ddc044daed393537d009a6330718f58d4b","issuerUrl":"https://keycloak.apps.25fbe405-33b9-4067-aa23-95cf0c2813ef.prod.konfluxeaas.com/realms/tenant-a"}
{"level":"debug","ts":"2026-06-15T08:58:29Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5","namespace":"kuadrant-system"}}
{"level":"info","ts":"2026-06-15T08:58:29Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/a89b0896df0d8cd430f1c81b6eb292ddc044daed393537d009a6330718f58d4b"}
{"level":"debug","ts":"2026-06-15T08:58:29Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5","issuerUrl":"https://keycloak.apps.25fbe405-33b9-4067-aa23-95cf0c2813ef.prod.konfluxeaas.com/realms/tenant-a"}
{"level":"debug","ts":"2026-06-15T08:58:29Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"cc09b530b46a73b0d4ddb40e465580cff15db19d77e93e4903c9737647deeb1a","namespace":"kuadrant-system"}}
{"level":"info","ts":"2026-06-15T08:58:29Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5"}
{"level":"debug","ts":"2026-06-15T08:58:29Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/cc09b530b46a73b0d4ddb40e465580cff15db19d77e93e4903c9737647deeb1a","issuerUrl":"https://keycloak.apps.25fbe405-33b9-4067-aa23-95cf0c2813ef.prod.konfluxeaas.com/realms/tenant-a"}
{"level":"debug","ts":"2026-06-15T08:58:29Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"3c0d47082320c9bb02d3788ab2b052c696af91abc2ae438437ae71a26936c7c2","namespace":"kuadrant-system"}}
{"level":"info","ts":"2026-06-15T08:58:29Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/cc09b530b46a73b0d4ddb40e465580cff15db19d77e93e4903c9737647deeb1a"}
{"level":"debug","ts":"2026-06-15T08:58:29Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"4dc577fd60594d78a4a8bebe396f4b5a928f41bdc3f95c06d717cf1ddc3158b2","namespace":"kuadrant-system"}}
{"level":"debug","ts":"2026-06-15T08:58:29Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/3c0d47082320c9bb02d3788ab2b052c696af91abc2ae438437ae71a26936c7c2","issuerUrl":"https://keycloak.apps.25fbe405-33b9-4067-aa23-95cf0c2813ef.prod.konfluxeaas.com/realms/tenant-a"}
{"level":"debug","ts":"2026-06-15T08:58:29Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"3dc75fc8307b952a3e873400cf417e90f2861e8a225abec4b22708deb7901db7","namespace":"kuadrant-system"}}
{"level":"info","ts":"2026-06-15T08:58:29Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/3c0d47082320c9bb02d3788ab2b052c696af91abc2ae438437ae71a26936c7c2"}
{"level":"debug","ts":"2026-06-15T08:58:29Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/4dc577fd60594d78a4a8bebe396f4b5a928f41bdc3f95c06d717cf1ddc3158b2","issuerUrl":"https://keycloak.apps.25fbe405-33b9-4067-aa23-95cf0c2813ef.prod.konfluxeaas.com/realms/tenant-a"}
{"level":"debug","ts":"2026-06-15T08:58:29Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"80f10756c0e833d16937036ed66f1daf5bef95559ef05a5e852766b97b9bdaef","namespace":"kuadrant-system"}}
{"level":"info","ts":"2026-06-15T08:58:29Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/4dc577fd60594d78a4a8bebe396f4b5a928f41bdc3f95c06d717cf1ddc3158b2"}
{"level":"debug","ts":"2026-06-15T08:58:29Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/3dc75fc8307b952a3e873400cf417e90f2861e8a225abec4b22708deb7901db7","issuerUrl":"https://keycloak.apps.25fbe405-33b9-4067-aa23-95cf0c2813ef.prod.konfluxeaas.com/realms/tenant-a"}
{"level":"debug","ts":"2026-06-15T08:58:29Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"d3b195a61a7f24c6bf1fba40f9f2e2565facb6af92e959c1546ac398a9172618","namespace":"kuadrant-system"}}
{"level":"info","ts":"2026-06-15T08:58:29Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/3dc75fc8307b952a3e873400cf417e90f2861e8a225abec4b22708deb7901db7"}
{"level":"debug","ts":"2026-06-15T08:58:29Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"df733b2c652bfe2458c9e19932b1091e939c1a62178d6879462b3b4f73fca4bb","namespace":"kuadrant-system"}}
{"level":"debug","ts":"2026-06-15T08:58:29Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/80f10756c0e833d16937036ed66f1daf5bef95559ef05a5e852766b97b9bdaef","issuerUrl":"https://keycloak.apps.25fbe405-33b9-4067-aa23-95cf0c2813ef.prod.konfluxeaas.com/realms/tenant-a"}
{"level":"info","ts":"2026-06-15T08:58:29Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/80f10756c0e833d16937036ed66f1daf5bef95559ef05a5e852766b97b9bdaef"}
{"level":"debug","ts":"2026-06-15T08:58:29Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"35d34d59676c333235d7c9f02273e0380bb39f27cfd30856fedc0f7c0e5f79aa","namespace":"kuadrant-system"}}
{"level":"debug","ts":"2026-06-15T08:58:29Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/d3b195a61a7f24c6bf1fba40f9f2e2565facb6af92e959c1546ac398a9172618","issuerUrl":"https://keycloak.apps.25fbe405-33b9-4067-aa23-95cf0c2813ef.prod.konfluxeaas.com/realms/tenant-a"}
{"level":"info","ts":"2026-06-15T08:58:29Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/d3b195a61a7f24c6bf1fba40f9f2e2565facb6af92e959c1546ac398a9172618"}
{"level":"debug","ts":"2026-06-15T08:58:29Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/df733b2c652bfe2458c9e19932b1091e939c1a62178d6879462b3b4f73fca4bb","issuerUrl":"https://keycloak.apps.25fbe405-33b9-4067-aa23-95cf0c2813ef.prod.konfluxeaas.com/realms/tenant-a"}
{"level":"debug","ts":"2026-06-15T08:58:29Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"18e32965997cdd9967355c6fa5264ed12c0a215989d459ed88d7d6de02865f76","namespace":"kuadrant-system"}}
{"level":"info","ts":"2026-06-15T08:58:29Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/df733b2c652bfe2458c9e19932b1091e939c1a62178d6879462b3b4f73fca4bb"}
{"level":"debug","ts":"2026-06-15T08:58:29Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"319a353672fc7601c875fa3f8b807adf60b64f093f022b2a1c3dfef3ac8cd4f4","namespace":"kuadrant-system"}}
{"level":"debug","ts":"2026-06-15T08:58:29Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/35d34d59676c333235d7c9f02273e0380bb39f27cfd30856fedc0f7c0e5f79aa","issuerUrl":"https://keycloak.apps.25fbe405-33b9-4067-aa23-95cf0c2813ef.prod.konfluxeaas.com/realms/tenant-a"}
{"level":"debug","ts":"2026-06-15T08:58:29Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"b1f82c4ba6cc7617f9c0b90067f72f4a25fdc5de2564c14ccb90af534a2905f6","namespace":"kuadrant-system"}}
{"level":"info","ts":"2026-06-15T08:58:29Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/35d34d59676c333235d7c9f02273e0380bb39f27cfd30856fedc0f7c0e5f79aa"}
{"level":"debug","ts":"2026-06-15T08:58:29Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/18e32965997cdd9967355c6fa5264ed12c0a215989d459ed88d7d6de02865f76","issuerUrl":"https://keycloak.apps.25fbe405-33b9-4067-aa23-95cf0c2813ef.prod.konfluxeaas.com/realms/tenant-a"}
{"level":"debug","ts":"2026-06-15T08:58:29Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"86cbb62fb4d82d4dc402b3281444539a5625c4bb4c86bbc4912c70e690a2e374","namespace":"kuadrant-system"}}
{"level":"info","ts":"2026-06-15T08:58:29Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/18e32965997cdd9967355c6fa5264ed12c0a215989d459ed88d7d6de02865f76"}
{"level":"debug","ts":"2026-06-15T08:58:29Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/319a353672fc7601c875fa3f8b807adf60b64f093f022b2a1c3dfef3ac8cd4f4","issuerUrl":"https://keycloak.apps.25fbe405-33b9-4067-aa23-95cf0c2813ef.prod.konfluxeaas.com/realms/tenant-a"}
{"level":"info","ts":"2026-06-15T08:58:29Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/319a353672fc7601c875fa3f8b807adf60b64f093f022b2a1c3dfef3ac8cd4f4"}
{"level":"debug","ts":"2026-06-15T08:58:29Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/b1f82c4ba6cc7617f9c0b90067f72f4a25fdc5de2564c14ccb90af534a2905f6","issuerUrl":"https://keycloak.apps.25fbe405-33b9-4067-aa23-95cf0c2813ef.prod.konfluxeaas.com/realms/tenant-a"}
{"level":"info","ts":"2026-06-15T08:58:29Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/b1f82c4ba6cc7617f9c0b90067f72f4a25fdc5de2564c14ccb90af534a2905f6"}
{"level":"debug","ts":"2026-06-15T08:58:29Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/86cbb62fb4d82d4dc402b3281444539a5625c4bb4c86bbc4912c70e690a2e374","issuerUrl":"https://keycloak.apps.25fbe405-33b9-4067-aa23-95cf0c2813ef.prod.konfluxeaas.com/realms/tenant-a"}
{"level":"info","ts":"2026-06-15T08:58:29Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/86cbb62fb4d82d4dc402b3281444539a5625c4bb4c86bbc4912c70e690a2e374"}
{"level":"info","ts":"2026-06-15T08:59:04Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"52bb67e0-b180-4d21-bfbe-1a1b7bfca0a3","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.13:37974","PortSpecifier":{"PortValue":37974}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.39:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"52bb67e0-b180-4d21-bfbe-1a1b7bfca0a3","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.25fbe405-33b9-4067-aa23-95cf0c2813ef.prod.konfluxeaas.com","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-15T08:59:04Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"52bb67e0-b180-4d21-bfbe-1a1b7bfca0a3","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.13:37974","PortSpecifier":{"PortValue":37974}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.39:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781513944,"nanos":293882188},"http":{"id":"52bb67e0-b180-4d21-bfbe-1a1b7bfca0a3","method":"POST","headers":{":authority":"maas.apps.25fbe405-33b9-4067-aa23-95cf0c2813ef.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-15T08:59:04Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"52bb67e0-b180-4d21-bfbe-1a1b7bfca0a3","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781514244,"groups":["Engineering","Project-Alpha"],"iat":1781513944,"iss":"https://keycloak.apps.25fbe405-33b9-4067-aa23-95cf0c2813ef.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:66904350-24e8-d5ec-46c2-ecafefc5a6d8","preferred_username":"alice_lead","scope":"profile email","sid":"dddOZH704xzSv5NqjYfm18XS","sub":"74bd361c-2e2d-4347-8556-40d263fd1a28","typ":"Bearer"}}
{"level":"debug","ts":"2026-06-15T08:59:04Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"52bb67e0-b180-4d21-bfbe-1a1b7bfca0a3","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781514244,"groups":["Engineering","Project-Alpha"],"iat":1781513944,"iss":"https://keycloak.apps.25fbe405-33b9-4067-aa23-95cf0c2813ef.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:66904350-24e8-d5ec-46c2-ecafefc5a6d8","preferred_username":"alice_lead","scope":"profile email","sid":"dddOZH704xzSv5NqjYfm18XS","sub":"74bd361c-2e2d-4347-8556-40d263fd1a28","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.132.0.39:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.25fbe405-33b9-4067-aa23-95cf0c2813ef.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-15T08:59:04Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"52bb67e0-b180-4d21-bfbe-1a1b7bfca0a3","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-15T08:59:04Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"52bb67e0-b180-4d21-bfbe-1a1b7bfca0a3","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-15T08:59:04Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"52bb67e0-b180-4d21-bfbe-1a1b7bfca0a3","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-15T08:59:04Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"52bb67e0-b180-4d21-bfbe-1a1b7bfca0a3","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"subscription_error","Value":{}},{"Name":"userid","Value":{}},{"Name":"groups","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"keyId","Value":{}}]},"Plain":null},"reason":"no such key: metadata"}
{"level":"debug","ts":"2026-06-15T08:59:04Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"52bb67e0-b180-4d21-bfbe-1a1b7bfca0a3","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"}
{"level":"debug","ts":"2026-06-15T08:59:04Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"52bb67e0-b180-4d21-bfbe-1a1b7bfca0a3","config":{"Name":"X-MaaS-Tenant-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Tenant","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"opendatahub"}
{"level":"debug","ts":"2026-06-15T08:59:04Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"52bb67e0-b180-4d21-bfbe-1a1b7bfca0a3","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"}
{"level":"info","ts":"2026-06-15T08:59:04Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"52bb67e0-b180-4d21-bfbe-1a1b7bfca0a3","authorized":true,"response":"OK"}
{"level":"debug","ts":"2026-06-15T08:59:04Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"52bb67e0-b180-4d21-bfbe-1a1b7bfca0a3","authorized":true,"response":"OK"}
{"level":"info","ts":"2026-06-15T08:59:04Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"46b28c4d-050b-475a-b214-c57bb025bd9c","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.13:37984","PortSpecifier":{"PortValue":37984}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.39:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"46b28c4d-050b-475a-b214-c57bb025bd9c","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.25fbe405-33b9-4067-aa23-95cf0c2813ef.prod.konfluxeaas.com","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-15T08:59:04Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"46b28c4d-050b-475a-b214-c57bb025bd9c","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.13:37984","PortSpecifier":{"PortValue":37984}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.39:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781513944,"nanos":457921868},"http":{"id":"46b28c4d-050b-475a-b214-c57bb025bd9c","method":"POST","headers":{":authority":"maas.apps.25fbe405-33b9-4067-aa23-95cf0c2813ef.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-15T08:59:04Z","logger":"authorino.service.auth.authpipeline.identity","msg":"cannot validate identity","request id":"46b28c4d-050b-475a-b214-c57bb025bd9c","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"reason":"failed to verify signature: failed to verify id token signature"}
{"level":"debug","ts":"2026-06-15T08:59:04Z","logger":"authorino.service.auth.authpipeline.identity.kubernetesauth","msg":"calling kubernetes token review api","request id":"46b28c4d-050b-475a-b214-c57bb025bd9c","tokenreview":{"name":""}}
{"level":"debug","ts":"2026-06-15T08:59:04Z","logger":"authorino.service.auth.authpipeline.identity","msg":"cannot validate identity","request id":"46b28c4d-050b-475a-b214-c57bb025bd9c","config":{"Name":"openshift-identities","Priority":2,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":null,"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"Plain":null,"Noop":null,"ExtendedProperties":[]},"reason":"not authenticated"}
{"level":"info","ts":"2026-06-15T08:59:04Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"46b28c4d-050b-475a-b214-c57bb025bd9c","authorized":false,"response":"UNAUTHENTICATED","object":{"code":16,"status":401,"message":"Authentication required"}}
{"level":"debug","ts":"2026-06-15T08:59:04Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"46b28c4d-050b-475a-b214-c57bb025bd9c","authorized":false,"response":"UNAUTHENTICATED","object":{"code":16,"status":401,"message":"Authentication required","headers":[{"WWW-Authenticate":"request.headers.authorization realm=\"api-keys\""},{"WWW-Authenticate":"Bearer **** realm=\"openshift-identities\""}]}}
{"level":"info","ts":"2026-06-15T08:59:04Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"7352a496-1355-424f-9666-ca5edef225d4","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.13:37986","PortSpecifier":{"PortValue":37986}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.39:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"7352a496-1355-424f-9666-ca5edef225d4","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.25fbe405-33b9-4067-aa23-95cf0c2813ef.prod.konfluxeaas.com","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-15T08:59:04Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"7352a496-1355-424f-9666-ca5edef225d4","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.13:37986","PortSpecifier":{"PortValue":37986}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.39:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781513944,"nanos":514590449},"http":{"id":"7352a496-1355-424f-9666-ca5edef225d4","method":"POST","headers":{":authority":"maas.apps.25fbe405-33b9-4067-aa23-95cf0c2813ef.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer","content-length":"35","content-type":"application/json","forwarded":"for=52.71.36.72;host=maas.apps.25fbe405-33b9-4067-aa23-95cf0c2813ef.prod.konfluxeaas.com;proto=https","user-agent":"python-requests/2.32.5","x-envoy-decorator-operation":"maas-api.opendatahub.svc.cluster.local:8443/*","x-envoy-external-address":"10.133.0.13","x-envoy-peer-metadata":"ChoKCkNMVVNURVJfSUQSDBoKS3ViZXJuZXRlcwqLAQoGTEFCRUxTEoABKn4KSwofc2VydmljZS5pc3Rpby5pby9jYW5vbmljYWwtbmFtZRIoGiZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAovCiNzZXJ2aWNlLmlzdGlvLmlvL2Nhbm9uaWNhbC1yZXZpc2lvbhIIGgZsYXRlc3QKQQoETkFNRRI5GjdtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdC04NTU5Y2Q1NzQ0LTViYmZ3CiAKCU5BTUVTUEFDRRITGhFvcGVuc2hpZnQtaW5ncmVzcwp0CgVPV05FUhJrGmlrdWJlcm5ldGVzOi8vYXBpcy9hcHBzL3YxL25hbWVzcGFjZXMvb3BlbnNoaWZ0LWluZ3Jlc3MvZGVwbG95bWVudHMvbWFhcy1kZWZhdWx0LWdhdGV3YXktb3BlbnNoaWZ0LWRlZmF1bHQKOQoNV09SS0xPQURfTkFNRRIoGiZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdA==","x-envoy-peer-metadata-id":"router~10.132.0.39~maas-default-gateway-openshift-default-8559cd5744-5bbfw.openshift-ingress~openshift-ingress.svc.cluster.local","x-forwarded-for":"52.71.36.72,10.133.0.13","x-forwarded-host":"maas.apps.25fbe405-33b9-4067-aa23-95cf0c2813ef.prod.konfluxeaas.com","x-forwarded-port":"443","x-forwarded-proto":"https","x-request-id":"7352a496-1355-424f-9666-ca5edef225d4"},"path":"/maas-api/v1/api-keys","host":"maas.apps.25fbe405-33b9-4067-aa23-95cf0c2813ef.prod.konfluxeaas.com","scheme":"https","protocol":"HTTP/1.1"}},"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"metadata_context":{}}}
{"level":"debug","ts":"2026-06-15T08:59:04Z","logger":"authorino.service.auth.authpipeline.identity","msg":"cannot validate identity","request id":"7352a496-1355-424f-9666-ca5edef225d4","config":{"Name":"openshift-identities","Priority":2,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":null,"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"Plain":null,"Noop":null,"ExtendedProperties":[]},"reason":"credential not found"}
{"level":"info","ts":"2026-06-15T08:59:04Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"7352a496-1355-424f-9666-ca5edef225d4","authorized":false,"response":"UNAUTHENTICATED","object":{"code":16,"status":401,"message":"Authentication required"}}
{"level":"debug","ts":"2026-06-15T08:59:04Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"7352a496-1355-424f-9666-ca5edef225d4","authorized":false,"response":"UNAUTHENTICATED","object":{"code":16,"status":401,"message":"Authentication required","headers":[{"WWW-Authenticate":"request.headers.authorization realm=\"api-keys\""},{"WWW-Authenticate":"Bearer **** realm=\"openshift-identities\""}]}}
{"level":"info","ts":"2026-06-15T08:59:04Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"d76bba2a-638f-46ec-b785-75f1103c9741","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.13:38002","PortSpecifier":{"PortValue":38002}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.39:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"d76bba2a-638f-46ec-b785-75f1103c9741","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.25fbe405-33b9-4067-aa23-95cf0c2813ef.prod.konfluxeaas.com","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-15T08:59:04Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"d76bba2a-638f-46ec-b785-75f1103c9741","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.13:38002","PortSpecifier":{"PortValue":38002}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.39:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781513944,"nanos":539552940},"http":{"id":"d76bba2a-638f-46ec-b785-75f1103c9741","method":"POST","headers":{":authority":"maas.apps.25fbe405-33b9-4067-aa23-95cf0c2813ef.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","content-length":"36","content-type":"application/json","forwarded":"for=52.71.36.72;host=maas.apps.25fbe405-33b9-4067-aa23-95cf0c2813ef.prod.konfluxeaas.com;proto=https","user-agent":"python-requests/2.32.5","x-envoy-decorator-operation":"maas-api.opendatahub.svc.cluster.local:8443/*","x-envoy-external-address":"10.133.0.13","x-envoy-peer-metadata":"ChoKCkNMVVNURVJfSUQSDBoKS3ViZXJuZXRlcwqLAQoGTEFCRUxTEoABKn4KSwofc2VydmljZS5pc3Rpby5pby9jYW5vbmljYWwtbmFtZRIoGiZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAovCiNzZXJ2aWNlLmlzdGlvLmlvL2Nhbm9uaWNhbC1yZXZpc2lvbhIIGgZsYXRlc3QKQQoETkFNRRI5GjdtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdC04NTU5Y2Q1NzQ0LTViYmZ3CiAKCU5BTUVTUEFDRRITGhFvcGVuc2hpZnQtaW5ncmVzcwp0CgVPV05FUhJrGmlrdWJlcm5ldGVzOi8vYXBpcy9hcHBzL3YxL25hbWVzcGFjZXMvb3BlbnNoaWZ0LWluZ3Jlc3MvZGVwbG95bWVudHMvbWFhcy1kZWZhdWx0LWdhdGV3YXktb3BlbnNoaWZ0LWRlZmF1bHQKOQoNV09SS0xPQURfTkFNRRIoGiZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdA==","x-envoy-peer-metadata-id":"router~10.132.0.39~maas-default-gateway-openshift-default-8559cd5744-5bbfw.openshift-ingress~openshift-ingress.svc.cluster.local","x-forwarded-for":"52.71.36.72,10.133.0.13","x-forwarded-host":"maas.apps.25fbe405-33b9-4067-aa23-95cf0c2813ef.prod.konfluxeaas.com","x-forwarded-port":"443","x-forwarded-proto":"https","x-request-id":"d76bba2a-638f-46ec-b785-75f1103c9741"},"path":"/maas-api/v1/api-keys","host":"maas.apps.25fbe405-33b9-4067-aa23-95cf0c2813ef.prod.konfluxeaas.com","scheme":"https","protocol":"HTTP/1.1"}},"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"metadata_context":{}}}
{"level":"info","ts":"2026-06-15T08:59:04Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"d76bba2a-638f-46ec-b785-75f1103c9741","authorized":false,"response":"UNAUTHENTICATED","object":{"code":16,"status":401,"message":"Authentication required"}}
{"level":"debug","ts":"2026-06-15T08:59:04Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"d76bba2a-638f-46ec-b785-75f1103c9741","authorized":false,"response":"UNAUTHENTICATED","object":{"code":16,"status":401,"message":"Authentication required","headers":[{"WWW-Authenticate":"request.headers.authorization realm=\"api-keys\""},{"WWW-Authenticate":"Bearer **** realm=\"openshift-identities\""}]}}
{"level":"info","ts":"2026-06-15T08:59:05Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"6ff93b37-d53b-4685-9f54-2784a5d36778","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.13:38004","PortSpecifier":{"PortValue":38004}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.39:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"6ff93b37-d53b-4685-9f54-2784a5d36778","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.25fbe405-33b9-4067-aa23-95cf0c2813ef.prod.konfluxeaas.com","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-15T08:59:05Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"6ff93b37-d53b-4685-9f54-2784a5d36778","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.13:38004","PortSpecifier":{"PortValue":38004}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.39:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781513945,"nanos":201836402},"http":{"id":"6ff93b37-d53b-4685-9f54-2784a5d36778","method":"POST","headers":{":authority":"maas.apps.25fbe405-33b9-4067-aa23-95cf0c2813ef.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-15T08:59:05Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"6ff93b37-d53b-4685-9f54-2784a5d36778","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781514245,"groups":["Site-Reliability"],"iat":1781513945,"iss":"https://keycloak.apps.25fbe405-33b9-4067-aa23-95cf0c2813ef.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:e079e2f9-6f20-1fd4-8ce6-dc8a4621b955","preferred_username":"bob_sre","scope":"profile email","sid":"9wxJ7hBB-mdfHuAERWL0u0r5","sub":"deddf428-1036-4d80-9c59-b288768f5adb","typ":"Bearer"}}
{"level":"debug","ts":"2026-06-15T08:59:05Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"6ff93b37-d53b-4685-9f54-2784a5d36778","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781514245,"groups":["Site-Reliability"],"iat":1781513945,"iss":"https://keycloak.apps.25fbe405-33b9-4067-aa23-95cf0c2813ef.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:e079e2f9-6f20-1fd4-8ce6-dc8a4621b955","preferred_username":"bob_sre","scope":"profile email","sid":"9wxJ7hBB-mdfHuAERWL0u0r5","sub":"deddf428-1036-4d80-9c59-b288768f5adb","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.132.0.39:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.25fbe405-33b9-4067-aa23-95cf0c2813ef.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-15T08:59:05Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"6ff93b37-d53b-4685-9f54-2784a5d36778","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-15T08:59:05Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"6ff93b37-d53b-4685-9f54-2784a5d36778","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-15T08:59:05Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"6ff93b37-d53b-4685-9f54-2784a5d36778","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-15T08:59:05Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"6ff93b37-d53b-4685-9f54-2784a5d36778","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"subscription_error","Value":{}},{"Name":"userid","Value":{}},{"Name":"groups","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"keyId","Value":{}}]},"Plain":null},"reason":"no such key: metadata"}
{"level":"debug","ts":"2026-06-15T08:59:05Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"6ff93b37-d53b-4685-9f54-2784a5d36778","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Site-Reliability\"]"}
{"level":"debug","ts":"2026-06-15T08:59:05Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"6ff93b37-d53b-4685-9f54-2784a5d36778","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"bob_sre"}
{"level":"debug","ts":"2026-06-15T08:59:05Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"6ff93b37-d53b-4685-9f54-2784a5d36778","config":{"Name":"X-MaaS-Tenant-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Tenant","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"opendatahub"}
{"level":"info","ts":"2026-06-15T08:59:05Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"6ff93b37-d53b-4685-9f54-2784a5d36778","authorized":true,"response":"OK"}
{"level":"debug","ts":"2026-06-15T08:59:05Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"6ff93b37-d53b-4685-9f54-2784a5d36778","authorized":true,"response":"OK"}
{"level":"info","ts":"2026-06-15T08:59:05Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"6f1d14aa-2050-44a9-9e83-244a71a4c9fa","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.13:38012","PortSpecifier":{"PortValue":38012}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.39:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"6f1d14aa-2050-44a9-9e83-244a71a4c9fa","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.25fbe405-33b9-4067-aa23-95cf0c2813ef.prod.konfluxeaas.com","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-15T08:59:05Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"6f1d14aa-2050-44a9-9e83-244a71a4c9fa","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.13:38012","PortSpecifier":{"PortValue":38012}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.39:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781513945,"nanos":584503042},"http":{"id":"6f1d14aa-2050-44a9-9e83-244a71a4c9fa","method":"POST","headers":{":authority":"maas.apps.25fbe405-33b9-4067-aa23-95cf0c2813ef.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-15T08:59:05Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"6f1d14aa-2050-44a9-9e83-244a71a4c9fa","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781514245,"groups":["Engineering","Project-Alpha"],"iat":1781513945,"iss":"https://keycloak.apps.25fbe405-33b9-4067-aa23-95cf0c2813ef.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:42ae97d2-06a6-0e6c-c934-6b5ba444fa27","preferred_username":"alice_lead","scope":"profile email","sid":"6xx9TX4mD6r7_ED7GhWlRgq_","sub":"74bd361c-2e2d-4347-8556-40d263fd1a28","typ":"Bearer"}}
{"level":"debug","ts":"2026-06-15T08:59:05Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"6f1d14aa-2050-44a9-9e83-244a71a4c9fa","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781514245,"groups":["Engineering","Project-Alpha"],"iat":1781513945,"iss":"https://keycloak.apps.25fbe405-33b9-4067-aa23-95cf0c2813ef.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:42ae97d2-06a6-0e6c-c934-6b5ba444fa27","preferred_username":"alice_lead","scope":"profile email","sid":"6xx9TX4mD6r7_ED7GhWlRgq_","sub":"74bd361c-2e2d-4347-8556-40d263fd1a28","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.132.0.39:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.25fbe405-33b9-4067-aa23-95cf0c2813ef.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-15T08:59:05Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"6f1d14aa-2050-44a9-9e83-244a71a4c9fa","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-15T08:59:05Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"6f1d14aa-2050-44a9-9e83-244a71a4c9fa","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-15T08:59:05Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"6f1d14aa-2050-44a9-9e83-244a71a4c9fa","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-15T08:59:05Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"6f1d14aa-2050-44a9-9e83-244a71a4c9fa","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"subscription_error","Value":{}},{"Name":"userid","Value":{}},{"Name":"groups","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"keyId","Value":{}}]},"Plain":null},"reason":"no such key: metadata"}
{"level":"debug","ts":"2026-06-15T08:59:05Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"6f1d14aa-2050-44a9-9e83-244a71a4c9fa","config":{"Name":"X-MaaS-Tenant-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Tenant","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"opendatahub"}
{"level":"debug","ts":"2026-06-15T08:59:05Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"6f1d14aa-2050-44a9-9e83-244a71a4c9fa","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"}
{"level":"debug","ts":"2026-06-15T08:59:05Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"6f1d14aa-2050-44a9-9e83-244a71a4c9fa","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"}
{"level":"info","ts":"2026-06-15T08:59:05Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"6f1d14aa-2050-44a9-9e83-244a71a4c9fa","authorized":true,"response":"OK"}
{"level":"debug","ts":"2026-06-15T08:59:05Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"6f1d14aa-2050-44a9-9e83-244a71a4c9fa","authorized":true,"response":"OK"}
{"level":"info","ts":"2026-06-15T08:59:05Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"9c5a9ab0-e976-4182-b12e-ec6041671f68","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.13:38016","PortSpecifier":{"PortValue":38016}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.39:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"9c5a9ab0-e976-4182-b12e-ec6041671f68","method":"GET","path":"/maas-api/v1/models","host":"maas.apps.25fbe405-33b9-4067-aa23-95cf0c2813ef.prod.konfluxeaas.com","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-15T08:59:05Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"9c5a9ab0-e976-4182-b12e-ec6041671f68","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.13:38016","PortSpecifier":{"PortValue":38016}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.39:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781513945,"nanos":615980700},"http":{"id":"9c5a9ab0-e976-4182-b12e-ec6041671f68","method":"GET","headers":{":authority":"maas.apps.25fbe405-33b9-4067-aa23-95cf0c2813ef.prod.konfluxeaas.com",":method":"GET",":path":"/maas-api/v1/models",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-15T08:59:05Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"9c5a9ab0-e976-4182-b12e-ec6041671f68","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-esFTl2x0UVx2CION_l8meOa7Rx2r3heBOjqDyjojMRHxIyJtLDOkTENCfKi1"}
{"level":"debug","ts":"2026-06-15T08:59:05Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"9c5a9ab0-e976-4182-b12e-ec6041671f68","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-esFTl2x0UVx2CION_l8meOa7Rx2r3heBOjqDyjojMRHxIyJtLDOkTENCfKi1\"}"}
{"level":"debug","ts":"2026-06-15T08:59:05Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"9c5a9ab0-e976-4182-b12e-ec6041671f68","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-15T08:59:05Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"9c5a9ab0-e976-4182-b12e-ec6041671f68","input":{"auth":{"identity":"Bearer **** deflate","authorization":"Bearer **** deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-15T08:59:05Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"9c5a9ab0-e976-4182-b12e-ec6041671f68","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-15T08:59:05Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"9c5a9ab0-e976-4182-b12e-ec6041671f68","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-15T08:59:05Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"9c5a9ab0-e976-4182-b12e-ec6041671f68","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-15T08:59:05Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"9c5a9ab0-e976-4182-b12e-ec6041671f68","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-15T08:59:05Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"9c5a9ab0-e976-4182-b12e-ec6041671f68","config":{"Name":"X-MaaS-Tenant","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-15T08:59:05Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"9c5a9ab0-e976-4182-b12e-ec6041671f68","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-15T08:59:05Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"9c5a9ab0-e976-4182-b12e-ec6041671f68","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"subscription_error","Value":{}},{"Name":"userid","Value":{}},{"Name":"groups","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"keyId","Value":{}}]},"Plain":null},"reason":"no such key: subscription-info"}
{"level":"debug","ts":"2026-06-15T08:59:05Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"9c5a9ab0-e976-4182-b12e-ec6041671f68","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"}
{"level":"info","ts":"2026-06-15T08:59:05Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"9c5a9ab0-e976-4182-b12e-ec6041671f68","authorized":true,"response":"OK"}
{"level":"debug","ts":"2026-06-15T08:59:05Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"9c5a9ab0-e976-4182-b12e-ec6041671f68","authorized":true,"response":"OK"}
{"level":"info","ts":"2026-06-15T08:59:05Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"b937cb49-11a3-4f54-b6f8-329ad29a0b41","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.45:52142","PortSpecifier":{"PortValue":52142}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.39:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"b937cb49-11a3-4f54-b6f8-329ad29a0b41","method":"GET","path":"/llm/facebook-opt-125m-simulated/v1/models","host":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-15T08:59:05Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"b937cb49-11a3-4f54-b6f8-329ad29a0b41","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.45:52142","PortSpecifier":{"PortValue":52142}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.39:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781513945,"nanos":622476675},"http":{"id":"b937cb49-11a3-4f54-b6f8-329ad29a0b41","method":"GET","headers":{":authority":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local",":method":"GET",":path":"/llm/facebook-opt-125m-simulated/v1/models",":scheme":"https","accept-encoding":"gzip","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-15T08:59:05Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"b937cb49-11a3-4f54-b6f8-329ad29a0b41","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-esFTl2x0UVx2CION_l8meOa7Rx2r3heBOjqDyjojMRHxIyJtLDOkTENCfKi1"}
{"level":"debug","ts":"2026-06-15T08:59:05Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"b937cb49-11a3-4f54-b6f8-329ad29a0b41","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-esFTl2x0UVx2CION_l8meOa7Rx2r3heBOjqDyjojMRHxIyJtLDOkTENCfKi1\"}"}
{"level":"debug","ts":"2026-06-15T08:59:05Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"b937cb49-11a3-4f54-b6f8-329ad29a0b41","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-15T08:59:05Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"b937cb49-11a3-4f54-b6f8-329ad29a0b41","config":"subscription-info","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","headers":{"Content-Type":["application/json"]},"body":"{\"groups\":[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"],\"requestedModel\":\"llm/facebook-opt-125m-simulated\",\"requestedSubscription\":\"simulator-subscription\",\"username\":\"alice_lead\"}"}
{"level":"debug","ts":"2026-06-15T08:59:05Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"b937cb49-11a3-4f54-b6f8-329ad29a0b41","config":{"Name":"subscription-info","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"UserInfo":null,"UMA":null,"GenericHTTP":{"Endpoint":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","DynamicEndpoint":null,"Method":"POST","Body":{},"Parameters":[],"Headers":[],"ContentType":"application/json","SharedSecret":"","OAuth2":null,"OAuth2TokenForceFetch":false,"AuthCredentials":null}},"object":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}}
{"level":"debug","ts":"2026-06-15T08:59:05Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"b937cb49-11a3-4f54-b6f8-329ad29a0b41","input":{"auth":{"identity":"Bearer **** subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}}},"context":{"context_extensions":{"host":"3dd75e19cd66d310c30638e330078972afd6d2d96305f91055bc6a6f363fb8d3"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.132.0.39:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local",":method":"GET",":path":"/llm/facebook-opt-125m-simulated/v1/models",":scheme":"https","accept-encoding":"gzip","authorization":"Bearer **** sk-oai-esFTl2x0UVx2CION_l8meOa7Rx2r3heBOjqDyjojMRHxIyJtLDOkTENCfKi1","user-agent":"Go-http-client/1.1","x-envoy-decorator-operation":"facebook-opt-125m-simulated-kserve-workload-svc.llm.svc.cluster.local:8000/*","x-envoy-external-address":"10.132.0.45","x-envoy-peer-metadata":"ChoKCkNMVVNURVJfSUQSDBoKS3ViZXJuZXRlcwqLAQoGTEFCRUxTEoABKn4KSwofc2VydmljZS5pc3Rpby5pby9jYW5vbmljYWwtbmFtZRIoGiZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAovCiNzZXJ2aWNlLmlzdGlvLmlvL2Nhbm9uaWNhbC1yZXZpc2lvbhIIGgZsYXRlc3QKQQoETkFNRRI5GjdtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdC04NTU5Y2Q1NzQ0LTViYmZ3CiAKCU5BTUVTUEFDRRITGhFvcGVuc2hpZnQtaW5ncmVzcwp0CgVPV05FUhJrGmlrdWJlcm5ldGVzOi8vYXBpcy9hcHBzL3YxL25hbWVzcGFjZXMvb3BlbnNoaWZ0LWluZ3Jlc3MvZGVwbG95bWVudHMvbWFhcy1kZWZhdWx0LWdhdGV3YXktb3BlbnNoaWZ0LWRlZmF1bHQKOQoNV09SS0xPQURfTkFNRRIoGiZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdA==","x-envoy-peer-metadata-id":"router~10.132.0.39~maas-default-gateway-openshift-default-8559cd5744-5bbfw.openshift-ingress~openshift-ingress.svc.cluster.local","x-forwarded-for":"10.132.0.45","x-forwarded-proto":"https","x-maas-subscription":"simulator-subscription","x-request-id":"b937cb49-11a3-4f54-b6f8-329ad29a0b41"},"host":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local","id":"b937cb49-11a3-4f54-b6f8-329ad29a0b41","method":"GET","path":"/llm/facebook-opt-125m-simulated/v1/models","protocol":"HTTP/1.1","scheme":"https","time":{"nanos":622476675,"seconds":1781513945},"url_path":"/llm/facebook-opt-125m-simulated/v1/models","user_agent":"Go-http-client/1.1"},"source":{"address":"10.132.0.45:52142","port":52142}}}
{"level":"debug","ts":"2026-06-15T08:59:05Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"b937cb49-11a3-4f54-b6f8-329ad29a0b41","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-15T08:59:05Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"b937cb49-11a3-4f54-b6f8-329ad29a0b41","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-15T08:59:05Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"b937cb49-11a3-4f54-b6f8-329ad29a0b41","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-15T08:59:05Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"b937cb49-11a3-4f54-b6f8-329ad29a0b41","config":{"Name":"subscription-valid","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-15T08:59:05Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"b937cb49-11a3-4f54-b6f8-329ad29a0b41","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-15T08:59:05Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"b937cb49-11a3-4f54-b6f8-329ad29a0b41","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-15T08:59:05Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"b937cb49-11a3-4f54-b6f8-329ad29a0b41","config":{"Name":"X-MaaS-Tenant","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-15T08:59:05Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"b937cb49-11a3-4f54-b6f8-329ad29a0b41","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"}
{"level":"debug","ts":"2026-06-15T08:59:05Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"b937cb49-11a3-4f54-b6f8-329ad29a0b41","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"subscription_error","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"userid","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"groups","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"keyId","Value":{}}]},"Plain":null},"object":{"groups":["system:authenticated","Engineering","Project-Alpha"],"groups_str":"system:authenticated,Engineering,Project-Alpha","keyId":"879e4a7c-3316-49af-9aed-00c3272009c3","selected_subscription":"simulator-subscription","selected_subscription_key":"models-as-a-service/simulator-subscription@llm/facebook-opt-125m-simulated","subscription_error":"","subscription_error_message":"","subscription_info":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true},"userid":"alice_lead"}}
{"level":"info","ts":"2026-06-15T08:59:05Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"b937cb49-11a3-4f54-b6f8-329ad29a0b41","authorized":true,"response":"OK"}
{"level":"debug","ts":"2026-06-15T08:59:05Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"b937cb49-11a3-4f54-b6f8-329ad29a0b41","authorized":true,"response":"OK"}
{"level":"info","ts":"2026-06-15T08:59:05Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"7e556d49-fd12-4432-bd7c-9641eb93f2cc","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.13:38024","PortSpecifier":{"PortValue":38024}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.39:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"7e556d49-fd12-4432-bd7c-9641eb93f2cc","method":"POST","path":"/llm/facebook-opt-125m-simulated/v1/chat/completions","host":"maas.apps.25fbe405-33b9-4067-aa23-95cf0c2813ef.prod.konfluxeaas.com","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-15T08:59:05Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"7e556d49-fd12-4432-bd7c-9641eb93f2cc","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.13:38024","PortSpecifier":{"PortValue":38024}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.39:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781513945,"nanos":658239837},"http":{"id":"7e556d49-fd12-4432-bd7c-9641eb93f2cc","method":"POST","headers":{":authority":"maas.apps.25fbe405-33b9-4067-aa23-95cf0c2813ef.prod.konfluxeaas.com",":method":"POST",":path":"/llm/facebook-opt-125m-simulated/v1/chat/completions",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-15T08:59:05Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"7e556d49-fd12-4432-bd7c-9641eb93f2cc","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-esFTl2x0UVx2CION_l8meOa7Rx2r3heBOjqDyjojMRHxIyJtLDOkTENCfKi1"}
{"level":"debug","ts":"2026-06-15T08:59:05Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"7e556d49-fd12-4432-bd7c-9641eb93f2cc","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-esFTl2x0UVx2CION_l8meOa7Rx2r3heBOjqDyjojMRHxIyJtLDOkTENCfKi1\"}"}
{"level":"debug","ts":"2026-06-15T08:59:05Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"7e556d49-fd12-4432-bd7c-9641eb93f2cc","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-15T08:59:05Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"7e556d49-fd12-4432-bd7c-9641eb93f2cc","config":"subscription-info","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","headers":{"Content-Type":["application/json"]},"body":"{\"groups\":[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"],\"requestedModel\":\"llm/facebook-opt-125m-simulated\",\"requestedSubscription\":\"simulator-subscription\",\"username\":\"alice_lead\"}"}
{"level":"debug","ts":"2026-06-15T08:59:05Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"7e556d49-fd12-4432-bd7c-9641eb93f2cc","config":{"Name":"subscription-info","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"UserInfo":null,"UMA":null,"GenericHTTP":{"Endpoint":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","DynamicEndpoint":null,"Method":"POST","Body":{},"Parameters":[],"Headers":[],"ContentType":"application/json","SharedSecret":"","OAuth2":null,"OAuth2TokenForceFetch":false,"AuthCredentials":null}},"object":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}}
{"level":"debug","ts":"2026-06-15T08:59:05Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"7e556d49-fd12-4432-bd7c-9641eb93f2cc","input":{"auth":{"identity":"Bearer **** subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}}},"context":{"context_extensions":{"host":"18e32965997cdd9967355c6fa5264ed12c0a215989d459ed88d7d6de02865f76"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.132.0.39:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.25fbe405-33b9-4067-aa23-95cf0c2813ef.prod.konfluxeaas.com",":method":"POST",":path":"/llm/facebook-opt-125m-simulated/v1/chat/completions",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-15T08:59:05Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"7e556d49-fd12-4432-bd7c-9641eb93f2cc","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-15T08:59:05Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"7e556d49-fd12-4432-bd7c-9641eb93f2cc","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-15T08:59:05Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"7e556d49-fd12-4432-bd7c-9641eb93f2cc","config":{"Name":"subscription-valid","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-15T08:59:05Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"7e556d49-fd12-4432-bd7c-9641eb93f2cc","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-15T08:59:05Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"7e556d49-fd12-4432-bd7c-9641eb93f2cc","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-15T08:59:05Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"7e556d49-fd12-4432-bd7c-9641eb93f2cc","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-15T08:59:05Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"7e556d49-fd12-4432-bd7c-9641eb93f2cc","config":{"Name":"X-MaaS-Tenant","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-15T08:59:05Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"7e556d49-fd12-4432-bd7c-9641eb93f2cc","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"}
{"level":"debug","ts":"2026-06-15T08:59:05Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"7e556d49-fd12-4432-bd7c-9641eb93f2cc","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"userid","Value":{}},{"Name":"keyId","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"groups","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"selected_subscription","Value":{}}]},"Plain":null},"object":{"groups":["system:authenticated","Engineering","Project-Alpha"],"groups_str":"system:authenticated,Engineering,Project-Alpha","keyId":"879e4a7c-3316-49af-9aed-00c3272009c3","selected_subscription":"simulator-subscription","selected_subscription_key":"models-as-a-service/simulator-subscription@llm/facebook-opt-125m-simulated","subscription_error":"","subscription_error_message":"","subscription_info":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true},"userid":"alice_lead"}}
{"level":"info","ts":"2026-06-15T08:59:05Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"7e556d49-fd12-4432-bd7c-9641eb93f2cc","authorized":true,"response":"OK"}
{"level":"debug","ts":"2026-06-15T08:59:05Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"7e556d49-fd12-4432-bd7c-9641eb93f2cc","authorized":true,"response":"OK"}
{"level":"info","ts":"2026-06-15T08:59:05Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"4c628557-30a1-4f84-b292-3d5a33a8e061","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.13:38028","PortSpecifier":{"PortValue":38028}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.39:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"4c628557-30a1-4f84-b292-3d5a33a8e061","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.25fbe405-33b9-4067-aa23-95cf0c2813ef.prod.konfluxeaas.com","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-15T08:59:05Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"4c628557-30a1-4f84-b292-3d5a33a8e061","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.13:38028","PortSpecifier":{"PortValue":38028}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.39:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781513945,"nanos":821835708},"http":{"id":"4c628557-30a1-4f84-b292-3d5a33a8e061","method":"POST","headers":{":authority":"maas.apps.25fbe405-33b9-4067-aa23-95cf0c2813ef.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-15T08:59:05Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"4c628557-30a1-4f84-b292-3d5a33a8e061","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781514245,"groups":["Engineering","Project-Alpha"],"iat":1781513945,"iss":"https://keycloak.apps.25fbe405-33b9-4067-aa23-95cf0c2813ef.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:7ecd0dd0-456f-6ce4-6311-edb290521b7d","preferred_username":"alice_lead","scope":"profile email","sid":"IyBjO3EHwXu-Oz33FRvm3xpH","sub":"74bd361c-2e2d-4347-8556-40d263fd1a28","typ":"Bearer"}}
{"level":"debug","ts":"2026-06-15T08:59:05Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"4c628557-30a1-4f84-b292-3d5a33a8e061","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781514245,"groups":["Engineering","Project-Alpha"],"iat":1781513945,"iss":"https://keycloak.apps.25fbe405-33b9-4067-aa23-95cf0c2813ef.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:7ecd0dd0-456f-6ce4-6311-edb290521b7d","preferred_username":"alice_lead","scope":"profile email","sid":"IyBjO3EHwXu-Oz33FRvm3xpH","sub":"74bd361c-2e2d-4347-8556-40d263fd1a28","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.132.0.39:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.25fbe405-33b9-4067-aa23-95cf0c2813ef.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-15T08:59:05Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"4c628557-30a1-4f84-b292-3d5a33a8e061","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-15T08:59:05Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"4c628557-30a1-4f84-b292-3d5a33a8e061","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-15T08:59:05Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"4c628557-30a1-4f84-b292-3d5a33a8e061","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-15T08:59:05Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"4c628557-30a1-4f84-b292-3d5a33a8e061","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"subscription_error","Value":{}},{"Name":"userid","Value":{}},{"Name":"groups","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"keyId","Value":{}}]},"Plain":null},"reason":"no such key: metadata"}
{"level":"debug","ts":"2026-06-15T08:59:05Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"4c628557-30a1-4f84-b292-3d5a33a8e061","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"}
{"level":"debug","ts":"2026-06-15T08:59:05Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"4c628557-30a1-4f84-b292-3d5a33a8e061","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"}
{"level":"debug","ts":"2026-06-15T08:59:05Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"4c628557-30a1-4f84-b292-3d5a33a8e061","config":{"Name":"X-MaaS-Tenant-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Tenant","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"opendatahub"}
{"level":"info","ts":"2026-06-15T08:59:05Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"4c628557-30a1-4f84-b292-3d5a33a8e061","authorized":true,"response":"OK"}
{"level":"debug","ts":"2026-06-15T08:59:05Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"4c628557-30a1-4f84-b292-3d5a33a8e061","authorized":true,"response":"OK"}
{"level":"info","ts":"2026-06-15T08:59:05Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"1e7e1647-2c69-4b17-8038-ab19d6bc7130","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.13:38030","PortSpecifier":{"PortValue":38030}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.39:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"1e7e1647-2c69-4b17-8038-ab19d6bc7130","method":"DELETE","path":"/maas-api/v1/api-keys/1311d1ba-5c6e-47b5-be9a-f906f14abc30","host":"maas.apps.25fbe405-33b9-4067-aa23-95cf0c2813ef.prod.konfluxeaas.com","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-15T08:59:05Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"1e7e1647-2c69-4b17-8038-ab19d6bc7130","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.13:38030","PortSpecifier":{"PortValue":38030}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.39:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781513945,"nanos":852931083},"http":{"id":"1e7e1647-2c69-4b17-8038-ab19d6bc7130","method":"DELETE","headers":{":authority":"maas.apps.25fbe405-33b9-4067-aa23-95cf0c2813ef.prod.konfluxeaas.com",":method":"DELETE",":path":"/maas-api/v1/api-keys/1311d1ba-5c6e-47b5-be9a-f906f14abc30",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-15T08:59:05Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"1e7e1647-2c69-4b17-8038-ab19d6bc7130","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781514245,"groups":["Engineering","Project-Alpha"],"iat":1781513945,"iss":"https://keycloak.apps.25fbe405-33b9-4067-aa23-95cf0c2813ef.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:7ecd0dd0-456f-6ce4-6311-edb290521b7d","preferred_username":"alice_lead","scope":"profile email","sid":"IyBjO3EHwXu-Oz33FRvm3xpH","sub":"74bd361c-2e2d-4347-8556-40d263fd1a28","typ":"Bearer"}}
{"level":"debug","ts":"2026-06-15T08:59:05Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"1e7e1647-2c69-4b17-8038-ab19d6bc7130","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781514245,"groups":["Engineering","Project-Alpha"],"iat":1781513945,"iss":"https://keycloak.apps.25fbe405-33b9-4067-aa23-95cf0c2813ef.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:7ecd0dd0-456f-6ce4-6311-edb290521b7d","preferred_username":"alice_lead","scope":"profile email","sid":"IyBjO3EHwXu-Oz33FRvm3xpH","sub":"74bd361c-2e2d-4347-8556-40d263fd1a28","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.132.0.39:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.25fbe405-33b9-4067-aa23-95cf0c2813ef.prod.konfluxeaas.com",":method":"DELETE",":path":"/maas-api/v1/api-keys/1311d1ba-5c6e-47b5-be9a-f906f14abc30",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-15T08:59:05Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"1e7e1647-2c69-4b17-8038-ab19d6bc7130","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-15T08:59:05Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"1e7e1647-2c69-4b17-8038-ab19d6bc7130","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-15T08:59:05Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"1e7e1647-2c69-4b17-8038-ab19d6bc7130","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-15T08:59:05Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"1e7e1647-2c69-4b17-8038-ab19d6bc7130","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"subscription_error","Value":{}},{"Name":"userid","Value":{}},{"Name":"groups","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"keyId","Value":{}}]},"Plain":null},"reason":"no such key: metadata"}
{"level":"debug","ts":"2026-06-15T08:59:05Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"1e7e1647-2c69-4b17-8038-ab19d6bc7130","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"}
{"level":"debug","ts":"2026-06-15T08:59:05Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"1e7e1647-2c69-4b17-8038-ab19d6bc7130","config":{"Name":"X-MaaS-Tenant-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Tenant","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"opendatahub"}
{"level":"debug","ts":"2026-06-15T08:59:05Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"1e7e1647-2c69-4b17-8038-ab19d6bc7130","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"}
{"level":"info","ts":"2026-06-15T08:59:05Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"1e7e1647-2c69-4b17-8038-ab19d6bc7130","authorized":true,"response":"OK"}
{"level":"debug","ts":"2026-06-15T08:59:05Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"1e7e1647-2c69-4b17-8038-ab19d6bc7130","authorized":true,"response":"OK"}
{"level":"info","ts":"2026-06-15T08:59:08Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"253d2d30-27c2-4ac6-a9f3-5997550e6264","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.13:38036","PortSpecifier":{"PortValue":38036}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.39:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"253d2d30-27c2-4ac6-a9f3-5997550e6264","method":"GET","path":"/maas-api/v1/models","host":"maas.apps.25fbe405-33b9-4067-aa23-95cf0c2813ef.prod.konfluxeaas.com","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-15T08:59:08Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"253d2d30-27c2-4ac6-a9f3-5997550e6264","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.13:38036","PortSpecifier":{"PortValue":38036}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.39:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781513948,"nanos":883602487},"http":{"id":"253d2d30-27c2-4ac6-a9f3-5997550e6264","method":"GET","headers":{":authority":"maas.apps.25fbe405-33b9-4067-aa23-95cf0c2813ef.prod.konfluxeaas.com",":method":"GET",":path":"/maas-api/v1/models",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-15T08:59:08Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"253d2d30-27c2-4ac6-a9f3-5997550e6264","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-qgPe6CqR4qfPhBky_PDSkXUlxW0BxeXaPobgFYskRt08ZKQvQ6DyMEiJvCiF"}
{"level":"debug","ts":"2026-06-15T08:59:08Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"253d2d30-27c2-4ac6-a9f3-5997550e6264","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-qgPe6CqR4qfPhBky_PDSkXUlxW0BxeXaPobgFYskRt08ZKQvQ6DyMEiJvCiF\"}"}
{"level":"debug","ts":"2026-06-15T08:59:08Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"253d2d30-27c2-4ac6-a9f3-5997550e6264","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** revoked or expired","valid":false}}
{"level":"debug","ts":"2026-06-15T08:59:08Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"253d2d30-27c2-4ac6-a9f3-5997550e6264","input":{"auth":{"identity":"Bearer **** revoked or expired","valid":false}}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.132.0.39:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.25fbe405-33b9-4067-aa23-95cf0c2813ef.prod.konfluxeaas.com",":method":"GET",":path":"/maas-api/v1/models",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-15T08:59:08Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"253d2d30-27c2-4ac6-a9f3-5997550e6264","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-15T08:59:08Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access denied","request id":"253d2d30-27c2-4ac6-a9f3-5997550e6264","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"reason":"Unauthorized"}
{"level":"info","ts":"2026-06-15T08:59:08Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"253d2d30-27c2-4ac6-a9f3-5997550e6264","authorized":false,"response":"PERMISSION_DENIED","object":{"code":7,"status":403,"message":"Unauthorized"}}
{"level":"debug","ts":"2026-06-15T08:59:08Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"253d2d30-27c2-4ac6-a9f3-5997550e6264","authorized":false,"response":"PERMISSION_DENIED","object":{"code":7,"status":403,"message":"Unauthorized","headers":[{"content-type":"text/plain"},{"x-ext-auth-reason":""}]}}
{"level":"info","ts":"2026-06-15T08:59:09Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"319ff567-0c80-4578-b2a3-a7c13657118f","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.13:38046","PortSpecifier":{"PortValue":38046}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.39:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"319ff567-0c80-4578-b2a3-a7c13657118f","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.25fbe405-33b9-4067-aa23-95cf0c2813ef.prod.konfluxeaas.com","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-15T08:59:09Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"319ff567-0c80-4578-b2a3-a7c13657118f","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.13:38046","PortSpecifier":{"PortValue":38046}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.39:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781513949,"nanos":72733410},"http":{"id":"319ff567-0c80-4578-b2a3-a7c13657118f","method":"POST","headers":{":authority":"maas.apps.25fbe405-33b9-4067-aa23-95cf0c2813ef.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-15T08:59:09Z","logger":"authorino.service.auth.authpipeline.identity","msg":"cannot validate identity","request id":"319ff567-0c80-4578-b2a3-a7c13657118f","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"reason":"failed to verify signature: failed to verify id token signature"}
{"level":"debug","ts":"2026-06-15T08:59:09Z","logger":"authorino.service.auth.authpipeline.identity.kubernetesauth","msg":"calling kubernetes token review api","request id":"319ff567-0c80-4578-b2a3-a7c13657118f","tokenreview":{"name":""}}
{"level":"debug","ts":"2026-06-15T08:59:09Z","logger":"authorino.service.auth.authpipeline.identity","msg":"cannot validate identity","request id":"319ff567-0c80-4578-b2a3-a7c13657118f","config":{"Name":"openshift-identities","Priority":2,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":null,"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"Plain":null,"Noop":null,"ExtendedProperties":[]},"reason":"not authenticated"}
{"level":"info","ts":"2026-06-15T08:59:09Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"319ff567-0c80-4578-b2a3-a7c13657118f","authorized":false,"response":"UNAUTHENTICATED","object":{"code":16,"status":401,"message":"Authentication required"}}
{"level":"debug","ts":"2026-06-15T08:59:09Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"319ff567-0c80-4578-b2a3-a7c13657118f","authorized":false,"response":"UNAUTHENTICATED","object":{"code":16,"status":401,"message":"Authentication required","headers":[{"WWW-Authenticate":"request.headers.authorization realm=\"api-keys\""},{"WWW-Authenticate":"Bearer **** realm=\"openshift-identities\""}]}}
{"level":"info","ts":"2026-06-15T08:59:09Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"686c77df-489a-47ce-b6bc-7df52ec7aeff","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.13:38062","PortSpecifier":{"PortValue":38062}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.39:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"686c77df-489a-47ce-b6bc-7df52ec7aeff","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.25fbe405-33b9-4067-aa23-95cf0c2813ef.prod.konfluxeaas.com","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-15T08:59:09Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"686c77df-489a-47ce-b6bc-7df52ec7aeff","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.13:38062","PortSpecifier":{"PortValue":38062}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.39:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781513949,"nanos":365207880},"http":{"id":"686c77df-489a-47ce-b6bc-7df52ec7aeff","method":"POST","headers":{":authority":"maas.apps.25fbe405-33b9-4067-aa23-95cf0c2813ef.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-15T08:59:09Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"686c77df-489a-47ce-b6bc-7df52ec7aeff","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781514249,"groups":["Engineering","Project-Alpha"],"iat":1781513949,"iss":"https://keycloak.apps.25fbe405-33b9-4067-aa23-95cf0c2813ef.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:b948b0d5-b2a3-151f-0656-7818f92e56b8","preferred_username":"alice_lead","scope":"profile email","sid":"Hf_ht45Cv4MsFbOvKMr61Old","sub":"74bd361c-2e2d-4347-8556-40d263fd1a28","typ":"Bearer"}}
{"level":"debug","ts":"2026-06-15T08:59:09Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"686c77df-489a-47ce-b6bc-7df52ec7aeff","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781514249,"groups":["Engineering","Project-Alpha"],"iat":1781513949,"iss":"https://keycloak.apps.25fbe405-33b9-4067-aa23-95cf0c2813ef.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:b948b0d5-b2a3-151f-0656-7818f92e56b8","preferred_username":"alice_lead","scope":"profile email","sid":"Hf_ht45Cv4MsFbOvKMr61Old","sub":"74bd361c-2e2d-4347-8556-40d263fd1a28","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.132.0.39:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.25fbe405-33b9-4067-aa23-95cf0c2813ef.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-15T08:59:09Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"686c77df-489a-47ce-b6bc-7df52ec7aeff","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-15T08:59:09Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"686c77df-489a-47ce-b6bc-7df52ec7aeff","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-15T08:59:09Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"686c77df-489a-47ce-b6bc-7df52ec7aeff","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-15T08:59:09Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"686c77df-489a-47ce-b6bc-7df52ec7aeff","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"subscription_error","Value":{}},{"Name":"userid","Value":{}},{"Name":"groups","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"keyId","Value":{}}]},"Plain":null},"reason":"no such key: metadata"}
{"level":"debug","ts":"2026-06-15T08:59:09Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"686c77df-489a-47ce-b6bc-7df52ec7aeff","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"}
{"level":"debug","ts":"2026-06-15T08:59:09Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"686c77df-489a-47ce-b6bc-7df52ec7aeff","config":{"Name":"X-MaaS-Tenant-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Tenant","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"opendatahub"}
{"level":"debug","ts":"2026-06-15T08:59:09Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"686c77df-489a-47ce-b6bc-7df52ec7aeff","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"}
{"level":"info","ts":"2026-06-15T08:59:09Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"686c77df-489a-47ce-b6bc-7df52ec7aeff","authorized":true,"response":"OK"}
{"level":"debug","ts":"2026-06-15T08:59:09Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"686c77df-489a-47ce-b6bc-7df52ec7aeff","authorized":true,"response":"OK"}
{"level":"info","ts":"2026-06-15T08:59:09Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"e234f83b-701b-4d45-a6af-5e7eb2fb5529","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.13:38074","PortSpecifier":{"PortValue":38074}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.39:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"e234f83b-701b-4d45-a6af-5e7eb2fb5529","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.25fbe405-33b9-4067-aa23-95cf0c2813ef.prod.konfluxeaas.com","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-15T08:59:09Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"e234f83b-701b-4d45-a6af-5e7eb2fb5529","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.13:38074","PortSpecifier":{"PortValue":38074}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.39:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781513949,"nanos":397610588},"http":{"id":"e234f83b-701b-4d45-a6af-5e7eb2fb5529","method":"POST","headers":{":authority":"maas.apps.25fbe405-33b9-4067-aa23-95cf0c2813ef.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-15T08:59:09Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"e234f83b-701b-4d45-a6af-5e7eb2fb5529","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781514249,"groups":["Site-Reliability"],"iat":1781513949,"iss":"https://keycloak.apps.25fbe405-33b9-4067-aa23-95cf0c2813ef.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:5e4c509a-db74-1e70-0697-180d2faf459a","preferred_username":"bob_sre","scope":"profile email","sid":"Va9T1WDsRuaDX6AfbTCuhQYG","sub":"deddf428-1036-4d80-9c59-b288768f5adb","typ":"Bearer"}}
{"level":"debug","ts":"2026-06-15T08:59:09Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"e234f83b-701b-4d45-a6af-5e7eb2fb5529","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781514249,"groups":["Site-Reliability"],"iat":1781513949,"iss":"https://keycloak.apps.25fbe405-33b9-4067-aa23-95cf0c2813ef.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:5e4c509a-db74-1e70-0697-180d2faf459a","preferred_username":"bob_sre","scope":"profile email","sid":"Va9T1WDsRuaDX6AfbTCuhQYG","sub":"deddf428-1036-4d80-9c59-b288768f5adb","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.132.0.39:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.25fbe405-33b9-4067-aa23-95cf0c2813ef.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-15T08:59:09Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"e234f83b-701b-4d45-a6af-5e7eb2fb5529","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-15T08:59:09Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"e234f83b-701b-4d45-a6af-5e7eb2fb5529","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-15T08:59:09Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"e234f83b-701b-4d45-a6af-5e7eb2fb5529","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-15T08:59:09Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"e234f83b-701b-4d45-a6af-5e7eb2fb5529","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"subscription_error","Value":{}},{"Name":"userid","Value":{}},{"Name":"groups","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"keyId","Value":{}}]},"Plain":null},"reason":"no such key: metadata"}
{"level":"debug","ts":"2026-06-15T08:59:09Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"e234f83b-701b-4d45-a6af-5e7eb2fb5529","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"bob_sre"}
{"level":"debug","ts":"2026-06-15T08:59:09Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"e234f83b-701b-4d45-a6af-5e7eb2fb5529","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Site-Reliability\"]"}
{"level":"debug","ts":"2026-06-15T08:59:09Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"e234f83b-701b-4d45-a6af-5e7eb2fb5529","config":{"Name":"X-MaaS-Tenant-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Tenant","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"opendatahub"}
{"level":"info","ts":"2026-06-15T08:59:09Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"e234f83b-701b-4d45-a6af-5e7eb2fb5529","authorized":true,"response":"OK"}
{"level":"debug","ts":"2026-06-15T08:59:09Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"e234f83b-701b-4d45-a6af-5e7eb2fb5529","authorized":true,"response":"OK"}
{"level":"info","ts":"2026-06-15T08:59:09Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"d167b81c-a823-4494-9680-6ee44157d3a3","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.13:38084","PortSpecifier":{"PortValue":38084}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.39:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"d167b81c-a823-4494-9680-6ee44157d3a3","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.25fbe405-33b9-4067-aa23-95cf0c2813ef.prod.konfluxeaas.com","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-15T08:59:09Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"d167b81c-a823-4494-9680-6ee44157d3a3","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.13:38084","PortSpecifier":{"PortValue":38084}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.39:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781513949,"nanos":553563255},"http":{"id":"d167b81c-a823-4494-9680-6ee44157d3a3","method":"POST","headers":{":authority":"maas.apps.25fbe405-33b9-4067-aa23-95cf0c2813ef.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-15T08:59:09Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"d167b81c-a823-4494-9680-6ee44157d3a3","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781514249,"groups":["Engineering","Project-Alpha"],"iat":1781513949,"iss":"https://keycloak.apps.25fbe405-33b9-4067-aa23-95cf0c2813ef.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:8de8fb11-52c3-ed09-0d1e-8062acab4bd3","preferred_username":"alice_lead","scope":"profile email","sid":"fT1ylqJG6TFGCqh9v4dhJo7R","sub":"74bd361c-2e2d-4347-8556-40d263fd1a28","typ":"Bearer"}}
{"level":"debug","ts":"2026-06-15T08:59:09Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"d167b81c-a823-4494-9680-6ee44157d3a3","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781514249,"groups":["Engineering","Project-Alpha"],"iat":1781513949,"iss":"https://keycloak.apps.25fbe405-33b9-4067-aa23-95cf0c2813ef.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:8de8fb11-52c3-ed09-0d1e-8062acab4bd3","preferred_username":"alice_lead","scope":"profile email","sid":"fT1ylqJG6TFGCqh9v4dhJo7R","sub":"74bd361c-2e2d-4347-8556-40d263fd1a28","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.132.0.39:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.25fbe405-33b9-4067-aa23-95cf0c2813ef.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-15T08:59:09Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"d167b81c-a823-4494-9680-6ee44157d3a3","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-15T08:59:09Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"d167b81c-a823-4494-9680-6ee44157d3a3","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-15T08:59:09Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"d167b81c-a823-4494-9680-6ee44157d3a3","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-15T08:59:09Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"d167b81c-a823-4494-9680-6ee44157d3a3","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"subscription_error","Value":{}},{"Name":"userid","Value":{}},{"Name":"groups","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"keyId","Value":{}}]},"Plain":null},"reason":"no such key: metadata"}
{"level":"debug","ts":"2026-06-15T08:59:09Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"d167b81c-a823-4494-9680-6ee44157d3a3","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"}
{"level":"debug","ts":"2026-06-15T08:59:09Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"d167b81c-a823-4494-9680-6ee44157d3a3","config":{"Name":"X-MaaS-Tenant-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Tenant","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"opendatahub"}
{"level":"debug","ts":"2026-06-15T08:59:09Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"d167b81c-a823-4494-9680-6ee44157d3a3","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"}
{"level":"info","ts":"2026-06-15T08:59:09Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"d167b81c-a823-4494-9680-6ee44157d3a3","authorized":true,"response":"OK"}
{"level":"debug","ts":"2026-06-15T08:59:09Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"d167b81c-a823-4494-9680-6ee44157d3a3","authorized":true,"response":"OK"}
{"level":"info","ts":"2026-06-15T08:59:09Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"f4ef801a-230c-436a-b777-27312aeca2b9","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.13:38094","PortSpecifier":{"PortValue":38094}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.39:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"f4ef801a-230c-436a-b777-27312aeca2b9","method":"DELETE","path":"/maas-api/v1/api-keys/f37f4dc8-606a-4b34-a69e-2ec3b3ba7640","host":"maas.apps.25fbe405-33b9-4067-aa23-95cf0c2813ef.prod.konfluxeaas.com","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-15T08:59:09Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"f4ef801a-230c-436a-b777-27312aeca2b9","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.13:38094","PortSpecifier":{"PortValue":38094}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.39:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781513949,"nanos":583213498},"http":{"id":"f4ef801a-230c-436a-b777-27312aeca2b9","method":"DELETE","headers":{":authority":"maas.apps.25fbe405-33b9-4067-aa23-95cf0c2813ef.prod.konfluxeaas.com",":method":"DELETE",":path":"/maas-api/v1/api-keys/f37f4dc8-606a-4b34-a69e-2ec3b3ba7640",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-15T08:59:09Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"f4ef801a-230c-436a-b777-27312aeca2b9","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781514249,"groups":["Engineering","Project-Alpha"],"iat":1781513949,"iss":"https://keycloak.apps.25fbe405-33b9-4067-aa23-95cf0c2813ef.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:8de8fb11-52c3-ed09-0d1e-8062acab4bd3","preferred_username":"alice_lead","scope":"profile email","sid":"fT1ylqJG6TFGCqh9v4dhJo7R","sub":"74bd361c-2e2d-4347-8556-40d263fd1a28","typ":"Bearer"}}
{"level":"debug","ts":"2026-06-15T08:59:09Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"f4ef801a-230c-436a-b777-27312aeca2b9","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781514249,"groups":["Engineering","Project-Alpha"],"iat":1781513949,"iss":"https://keycloak.apps.25fbe405-33b9-4067-aa23-95cf0c2813ef.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:8de8fb11-52c3-ed09-0d1e-8062acab4bd3","preferred_username":"alice_lead","scope":"profile email","sid":"fT1ylqJG6TFGCqh9v4dhJo7R","sub":"74bd361c-2e2d-4347-8556-40d263fd1a28","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.132.0.39:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.25fbe405-33b9-4067-aa23-95cf0c2813ef.prod.konfluxeaas.com",":method":"DELETE",":path":"/maas-api/v1/api-keys/f37f4dc8-606a-4b34-a69e-2ec3b3ba7640",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-15T08:59:09Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"f4ef801a-230c-436a-b777-27312aeca2b9","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-15T08:59:09Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"f4ef801a-230c-436a-b777-27312aeca2b9","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-15T08:59:09Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"f4ef801a-230c-436a-b777-27312aeca2b9","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-15T08:59:09Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"f4ef801a-230c-436a-b777-27312aeca2b9","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"subscription_error","Value":{}},{"Name":"userid","Value":{}},{"Name":"groups","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"keyId","Value":{}}]},"Plain":null},"reason":"no such key: metadata"}
{"level":"debug","ts":"2026-06-15T08:59:09Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"f4ef801a-230c-436a-b777-27312aeca2b9","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"}
{"level":"debug","ts":"2026-06-15T08:59:09Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"f4ef801a-230c-436a-b777-27312aeca2b9","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"}
{"level":"debug","ts":"2026-06-15T08:59:09Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"f4ef801a-230c-436a-b777-27312aeca2b9","config":{"Name":"X-MaaS-Tenant-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Tenant","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"opendatahub"}
{"level":"info","ts":"2026-06-15T08:59:09Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"f4ef801a-230c-436a-b777-27312aeca2b9","authorized":true,"response":"OK"}
{"level":"debug","ts":"2026-06-15T08:59:09Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"f4ef801a-230c-436a-b777-27312aeca2b9","authorized":true,"response":"OK"}
{"level":"info","ts":"2026-06-15T08:59:09Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"59e8085f-beda-440a-80b1-b075d9907088","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.13:49120","PortSpecifier":{"PortValue":49120}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.39:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"59e8085f-beda-440a-80b1-b075d9907088","method":"DELETE","path":"/maas-api/v1/api-keys/f37f4dc8-606a-4b34-a69e-2ec3b3ba7640","host":"maas.apps.25fbe405-33b9-4067-aa23-95cf0c2813ef.prod.konfluxeaas.com","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-15T08:59:09Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"59e8085f-beda-440a-80b1-b075d9907088","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.13:49120","PortSpecifier":{"PortValue":49120}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.39:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781513949,"nanos":608447177},"http":{"id":"59e8085f-beda-440a-80b1-b075d9907088","method":"DELETE","headers":{":authority":"maas.apps.25fbe405-33b9-4067-aa23-95cf0c2813ef.prod.konfluxeaas.com",":method":"DELETE",":path":"/maas-api/v1/api-keys/f37f4dc8-606a-4b34-a69e-2ec3b3ba7640",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-15T08:59:09Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"59e8085f-beda-440a-80b1-b075d9907088","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781514249,"groups":["Engineering","Project-Alpha"],"iat":1781513949,"iss":"https://keycloak.apps.25fbe405-33b9-4067-aa23-95cf0c2813ef.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:8de8fb11-52c3-ed09-0d1e-8062acab4bd3","preferred_username":"alice_lead","scope":"profile email","sid":"fT1ylqJG6TFGCqh9v4dhJo7R","sub":"74bd361c-2e2d-4347-8556-40d263fd1a28","typ":"Bearer"}}
{"level":"debug","ts":"2026-06-15T08:59:09Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"59e8085f-beda-440a-80b1-b075d9907088","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781514249,"groups":["Engineering","Project-Alpha"],"iat":1781513949,"iss":"https://keycloak.apps.25fbe405-33b9-4067-aa23-95cf0c2813ef.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:8de8fb11-52c3-ed09-0d1e-8062acab4bd3","preferred_username":"alice_lead","scope":"profile email","sid":"fT1ylqJG6TFGCqh9v4dhJo7R","sub":"74bd361c-2e2d-4347-8556-40d263fd1a28","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.132.0.39:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.25fbe405-33b9-4067-aa23-95cf0c2813ef.prod.konfluxeaas.com",":method":"DELETE",":path":"/maas-api/v1/api-keys/f37f4dc8-606a-4b34-a69e-2ec3b3ba7640",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-15T08:59:09Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"59e8085f-beda-440a-80b1-b075d9907088","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-15T08:59:09Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"59e8085f-beda-440a-80b1-b075d9907088","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-15T08:59:09Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"59e8085f-beda-440a-80b1-b075d9907088","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-15T08:59:09Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"59e8085f-beda-440a-80b1-b075d9907088","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"subscription_error","Value":{}},{"Name":"userid","Value":{}},{"Name":"groups","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"keyId","Value":{}}]},"Plain":null},"reason":"no such key: metadata"}
{"level":"debug","ts":"2026-06-15T08:59:09Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"59e8085f-beda-440a-80b1-b075d9907088","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"}
{"level":"debug","ts":"2026-06-15T08:59:09Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"59e8085f-beda-440a-80b1-b075d9907088","config":{"Name":"X-MaaS-Tenant-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Tenant","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"opendatahub"}
{"level":"debug","ts":"2026-06-15T08:59:09Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"59e8085f-beda-440a-80b1-b075d9907088","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"}
{"level":"info","ts":"2026-06-15T08:59:09Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"59e8085f-beda-440a-80b1-b075d9907088","authorized":true,"response":"OK"}
{"level":"debug","ts":"2026-06-15T08:59:09Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"59e8085f-beda-440a-80b1-b075d9907088","authorized":true,"response":"OK"}
{"level":"info","ts":"2026-06-15T08:59:09Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"2db5a310-f68a-481b-ac4e-73f6f35967fd","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.13:49126","PortSpecifier":{"PortValue":49126}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.39:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"2db5a310-f68a-481b-ac4e-73f6f35967fd","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.25fbe405-33b9-4067-aa23-95cf0c2813ef.prod.konfluxeaas.com","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-15T08:59:09Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"2db5a310-f68a-481b-ac4e-73f6f35967fd","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.13:49126","PortSpecifier":{"PortValue":49126}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.39:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781513949,"nanos":760338251},"http":{"id":"2db5a310-f68a-481b-ac4e-73f6f35967fd","method":"POST","headers":{":authority":"maas.apps.25fbe405-33b9-4067-aa23-95cf0c2813ef.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-15T08:59:09Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"2db5a310-f68a-481b-ac4e-73f6f35967fd","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781514249,"groups":["Engineering","Project-Alpha"],"iat":1781513949,"iss":"https://keycloak.apps.25fbe405-33b9-4067-aa23-95cf0c2813ef.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:cfba23e2-98d2-b844-70ac-0488267a5eca","preferred_username":"alice_lead","scope":"profile email","sid":"IzpuIPggNegE4mZarOrdlOFd","sub":"74bd361c-2e2d-4347-8556-40d263fd1a28","typ":"Bearer"}}
{"level":"debug","ts":"2026-06-15T08:59:09Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"2db5a310-f68a-481b-ac4e-73f6f35967fd","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781514249,"groups":["Engineering","Project-Alpha"],"iat":1781513949,"iss":"https://keycloak.apps.25fbe405-33b9-4067-aa23-95cf0c2813ef.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:cfba23e2-98d2-b844-70ac-0488267a5eca","preferred_username":"alice_lead","scope":"profile email","sid":"IzpuIPggNegE4mZarOrdlOFd","sub":"74bd361c-2e2d-4347-8556-40d263fd1a28","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.132.0.39:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.25fbe405-33b9-4067-aa23-95cf0c2813ef.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-15T08:59:09Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"2db5a310-f68a-481b-ac4e-73f6f35967fd","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-15T08:59:09Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"2db5a310-f68a-481b-ac4e-73f6f35967fd","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-15T08:59:09Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"2db5a310-f68a-481b-ac4e-73f6f35967fd","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-15T08:59:09Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"2db5a310-f68a-481b-ac4e-73f6f35967fd","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"subscription_error","Value":{}},{"Name":"userid","Value":{}},{"Name":"groups","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"keyId","Value":{}}]},"Plain":null},"reason":"no such key: metadata"}
{"level":"debug","ts":"2026-06-15T08:59:09Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"2db5a310-f68a-481b-ac4e-73f6f35967fd","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"}
{"level":"debug","ts":"2026-06-15T08:59:09Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"2db5a310-f68a-481b-ac4e-73f6f35967fd","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"}
{"level":"debug","ts":"2026-06-15T08:59:09Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"2db5a310-f68a-481b-ac4e-73f6f35967fd","config":{"Name":"X-MaaS-Tenant-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Tenant","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"opendatahub"}
{"level":"info","ts":"2026-06-15T08:59:09Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"2db5a310-f68a-481b-ac4e-73f6f35967fd","authorized":true,"response":"OK"}
{"level":"debug","ts":"2026-06-15T08:59:09Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"2db5a310-f68a-481b-ac4e-73f6f35967fd","authorized":true,"response":"OK"}
{"level":"info","ts":"2026-06-15T08:59:09Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"892db454-c128-42fc-aff1-c028f80475d1","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.13:49138","PortSpecifier":{"PortValue":49138}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.39:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"892db454-c128-42fc-aff1-c028f80475d1","method":"GET","path":"/maas-api/v1/models","host":"maas.apps.25fbe405-33b9-4067-aa23-95cf0c2813ef.prod.konfluxeaas.com","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-15T08:59:09Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"892db454-c128-42fc-aff1-c028f80475d1","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.13:49138","PortSpecifier":{"PortValue":49138}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.39:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781513949,"nanos":789315264},"http":{"id":"892db454-c128-42fc-aff1-c028f80475d1","method":"GET","headers":{":authority":"maas.apps.25fbe405-33b9-4067-aa23-95cf0c2813ef.prod.konfluxeaas.com",":method":"GET",":path":"/maas-api/v1/models",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-15T08:59:09Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"892db454-c128-42fc-aff1-c028f80475d1","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-OUVjfJeROthppvyv_JkPNmBNQeyqLAdoCuG6Rc24XU30s6Cs2kvJvlq5bOKx"}
{"level":"debug","ts":"2026-06-15T08:59:09Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"892db454-c128-42fc-aff1-c028f80475d1","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-OUVjfJeROthppvyv_JkPNmBNQeyqLAdoCuG6Rc24XU30s6Cs2kvJvlq5bOKx\"}"}
{"level":"debug","ts":"2026-06-15T08:59:09Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"892db454-c128-42fc-aff1-c028f80475d1","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-15T08:59:09Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"892db454-c128-42fc-aff1-c028f80475d1","input":{"auth":{"identity":"Bearer **** deflate","authorization":"Bearer **** deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-15T08:59:09Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"892db454-c128-42fc-aff1-c028f80475d1","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-15T08:59:09Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"892db454-c128-42fc-aff1-c028f80475d1","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-15T08:59:09Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"892db454-c128-42fc-aff1-c028f80475d1","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-15T08:59:09Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"892db454-c128-42fc-aff1-c028f80475d1","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-15T08:59:09Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"892db454-c128-42fc-aff1-c028f80475d1","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-15T08:59:09Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"892db454-c128-42fc-aff1-c028f80475d1","config":{"Name":"X-MaaS-Tenant","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-15T08:59:09Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"892db454-c128-42fc-aff1-c028f80475d1","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"subscription_error","Value":{}},{"Name":"userid","Value":{}},{"Name":"groups","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"keyId","Value":{}}]},"Plain":null},"reason":"no such key: subscription-info"}
{"level":"debug","ts":"2026-06-15T08:59:09Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"892db454-c128-42fc-aff1-c028f80475d1","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"}
{"level":"info","ts":"2026-06-15T08:59:09Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"892db454-c128-42fc-aff1-c028f80475d1","authorized":true,"response":"OK"}
{"level":"debug","ts":"2026-06-15T08:59:09Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"892db454-c128-42fc-aff1-c028f80475d1","authorized":true,"response":"OK"}
{"level":"info","ts":"2026-06-15T08:59:09Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"646a4054-d03a-43e1-a6d4-2dc82f45977e","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.45:52142","PortSpecifier":{"PortValue":52142}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.39:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"646a4054-d03a-43e1-a6d4-2dc82f45977e","method":"GET","path":"/llm/facebook-opt-125m-simulated/v1/models","host":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-15T08:59:09Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"646a4054-d03a-43e1-a6d4-2dc82f45977e","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.45:52142","PortSpecifier":{"PortValue":52142}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.39:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781513949,"nanos":795490276},"http":{"id":"646a4054-d03a-43e1-a6d4-2dc82f45977e","method":"GET","headers":{":authority":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local",":method":"GET",":path":"/llm/facebook-opt-125m-simulated/v1/models",":scheme":"https","accept-encoding":"gzip","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-15T08:59:09Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"646a4054-d03a-43e1-a6d4-2dc82f45977e","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-OUVjfJeROthppvyv_JkPNmBNQeyqLAdoCuG6Rc24XU30s6Cs2kvJvlq5bOKx"}
{"level":"debug","ts":"2026-06-15T08:59:09Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"646a4054-d03a-43e1-a6d4-2dc82f45977e","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-OUVjfJeROthppvyv_JkPNmBNQeyqLAdoCuG6Rc24XU30s6Cs2kvJvlq5bOKx\"}"}
{"level":"debug","ts":"2026-06-15T08:59:09Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"646a4054-d03a-43e1-a6d4-2dc82f45977e","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-15T08:59:09Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"646a4054-d03a-43e1-a6d4-2dc82f45977e","config":"subscription-info","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","headers":{"Content-Type":["application/json"]},"body":"{\"groups\":[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"],\"requestedModel\":\"llm/facebook-opt-125m-simulated\",\"requestedSubscription\":\"simulator-subscription\",\"username\":\"alice_lead\"}"}
{"level":"debug","ts":"2026-06-15T08:59:09Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"646a4054-d03a-43e1-a6d4-2dc82f45977e","config":{"Name":"subscription-info","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"UserInfo":null,"UMA":null,"GenericHTTP":{"Endpoint":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","DynamicEndpoint":null,"Method":"POST","Body":{},"Parameters":[],"Headers":[],"ContentType":"application/json","SharedSecret":"","OAuth2":null,"OAuth2TokenForceFetch":false,"AuthCredentials":null}},"object":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}}
{"level":"debug","ts":"2026-06-15T08:59:09Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"646a4054-d03a-43e1-a6d4-2dc82f45977e","input":{"auth":{"identity":"Bearer **** subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}}},"context":{"context_extensions":{"host":"3dd75e19cd66d310c30638e330078972afd6d2d96305f91055bc6a6f363fb8d3"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.132.0.39:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local",":method":"GET",":path":"/llm/facebook-opt-125m-simulated/v1/models",":scheme":"https","accept-encoding":"gzip","authorization":"Bearer **** sk-oai-OUVjfJeROthppvyv_JkPNmBNQeyqLAdoCuG6Rc24XU30s6Cs2kvJvlq5bOKx","user-agent":"Go-http-client/1.1","x-envoy-decorator-operation":"facebook-opt-125m-simulated-kserve-workload-svc.llm.svc.cluster.local:8000/*","x-envoy-external-address":"10.132.0.45","x-envoy-peer-metadata":"ChoKCkNMVVNURVJfSUQSDBoKS3ViZXJuZXRlcwqLAQoGTEFCRUxTEoABKn4KSwofc2VydmljZS5pc3Rpby5pby9jYW5vbmljYWwtbmFtZRIoGiZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAovCiNzZXJ2aWNlLmlzdGlvLmlvL2Nhbm9uaWNhbC1yZXZpc2lvbhIIGgZsYXRlc3QKQQoETkFNRRI5GjdtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdC04NTU5Y2Q1NzQ0LTViYmZ3CiAKCU5BTUVTUEFDRRITGhFvcGVuc2hpZnQtaW5ncmVzcwp0CgVPV05FUhJrGmlrdWJlcm5ldGVzOi8vYXBpcy9hcHBzL3YxL25hbWVzcGFjZXMvb3BlbnNoaWZ0LWluZ3Jlc3MvZGVwbG95bWVudHMvbWFhcy1kZWZhdWx0LWdhdGV3YXktb3BlbnNoaWZ0LWRlZmF1bHQKOQoNV09SS0xPQURfTkFNRRIoGiZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdA==","x-envoy-peer-metadata-id":"router~10.132.0.39~maas-default-gateway-openshift-default-8559cd5744-5bbfw.openshift-ingress~openshift-ingress.svc.cluster.local","x-forwarded-for":"10.132.0.45","x-forwarded-proto":"https","x-maas-subscription":"simulator-subscription","x-request-id":"646a4054-d03a-43e1-a6d4-2dc82f45977e"},"host":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local","id":"646a4054-d03a-43e1-a6d4-2dc82f45977e","method":"GET","path":"/llm/facebook-opt-125m-simulated/v1/models","protocol":"HTTP/1.1","scheme":"https","time":{"nanos":795490276,"seconds":1781513949},"url_path":"/llm/facebook-opt-125m-simulated/v1/models","user_agent":"Go-http-client/1.1"},"source":{"address":"10.132.0.45:52142","port":52142}}}
{"level":"debug","ts":"2026-06-15T08:59:09Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"646a4054-d03a-43e1-a6d4-2dc82f45977e","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-15T08:59:09Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"646a4054-d03a-43e1-a6d4-2dc82f45977e","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-15T08:59:09Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"646a4054-d03a-43e1-a6d4-2dc82f45977e","config":{"Name":"subscription-valid","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-15T08:59:09Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"646a4054-d03a-43e1-a6d4-2dc82f45977e","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-15T08:59:09Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"646a4054-d03a-43e1-a6d4-2dc82f45977e","config":{"Name":"X-MaaS-Tenant","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-15T08:59:09Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"646a4054-d03a-43e1-a6d4-2dc82f45977e","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-15T08:59:09Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"646a4054-d03a-43e1-a6d4-2dc82f45977e","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-15T08:59:09Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"646a4054-d03a-43e1-a6d4-2dc82f45977e","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"}
{"level":"debug","ts":"2026-06-15T08:59:09Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"646a4054-d03a-43e1-a6d4-2dc82f45977e","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"subscription_error","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"userid","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"groups","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"keyId","Value":{}}]},"Plain":null},"object":{"groups":["system:authenticated","Engineering","Project-Alpha"],"groups_str":"system:authenticated,Engineering,Project-Alpha","keyId":"227fdd0a-ad51-4771-9c02-6ee71651a578","selected_subscription":"simulator-subscription","selected_subscription_key":"models-as-a-service/simulator-subscription@llm/facebook-opt-125m-simulated","subscription_error":"","subscription_error_message":"","subscription_info":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true},"userid":"alice_lead"}}
{"level":"info","ts":"2026-06-15T08:59:09Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"646a4054-d03a-43e1-a6d4-2dc82f45977e","authorized":true,"response":"OK"}
{"level":"debug","ts":"2026-06-15T08:59:09Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"646a4054-d03a-43e1-a6d4-2dc82f45977e","authorized":true,"response":"OK"}
{"level":"info","ts":"2026-06-15T08:59:09Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"4b7f0150-060a-42f1-b49d-be20fc1e6bc4","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.13:49152","PortSpecifier":{"PortValue":49152}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.39:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"4b7f0150-060a-42f1-b49d-be20fc1e6bc4","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.25fbe405-33b9-4067-aa23-95cf0c2813ef.prod.konfluxeaas.com","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-15T08:59:09Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"4b7f0150-060a-42f1-b49d-be20fc1e6bc4","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.13:49152","PortSpecifier":{"PortValue":49152}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.39:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781513949,"nanos":949826994},"http":{"id":"4b7f0150-060a-42f1-b49d-be20fc1e6bc4","method":"POST","headers":{":authority":"maas.apps.25fbe405-33b9-4067-aa23-95cf0c2813ef.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-15T08:59:09Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"4b7f0150-060a-42f1-b49d-be20fc1e6bc4","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781514249,"groups":["Engineering","Project-Alpha"],"iat":1781513949,"iss":"https://keycloak.apps.25fbe405-33b9-4067-aa23-95cf0c2813ef.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:7199de98-95ae-ec3a-6773-5c8ff6b63434","preferred_username":"alice_lead","scope":"profile email","sid":"9se4-oSw9wEisnMwAkKS1QGa","sub":"74bd361c-2e2d-4347-8556-40d263fd1a28","typ":"Bearer"}}
{"level":"debug","ts":"2026-06-15T08:59:09Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"4b7f0150-060a-42f1-b49d-be20fc1e6bc4","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781514249,"groups":["Engineering","Project-Alpha"],"iat":1781513949,"iss":"https://keycloak.apps.25fbe405-33b9-4067-aa23-95cf0c2813ef.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:7199de98-95ae-ec3a-6773-5c8ff6b63434","preferred_username":"alice_lead","scope":"profile email","sid":"9se4-oSw9wEisnMwAkKS1QGa","sub":"74bd361c-2e2d-4347-8556-40d263fd1a28","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.132.0.39:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.25fbe405-33b9-4067-aa23-95cf0c2813ef.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-15T08:59:09Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"4b7f0150-060a-42f1-b49d-be20fc1e6bc4","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-15T08:59:09Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"4b7f0150-060a-42f1-b49d-be20fc1e6bc4","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-15T08:59:09Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"4b7f0150-060a-42f1-b49d-be20fc1e6bc4","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-15T08:59:09Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"4b7f0150-060a-42f1-b49d-be20fc1e6bc4","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"subscription_error","Value":{}},{"Name":"userid","Value":{}},{"Name":"groups","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"keyId","Value":{}}]},"Plain":null},"reason":"no such key: metadata"}
{"level":"debug","ts":"2026-06-15T08:59:09Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"4b7f0150-060a-42f1-b49d-be20fc1e6bc4","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"}
{"level":"debug","ts":"2026-06-15T08:59:09Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"4b7f0150-060a-42f1-b49d-be20fc1e6bc4","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"}
{"level":"debug","ts":"2026-06-15T08:59:09Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"4b7f0150-060a-42f1-b49d-be20fc1e6bc4","config":{"Name":"X-MaaS-Tenant-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Tenant","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"opendatahub"}
{"level":"info","ts":"2026-06-15T08:59:09Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"4b7f0150-060a-42f1-b49d-be20fc1e6bc4","authorized":true,"response":"OK"}
{"level":"debug","ts":"2026-06-15T08:59:09Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"4b7f0150-060a-42f1-b49d-be20fc1e6bc4","authorized":true,"response":"OK"}
{"level":"info","ts":"2026-06-15T08:59:09Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"77ef7d89-c087-4ed5-8b8c-5fa996257caa","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.13:49168","PortSpecifier":{"PortValue":49168}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.39:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"77ef7d89-c087-4ed5-8b8c-5fa996257caa","method":"GET","path":"/maas-api/v1/models","host":"maas.apps.25fbe405-33b9-4067-aa23-95cf0c2813ef.prod.konfluxeaas.com","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-15T08:59:09Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"77ef7d89-c087-4ed5-8b8c-5fa996257caa","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.13:49168","PortSpecifier":{"PortValue":49168}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.39:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781513949,"nanos":978185378},"http":{"id":"77ef7d89-c087-4ed5-8b8c-5fa996257caa","method":"GET","headers":{":authority":"maas.apps.25fbe405-33b9-4067-aa23-95cf0c2813ef.prod.konfluxeaas.com",":method":"GET",":path":"/maas-api/v1/models",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-15T08:59:09Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"77ef7d89-c087-4ed5-8b8c-5fa996257caa","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-1f1QL6yaA3kM9dWEj_2JUj9bRMVDSZ2SY4GtvwKPPn5j7pNXTaMv5Ix80Cv05"}
{"level":"debug","ts":"2026-06-15T08:59:09Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"77ef7d89-c087-4ed5-8b8c-5fa996257caa","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-1f1QL6yaA3kM9dWEj_2JUj9bRMVDSZ2SY4GtvwKPPn5j7pNXTaMv5Ix80Cv05\"}"}
{"level":"debug","ts":"2026-06-15T08:59:09Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"77ef7d89-c087-4ed5-8b8c-5fa996257caa","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-15T08:59:09Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"77ef7d89-c087-4ed5-8b8c-5fa996257caa","input":{"auth":{"identity":"Bearer **** deflate","authorization":"Bearer **** deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-15T08:59:09Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"77ef7d89-c087-4ed5-8b8c-5fa996257caa","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-15T08:59:09Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"77ef7d89-c087-4ed5-8b8c-5fa996257caa","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-15T08:59:09Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"77ef7d89-c087-4ed5-8b8c-5fa996257caa","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-15T08:59:09Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"77ef7d89-c087-4ed5-8b8c-5fa996257caa","config":{"Name":"X-MaaS-Tenant","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-15T08:59:09Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"77ef7d89-c087-4ed5-8b8c-5fa996257caa","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-15T08:59:09Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"77ef7d89-c087-4ed5-8b8c-5fa996257caa","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-15T08:59:09Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"77ef7d89-c087-4ed5-8b8c-5fa996257caa","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"subscription_error","Value":{}},{"Name":"userid","Value":{}},{"Name":"groups","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"keyId","Value":{}}]},"Plain":null},"reason":"no such key: subscription-info"}
{"level":"debug","ts":"2026-06-15T08:59:09Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"77ef7d89-c087-4ed5-8b8c-5fa996257caa","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"}
{"level":"info","ts":"2026-06-15T08:59:09Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"77ef7d89-c087-4ed5-8b8c-5fa996257caa","authorized":true,"response":"OK"}
{"level":"debug","ts":"2026-06-15T08:59:09Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"77ef7d89-c087-4ed5-8b8c-5fa996257caa","authorized":true,"response":"OK"}
{"level":"info","ts":"2026-06-15T08:59:10Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"29c6ff62-8860-49f8-968d-b372dd50c02b","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.13:49184","PortSpecifier":{"PortValue":49184}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.39:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"29c6ff62-8860-49f8-968d-b372dd50c02b","method":"GET","path":"/maas-api/v1/models","host":"maas.apps.25fbe405-33b9-4067-aa23-95cf0c2813ef.prod.konfluxeaas.com","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-15T08:59:10Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"29c6ff62-8860-49f8-968d-b372dd50c02b","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.13:49184","PortSpecifier":{"PortValue":49184}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.39:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781513950,"nanos":6061344},"http":{"id":"29c6ff62-8860-49f8-968d-b372dd50c02b","method":"GET","headers":{":authority":"maas.apps.25fbe405-33b9-4067-aa23-95cf0c2813ef.prod.konfluxeaas.com",":method":"GET",":path":"/maas-api/v1/models",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-15T08:59:10Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"29c6ff62-8860-49f8-968d-b372dd50c02b","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-1f1QL6yaA3kM9dWEj_2JUj9bRMVDSZ2SY4GtvwKPPn5j7pNXTaMv5Ix80Cv05"}
{"level":"debug","ts":"2026-06-15T08:59:10Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"29c6ff62-8860-49f8-968d-b372dd50c02b","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-1f1QL6yaA3kM9dWEj_2JUj9bRMVDSZ2SY4GtvwKPPn5j7pNXTaMv5Ix80Cv05\"}"}
{"level":"debug","ts":"2026-06-15T08:59:10Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"29c6ff62-8860-49f8-968d-b372dd50c02b","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-15T08:59:10Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"29c6ff62-8860-49f8-968d-b372dd50c02b","input":{"auth":{"identity":"Bearer **** deflate","authorization":"Bearer **** deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-15T08:59:10Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"29c6ff62-8860-49f8-968d-b372dd50c02b","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-15T08:59:10Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"29c6ff62-8860-49f8-968d-b372dd50c02b","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-15T08:59:10Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"29c6ff62-8860-49f8-968d-b372dd50c02b","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-15T08:59:10Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"29c6ff62-8860-49f8-968d-b372dd50c02b","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-15T08:59:10Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"29c6ff62-8860-49f8-968d-b372dd50c02b","config":{"Name":"X-MaaS-Tenant","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-15T08:59:10Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"29c6ff62-8860-49f8-968d-b372dd50c02b","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-15T08:59:10Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"29c6ff62-8860-49f8-968d-b372dd50c02b","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"subscription_error","Value":{}},{"Name":"userid","Value":{}},{"Name":"groups","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"keyId","Value":{}}]},"Plain":null},"reason":"no such key: subscription-info"}
{"level":"debug","ts":"2026-06-15T08:59:10Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"29c6ff62-8860-49f8-968d-b372dd50c02b","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"}
{"level":"info","ts":"2026-06-15T08:59:10Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"29c6ff62-8860-49f8-968d-b372dd50c02b","authorized":true,"response":"OK"}
{"level":"debug","ts":"2026-06-15T08:59:10Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"29c6ff62-8860-49f8-968d-b372dd50c02b","authorized":true,"response":"OK"}
{"level":"info","ts":"2026-06-15T08:59:10Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"4f56b55b-7c6a-431b-bb2a-c21a066f6de2","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.45:52142","PortSpecifier":{"PortValue":52142}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.39:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"4f56b55b-7c6a-431b-bb2a-c21a066f6de2","method":"GET","path":"/llm/facebook-opt-125m-simulated/v1/models","host":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-15T08:59:10Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"4f56b55b-7c6a-431b-bb2a-c21a066f6de2","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.45:52142","PortSpecifier":{"PortValue":52142}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.39:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781513950,"nanos":12231706},"http":{"id":"4f56b55b-7c6a-431b-bb2a-c21a066f6de2","method":"GET","headers":{":authority":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local",":method":"GET",":path":"/llm/facebook-opt-125m-simulated/v1/models",":scheme":"https","accept-encoding":"gzip","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-15T08:59:10Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"4f56b55b-7c6a-431b-bb2a-c21a066f6de2","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-1f1QL6yaA3kM9dWEj_2JUj9bRMVDSZ2SY4GtvwKPPn5j7pNXTaMv5Ix80Cv05"}
{"level":"debug","ts":"2026-06-15T08:59:10Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"4f56b55b-7c6a-431b-bb2a-c21a066f6de2","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-1f1QL6yaA3kM9dWEj_2JUj9bRMVDSZ2SY4GtvwKPPn5j7pNXTaMv5Ix80Cv05\"}"}
{"level":"debug","ts":"2026-06-15T08:59:10Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"4f56b55b-7c6a-431b-bb2a-c21a066f6de2","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-15T08:59:10Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"4f56b55b-7c6a-431b-bb2a-c21a066f6de2","config":"subscription-info","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","headers":{"Content-Type":["application/json"]},"body":"{\"groups\":[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"],\"requestedModel\":\"llm/facebook-opt-125m-simulated\",\"requestedSubscription\":\"simulator-subscription\",\"username\":\"alice_lead\"}"}
{"level":"debug","ts":"2026-06-15T08:59:10Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"4f56b55b-7c6a-431b-bb2a-c21a066f6de2","config":{"Name":"subscription-info","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"UserInfo":null,"UMA":null,"GenericHTTP":{"Endpoint":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","DynamicEndpoint":null,"Method":"POST","Body":{},"Parameters":[],"Headers":[],"ContentType":"application/json","SharedSecret":"","OAuth2":null,"OAuth2TokenForceFetch":false,"AuthCredentials":null}},"object":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}}
{"level":"debug","ts":"2026-06-15T08:59:10Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"4f56b55b-7c6a-431b-bb2a-c21a066f6de2","input":{"auth":{"identity":"Bearer **** subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}}},"context":{"context_extensions":{"host":"3dd75e19cd66d310c30638e330078972afd6d2d96305f91055bc6a6f363fb8d3"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.132.0.39:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local",":method":"GET",":path":"/llm/facebook-opt-125m-simulated/v1/models",":scheme":"https","accept-encoding":"gzip","authorization":"Bearer **** sk-oai-1f1QL6yaA3kM9dWEj_2JUj9bRMVDSZ2SY4GtvwKPPn5j7pNXTaMv5Ix80Cv05","user-agent":"Go-http-client/1.1","x-envoy-decorator-operation":"facebook-opt-125m-simulated-kserve-workload-svc.llm.svc.cluster.local:8000/*","x-envoy-external-address":"10.132.0.45","x-envoy-peer-metadata":"ChoKCkNMVVNURVJfSUQSDBoKS3ViZXJuZXRlcwqLAQoGTEFCRUxTEoABKn4KSwofc2VydmljZS5pc3Rpby5pby9jYW5vbmljYWwtbmFtZRIoGiZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAovCiNzZXJ2aWNlLmlzdGlvLmlvL2Nhbm9uaWNhbC1yZXZpc2lvbhIIGgZsYXRlc3QKQQoETkFNRRI5GjdtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdC04NTU5Y2Q1NzQ0LTViYmZ3CiAKCU5BTUVTUEFDRRITGhFvcGVuc2hpZnQtaW5ncmVzcwp0CgVPV05FUhJrGmlrdWJlcm5ldGVzOi8vYXBpcy9hcHBzL3YxL25hbWVzcGFjZXMvb3BlbnNoaWZ0LWluZ3Jlc3MvZGVwbG95bWVudHMvbWFhcy1kZWZhdWx0LWdhdGV3YXktb3BlbnNoaWZ0LWRlZmF1bHQKOQoNV09SS0xPQURfTkFNRRIoGiZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdA==","x-envoy-peer-metadata-id":"router~10.132.0.39~maas-default-gateway-openshift-default-8559cd5744-5bbfw.openshift-ingress~openshift-ingress.svc.cluster.local","x-forwarded-for":"10.132.0.45","x-forwarded-proto":"https","x-maas-subscription":"simulator-subscription","x-request-id":"4f56b55b-7c6a-431b-bb2a-c21a066f6de2"},"host":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local","id":"4f56b55b-7c6a-431b-bb2a-c21a066f6de2","method":"GET","path":"/llm/facebook-opt-125m-simulated/v1/models","protocol":"HTTP/1.1","scheme":"https","time":{"nanos":12231706,"seconds":1781513950},"url_path":"/llm/facebook-opt-125m-simulated/v1/models","user_agent":"Go-http-client/1.1"},"source":{"address":"10.132.0.45:52142","port":52142}}}
{"level":"debug","ts":"2026-06-15T08:59:10Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"4f56b55b-7c6a-431b-bb2a-c21a066f6de2","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-15T08:59:10Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"4f56b55b-7c6a-431b-bb2a-c21a066f6de2","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-15T08:59:10Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"4f56b55b-7c6a-431b-bb2a-c21a066f6de2","config":{"Name":"subscription-valid","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-15T08:59:10Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"4f56b55b-7c6a-431b-bb2a-c21a066f6de2","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-15T08:59:10Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"4f56b55b-7c6a-431b-bb2a-c21a066f6de2","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-15T08:59:10Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"4f56b55b-7c6a-431b-bb2a-c21a066f6de2","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-15T08:59:10Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"4f56b55b-7c6a-431b-bb2a-c21a066f6de2","config":{"Name":"X-MaaS-Tenant","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-15T08:59:10Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"4f56b55b-7c6a-431b-bb2a-c21a066f6de2","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"}
{"level":"debug","ts":"2026-06-15T08:59:10Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"4f56b55b-7c6a-431b-bb2a-c21a066f6de2","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"subscription_error","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"userid","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"groups","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"keyId","Value":{}}]},"Plain":null},"object":{"groups":["system:authenticated","Engineering","Project-Alpha"],"groups_str":"system:authenticated,Engineering,Project-Alpha","keyId":"6ffd467f-8ae7-4735-86d9-a6f2865a9c9d","selected_subscription":"simulator-subscription","selected_subscription_key":"models-as-a-service/simulator-subscription@llm/facebook-opt-125m-simulated","subscription_error":"","subscription_error_message":"","subscription_info":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true},"userid":"alice_lead"}}
{"level":"info","ts":"2026-06-15T08:59:10Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"4f56b55b-7c6a-431b-bb2a-c21a066f6de2","authorized":true,"response":"OK"}
{"level":"debug","ts":"2026-06-15T08:59:10Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"4f56b55b-7c6a-431b-bb2a-c21a066f6de2","authorized":true,"response":"OK"}
{"level":"info","ts":"2026-06-15T08:59:10Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"3447ab6e-47f6-477a-a017-3d08aa554f73","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.13:49192","PortSpecifier":{"PortValue":49192}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.39:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"3447ab6e-47f6-477a-a017-3d08aa554f73","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.25fbe405-33b9-4067-aa23-95cf0c2813ef.prod.konfluxeaas.com","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-15T08:59:10Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"3447ab6e-47f6-477a-a017-3d08aa554f73","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.13:49192","PortSpecifier":{"PortValue":49192}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.39:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781513950,"nanos":161832740},"http":{"id":"3447ab6e-47f6-477a-a017-3d08aa554f73","method":"POST","headers":{":authority":"maas.apps.25fbe405-33b9-4067-aa23-95cf0c2813ef.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-15T08:59:10Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"3447ab6e-47f6-477a-a017-3d08aa554f73","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781514250,"groups":["Engineering","Project-Alpha"],"iat":1781513950,"iss":"https://keycloak.apps.25fbe405-33b9-4067-aa23-95cf0c2813ef.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:acf6a87f-4f69-76f9-9926-e4d5b755bf9f","preferred_username":"alice_lead","scope":"profile email","sid":"J_5MkMzh41W3_JWzPoejItZB","sub":"74bd361c-2e2d-4347-8556-40d263fd1a28","typ":"Bearer"}}
{"level":"debug","ts":"2026-06-15T08:59:10Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"3447ab6e-47f6-477a-a017-3d08aa554f73","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781514250,"groups":["Engineering","Project-Alpha"],"iat":1781513950,"iss":"https://keycloak.apps.25fbe405-33b9-4067-aa23-95cf0c2813ef.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:acf6a87f-4f69-76f9-9926-e4d5b755bf9f","preferred_username":"alice_lead","scope":"profile email","sid":"J_5MkMzh41W3_JWzPoejItZB","sub":"74bd361c-2e2d-4347-8556-40d263fd1a28","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.132.0.39:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.25fbe405-33b9-4067-aa23-95cf0c2813ef.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-15T08:59:10Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"3447ab6e-47f6-477a-a017-3d08aa554f73","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-15T08:59:10Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"3447ab6e-47f6-477a-a017-3d08aa554f73","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-15T08:59:10Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"3447ab6e-47f6-477a-a017-3d08aa554f73","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-15T08:59:10Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"3447ab6e-47f6-477a-a017-3d08aa554f73","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"subscription_error","Value":{}},{"Name":"userid","Value":{}},{"Name":"groups","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"keyId","Value":{}}]},"Plain":null},"reason":"no such key: metadata"}
{"level":"debug","ts":"2026-06-15T08:59:10Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"3447ab6e-47f6-477a-a017-3d08aa554f73","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"}
{"level":"debug","ts":"2026-06-15T08:59:10Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"3447ab6e-47f6-477a-a017-3d08aa554f73","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"}
{"level":"debug","ts":"2026-06-15T08:59:10Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"3447ab6e-47f6-477a-a017-3d08aa554f73","config":{"Name":"X-MaaS-Tenant-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Tenant","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"opendatahub"}
{"level":"info","ts":"2026-06-15T08:59:10Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"3447ab6e-47f6-477a-a017-3d08aa554f73","authorized":true,"response":"OK"}
{"level":"debug","ts":"2026-06-15T08:59:10Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"3447ab6e-47f6-477a-a017-3d08aa554f73","authorized":true,"response":"OK"}
{"level":"info","ts":"2026-06-15T08:59:10Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"d3ddcd5a-d6b6-46a2-afa3-7eb5a2f77305","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.13:49194","PortSpecifier":{"PortValue":49194}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.39:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"d3ddcd5a-d6b6-46a2-afa3-7eb5a2f77305","method":"GET","path":"/maas-api/v1/models","host":"maas.apps.25fbe405-33b9-4067-aa23-95cf0c2813ef.prod.konfluxeaas.com","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-15T08:59:10Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"d3ddcd5a-d6b6-46a2-afa3-7eb5a2f77305","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.13:49194","PortSpecifier":{"PortValue":49194}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.39:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781513950,"nanos":192285197},"http":{"id":"d3ddcd5a-d6b6-46a2-afa3-7eb5a2f77305","method":"GET","headers":{":authority":"maas.apps.25fbe405-33b9-4067-aa23-95cf0c2813ef.prod.konfluxeaas.com",":method":"GET",":path":"/maas-api/v1/models",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-15T08:59:10Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"d3ddcd5a-d6b6-46a2-afa3-7eb5a2f77305","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-18m9NrwCmJ0jI1jZQ_YV24MqHXnQ5LzRkA09D19bkyZ8o4HPdXttGQwQvfi8B"}
{"level":"debug","ts":"2026-06-15T08:59:10Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"d3ddcd5a-d6b6-46a2-afa3-7eb5a2f77305","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-18m9NrwCmJ0jI1jZQ_YV24MqHXnQ5LzRkA09D19bkyZ8o4HPdXttGQwQvfi8B\"}"}
{"level":"debug","ts":"2026-06-15T08:59:10Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"d3ddcd5a-d6b6-46a2-afa3-7eb5a2f77305","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-15T08:59:10Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"d3ddcd5a-d6b6-46a2-afa3-7eb5a2f77305","input":{"auth":{"identity":"Bearer **** deflate","authorization":"Bearer **** deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-15T08:59:10Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"d3ddcd5a-d6b6-46a2-afa3-7eb5a2f77305","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-15T08:59:10Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"d3ddcd5a-d6b6-46a2-afa3-7eb5a2f77305","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-15T08:59:10Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"d3ddcd5a-d6b6-46a2-afa3-7eb5a2f77305","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-15T08:59:10Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"d3ddcd5a-d6b6-46a2-afa3-7eb5a2f77305","config":{"Name":"X-MaaS-Tenant","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-15T08:59:10Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"d3ddcd5a-d6b6-46a2-afa3-7eb5a2f77305","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-15T08:59:10Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"d3ddcd5a-d6b6-46a2-afa3-7eb5a2f77305","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-15T08:59:10Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"d3ddcd5a-d6b6-46a2-afa3-7eb5a2f77305","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"subscription_error","Value":{}},{"Name":"userid","Value":{}},{"Name":"groups","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"keyId","Value":{}}]},"Plain":null},"reason":"no such key: subscription-info"}
{"level":"debug","ts":"2026-06-15T08:59:10Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"d3ddcd5a-d6b6-46a2-afa3-7eb5a2f77305","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"}
{"level":"info","ts":"2026-06-15T08:59:10Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"d3ddcd5a-d6b6-46a2-afa3-7eb5a2f77305","authorized":true,"response":"OK"}
{"level":"debug","ts":"2026-06-15T08:59:10Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"d3ddcd5a-d6b6-46a2-afa3-7eb5a2f77305","authorized":true,"response":"OK"}
{"level":"info","ts":"2026-06-15T08:59:10Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"d6b6b9f3-5f60-42d9-99e5-65a1964f6ee4","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.45:52142","PortSpecifier":{"PortValue":52142}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.39:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"d6b6b9f3-5f60-42d9-99e5-65a1964f6ee4","method":"GET","path":"/llm/facebook-opt-125m-simulated/v1/models","host":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-15T08:59:10Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"d6b6b9f3-5f60-42d9-99e5-65a1964f6ee4","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.45:52142","PortSpecifier":{"PortValue":52142}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.39:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781513950,"nanos":198539879},"http":{"id":"d6b6b9f3-5f60-42d9-99e5-65a1964f6ee4","method":"GET","headers":{":authority":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local",":method":"GET",":path":"/llm/facebook-opt-125m-simulated/v1/models",":scheme":"https","accept-encoding":"gzip","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-15T08:59:10Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"d6b6b9f3-5f60-42d9-99e5-65a1964f6ee4","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-18m9NrwCmJ0jI1jZQ_YV24MqHXnQ5LzRkA09D19bkyZ8o4HPdXttGQwQvfi8B"}
{"level":"debug","ts":"2026-06-15T08:59:10Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"d6b6b9f3-5f60-42d9-99e5-65a1964f6ee4","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-18m9NrwCmJ0jI1jZQ_YV24MqHXnQ5LzRkA09D19bkyZ8o4HPdXttGQwQvfi8B\"}"}
{"level":"debug","ts":"2026-06-15T08:59:10Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"d6b6b9f3-5f60-42d9-99e5-65a1964f6ee4","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-15T08:59:10Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"d6b6b9f3-5f60-42d9-99e5-65a1964f6ee4","config":"subscription-info","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","headers":{"Content-Type":["application/json"]},"body":"{\"groups\":[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"],\"requestedModel\":\"llm/facebook-opt-125m-simulated\",\"requestedSubscription\":\"simulator-subscription\",\"username\":\"alice_lead\"}"}
{"level":"debug","ts":"2026-06-15T08:59:10Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"d6b6b9f3-5f60-42d9-99e5-65a1964f6ee4","config":{"Name":"subscription-info","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"UserInfo":null,"UMA":null,"GenericHTTP":{"Endpoint":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","DynamicEndpoint":null,"Method":"POST","Body":{},"Parameters":[],"Headers":[],"ContentType":"application/json","SharedSecret":"","OAuth2":null,"OAuth2TokenForceFetch":false,"AuthCredentials":null}},"object":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}}
{"level":"debug","ts":"2026-06-15T08:59:10Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"d6b6b9f3-5f60-42d9-99e5-65a1964f6ee4","input":{"auth":{"identity":"Bearer **** subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}}},"context":{"context_extensions":{"host":"3dd75e19cd66d310c30638e330078972afd6d2d96305f91055bc6a6f363fb8d3"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.132.0.39:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local",":method":"GET",":path":"/llm/facebook-opt-125m-simulated/v1/models",":scheme":"https","accept-encoding":"gzip","authorization":"Bearer **** sk-oai-18m9NrwCmJ0jI1jZQ_YV24MqHXnQ5LzRkA09D19bkyZ8o4HPdXttGQwQvfi8B","user-agent":"Go-http-client/1.1","x-envoy-decorator-operation":"facebook-opt-125m-simulated-kserve-workload-svc.llm.svc.cluster.local:8000/*","x-envoy-external-address":"10.132.0.45","x-envoy-peer-metadata":"ChoKCkNMVVNURVJfSUQSDBoKS3ViZXJuZXRlcwqLAQoGTEFCRUxTEoABKn4KSwofc2VydmljZS5pc3Rpby5pby9jYW5vbmljYWwtbmFtZRIoGiZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAovCiNzZXJ2aWNlLmlzdGlvLmlvL2Nhbm9uaWNhbC1yZXZpc2lvbhIIGgZsYXRlc3QKQQoETkFNRRI5GjdtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdC04NTU5Y2Q1NzQ0LTViYmZ3CiAKCU5BTUVTUEFDRRITGhFvcGVuc2hpZnQtaW5ncmVzcwp0CgVPV05FUhJrGmlrdWJlcm5ldGVzOi8vYXBpcy9hcHBzL3YxL25hbWVzcGFjZXMvb3BlbnNoaWZ0LWluZ3Jlc3MvZGVwbG95bWVudHMvbWFhcy1kZWZhdWx0LWdhdGV3YXktb3BlbnNoaWZ0LWRlZmF1bHQKOQoNV09SS0xPQURfTkFNRRIoGiZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdA==","x-envoy-peer-metadata-id":"router~10.132.0.39~maas-default-gateway-openshift-default-8559cd5744-5bbfw.openshift-ingress~openshift-ingress.svc.cluster.local","x-forwarded-for":"10.132.0.45","x-forwarded-proto":"https","x-maas-subscription":"simulator-subscription","x-request-id":"d6b6b9f3-5f60-42d9-99e5-65a1964f6ee4"},"host":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local","id":"d6b6b9f3-5f60-42d9-99e5-65a1964f6ee4","method":"GET","path":"/llm/facebook-opt-125m-simulated/v1/models","protocol":"HTTP/1.1","scheme":"https","time":{"nanos":198539879,"seconds":1781513950},"url_path":"/llm/facebook-opt-125m-simulated/v1/models","user_agent":"Go-http-client/1.1"},"source":{"address":"10.132.0.45:52142","port":52142}}}
{"level":"debug","ts":"2026-06-15T08:59:10Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"d6b6b9f3-5f60-42d9-99e5-65a1964f6ee4","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-15T08:59:10Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"d6b6b9f3-5f60-42d9-99e5-65a1964f6ee4","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-15T08:59:10Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"d6b6b9f3-5f60-42d9-99e5-65a1964f6ee4","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-15T08:59:10Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"d6b6b9f3-5f60-42d9-99e5-65a1964f6ee4","config":{"Name":"subscription-valid","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-15T08:59:10Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"d6b6b9f3-5f60-42d9-99e5-65a1964f6ee4","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-15T08:59:10Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"d6b6b9f3-5f60-42d9-99e5-65a1964f6ee4","config":{"Name":"X-MaaS-Tenant","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-15T08:59:10Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"d6b6b9f3-5f60-42d9-99e5-65a1964f6ee4","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-15T08:59:10Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"d6b6b9f3-5f60-42d9-99e5-65a1964f6ee4","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"}
{"level":"debug","ts":"2026-06-15T08:59:10Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"d6b6b9f3-5f60-42d9-99e5-65a1964f6ee4","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"subscription_error","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"userid","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"groups","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"keyId","Value":{}}]},"Plain":null},"object":{"groups":["system:authenticated","Engineering","Project-Alpha"],"groups_str":"system:authenticated,Engineering,Project-Alpha","keyId":"45314d96-fac5-4c3c-b8be-cf8ad0cce98f","selected_subscription":"simulator-subscription","selected_subscription_key":"models-as-a-service/simulator-subscription@llm/facebook-opt-125m-simulated","subscription_error":"","subscription_error_message":"","subscription_info":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true},"userid":"alice_lead"}}
{"level":"info","ts":"2026-06-15T08:59:10Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"d6b6b9f3-5f60-42d9-99e5-65a1964f6ee4","authorized":true,"response":"OK"}
{"level":"debug","ts":"2026-06-15T08:59:10Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"d6b6b9f3-5f60-42d9-99e5-65a1964f6ee4","authorized":true,"response":"OK"}
{"level":"info","ts":"2026-06-15T08:59:10Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"ff75caaf-4152-404c-85a1-c76875fa351e","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.13:49196","PortSpecifier":{"PortValue":49196}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.39:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"ff75caaf-4152-404c-85a1-c76875fa351e","method":"GET","path":"/maas-api/v1/models","host":"maas.apps.25fbe405-33b9-4067-aa23-95cf0c2813ef.prod.konfluxeaas.com","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-15T08:59:10Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"ff75caaf-4152-404c-85a1-c76875fa351e","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.13:49196","PortSpecifier":{"PortValue":49196}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.39:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781513950,"nanos":228946885},"http":{"id":"ff75caaf-4152-404c-85a1-c76875fa351e","method":"GET","headers":{":authority":"maas.apps.25fbe405-33b9-4067-aa23-95cf0c2813ef.prod.konfluxeaas.com",":method":"GET",":path":"/maas-api/v1/models",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-15T08:59:10Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"ff75caaf-4152-404c-85a1-c76875fa351e","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-18m9NrwCmJ0jI1jZQ_YV24MqHXnQ5LzRkA09D19bkyZ8o4HPdXttGQwQvfi8B"}
{"level":"debug","ts":"2026-06-15T08:59:10Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"ff75caaf-4152-404c-85a1-c76875fa351e","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-18m9NrwCmJ0jI1jZQ_YV24MqHXnQ5LzRkA09D19bkyZ8o4HPdXttGQwQvfi8B\"}"}
{"level":"debug","ts":"2026-06-15T08:59:10Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"ff75caaf-4152-404c-85a1-c76875fa351e","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-15T08:59:10Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"ff75caaf-4152-404c-85a1-c76875fa351e","input":{"auth":{"identity":"Bearer **** deflate","authorization":"Bearer **** deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-15T08:59:10Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"ff75caaf-4152-404c-85a1-c76875fa351e","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-15T08:59:10Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"ff75caaf-4152-404c-85a1-c76875fa351e","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-15T08:59:10Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"ff75caaf-4152-404c-85a1-c76875fa351e","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-15T08:59:10Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"ff75caaf-4152-404c-85a1-c76875fa351e","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-15T08:59:10Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"ff75caaf-4152-404c-85a1-c76875fa351e","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-15T08:59:10Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"ff75caaf-4152-404c-85a1-c76875fa351e","config":{"Name":"X-MaaS-Tenant","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-15T08:59:10Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"ff75caaf-4152-404c-85a1-c76875fa351e","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"subscription_error","Value":{}},{"Name":"userid","Value":{}},{"Name":"groups","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"keyId","Value":{}}]},"Plain":null},"reason":"no such key: subscription-info"}
{"level":"debug","ts":"2026-06-15T08:59:10Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"ff75caaf-4152-404c-85a1-c76875fa351e","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"}
{"level":"info","ts":"2026-06-15T08:59:10Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"ff75caaf-4152-404c-85a1-c76875fa351e","authorized":true,"response":"OK"}
{"level":"debug","ts":"2026-06-15T08:59:10Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"ff75caaf-4152-404c-85a1-c76875fa351e","authorized":true,"response":"OK"}
{"level":"info","ts":"2026-06-15T08:59:10Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"2d958f8f-d379-4958-988c-ce924e8ec237","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.45:52142","PortSpecifier":{"PortValue":52142}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.39:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"2d958f8f-d379-4958-988c-ce924e8ec237","method":"GET","path":"/llm/facebook-opt-125m-simulated/v1/models","host":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-15T08:59:10Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"2d958f8f-d379-4958-988c-ce924e8ec237","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.45:52142","PortSpecifier":{"PortValue":52142}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.39:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781513950,"nanos":234524746},"http":{"id":"2d958f8f-d379-4958-988c-ce924e8ec237","method":"GET","headers":{":authority":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local",":method":"GET",":path":"/llm/facebook-opt-125m-simulated/v1/models",":scheme":"https","accept-encoding":"gzip","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-15T08:59:10Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"2d958f8f-d379-4958-988c-ce924e8ec237","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-18m9NrwCmJ0jI1jZQ_YV24MqHXnQ5LzRkA09D19bkyZ8o4HPdXttGQwQvfi8B"}
{"level":"debug","ts":"2026-06-15T08:59:10Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"2d958f8f-d379-4958-988c-ce924e8ec237","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-18m9NrwCmJ0jI1jZQ_YV24MqHXnQ5LzRkA09D19bkyZ8o4HPdXttGQwQvfi8B\"}"}
{"level":"debug","ts":"2026-06-15T08:59:10Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"2d958f8f-d379-4958-988c-ce924e8ec237","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-15T08:59:10Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"2d958f8f-d379-4958-988c-ce924e8ec237","config":"subscription-info","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","headers":{"Content-Type":["application/json"]},"body":"{\"groups\":[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"],\"requestedModel\":\"llm/facebook-opt-125m-simulated\",\"requestedSubscription\":\"simulator-subscription\",\"username\":\"alice_lead\"}"}
{"level":"debug","ts":"2026-06-15T08:59:10Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"2d958f8f-d379-4958-988c-ce924e8ec237","config":{"Name":"subscription-info","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"UserInfo":null,"UMA":null,"GenericHTTP":{"Endpoint":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","DynamicEndpoint":null,"Method":"POST","Body":{},"Parameters":[],"Headers":[],"ContentType":"application/json","SharedSecret":"","OAuth2":null,"OAuth2TokenForceFetch":false,"AuthCredentials":null}},"object":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}}
{"level":"debug","ts":"2026-06-15T08:59:10Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"2d958f8f-d379-4958-988c-ce924e8ec237","input":{"auth":{"identity":"Bearer **** subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}}},"context":{"context_extensions":{"host":"3dd75e19cd66d310c30638e330078972afd6d2d96305f91055bc6a6f363fb8d3"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.132.0.39:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local",":method":"GET",":path":"/llm/facebook-opt-125m-simulated/v1/models",":scheme":"https","accept-encoding":"gzip","authorization":"Bearer **** sk-oai-18m9NrwCmJ0jI1jZQ_YV24MqHXnQ5LzRkA09D19bkyZ8o4HPdXttGQwQvfi8B","user-agent":"Go-http-client/1.1","x-envoy-decorator-operation":"facebook-opt-125m-simulated-kserve-workload-svc.llm.svc.cluster.local:8000/*","x-envoy-external-address":"10.132.0.45","x-envoy-peer-metadata":"ChoKCkNMVVNURVJfSUQSDBoKS3ViZXJuZXRlcwqLAQoGTEFCRUxTEoABKn4KSwofc2VydmljZS5pc3Rpby5pby9jYW5vbmljYWwtbmFtZRIoGiZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAovCiNzZXJ2aWNlLmlzdGlvLmlvL2Nhbm9uaWNhbC1yZXZpc2lvbhIIGgZsYXRlc3QKQQoETkFNRRI5GjdtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdC04NTU5Y2Q1NzQ0LTViYmZ3CiAKCU5BTUVTUEFDRRITGhFvcGVuc2hpZnQtaW5ncmVzcwp0CgVPV05FUhJrGmlrdWJlcm5ldGVzOi8vYXBpcy9hcHBzL3YxL25hbWVzcGFjZXMvb3BlbnNoaWZ0LWluZ3Jlc3MvZGVwbG95bWVudHMvbWFhcy1kZWZhdWx0LWdhdGV3YXktb3BlbnNoaWZ0LWRlZmF1bHQKOQoNV09SS0xPQURfTkFNRRIoGiZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdA==","x-envoy-peer-metadata-id":"router~10.132.0.39~maas-default-gateway-openshift-default-8559cd5744-5bbfw.openshift-ingress~openshift-ingress.svc.cluster.local","x-forwarded-for":"10.132.0.45","x-forwarded-proto":"https","x-maas-subscription":"simulator-subscription","x-request-id":"2d958f8f-d379-4958-988c-ce924e8ec237"},"host":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local","id":"2d958f8f-d379-4958-988c-ce924e8ec237","method":"GET","path":"/llm/facebook-opt-125m-simulated/v1/models","protocol":"HTTP/1.1","scheme":"https","time":{"nanos":234524746,"seconds":1781513950},"url_path":"/llm/facebook-opt-125m-simulated/v1/models","user_agent":"Go-http-client/1.1"},"source":{"address":"10.132.0.45:52142","port":52142}}}
{"level":"debug","ts":"2026-06-15T08:59:10Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"2d958f8f-d379-4958-988c-ce924e8ec237","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-15T08:59:10Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"2d958f8f-d379-4958-988c-ce924e8ec237","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-15T08:59:10Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"2d958f8f-d379-4958-988c-ce924e8ec237","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-15T08:59:10Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"2d958f8f-d379-4958-988c-ce924e8ec237","config":{"Name":"subscription-valid","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-15T08:59:10Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"2d958f8f-d379-4958-988c-ce924e8ec237","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-15T08:59:10Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"2d958f8f-d379-4958-988c-ce924e8ec237","config":{"Name":"X-MaaS-Tenant","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-15T08:59:10Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"2d958f8f-d379-4958-988c-ce924e8ec237","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-15T08:59:10Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"2d958f8f-d379-4958-988c-ce924e8ec237","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"}
{"level":"debug","ts":"2026-06-15T08:59:10Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"2d958f8f-d379-4958-988c-ce924e8ec237","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"subscription_error","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"userid","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"groups","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"keyId","Value":{}}]},"Plain":null},"object":{"groups":["system:authenticated","Engineering","Project-Alpha"],"groups_str":"system:authenticated,Engineering,Project-Alpha","keyId":"45314d96-fac5-4c3c-b8be-cf8ad0cce98f","selected_subscription":"simulator-subscription","selected_subscription_key":"models-as-a-service/simulator-subscription@llm/facebook-opt-125m-simulated","subscription_error":"","subscription_error_message":"","subscription_info":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true},"userid":"alice_lead"}}
{"level":"info","ts":"2026-06-15T08:59:10Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"2d958f8f-d379-4958-988c-ce924e8ec237","authorized":true,"response":"OK"}
{"level":"debug","ts":"2026-06-15T08:59:10Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"2d958f8f-d379-4958-988c-ce924e8ec237","authorized":true,"response":"OK"}
{"level":"info","ts":"2026-06-15T08:59:10Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"e13d19a0-2057-4bb5-9935-0668eb6a6f72","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.13:49200","PortSpecifier":{"PortValue":49200}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.39:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"e13d19a0-2057-4bb5-9935-0668eb6a6f72","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.25fbe405-33b9-4067-aa23-95cf0c2813ef.prod.konfluxeaas.com","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-15T08:59:10Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"e13d19a0-2057-4bb5-9935-0668eb6a6f72","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.13:49200","PortSpecifier":{"PortValue":49200}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.39:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781513950,"nanos":395840722},"http":{"id":"e13d19a0-2057-4bb5-9935-0668eb6a6f72","method":"POST","headers":{":authority":"maas.apps.25fbe405-33b9-4067-aa23-95cf0c2813ef.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-15T08:59:10Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"e13d19a0-2057-4bb5-9935-0668eb6a6f72","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781514250,"groups":["Engineering","Project-Alpha"],"iat":1781513950,"iss":"https://keycloak.apps.25fbe405-33b9-4067-aa23-95cf0c2813ef.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:0be5509a-a1b4-0802-13a5-e6c1919187e3","preferred_username":"alice_lead","scope":"profile email","sid":"QxCo_uegvqKCku4bonnNQiSK","sub":"74bd361c-2e2d-4347-8556-40d263fd1a28","typ":"Bearer"}}
{"level":"debug","ts":"2026-06-15T08:59:10Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"e13d19a0-2057-4bb5-9935-0668eb6a6f72","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781514250,"groups":["Engineering","Project-Alpha"],"iat":1781513950,"iss":"https://keycloak.apps.25fbe405-33b9-4067-aa23-95cf0c2813ef.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:0be5509a-a1b4-0802-13a5-e6c1919187e3","preferred_username":"alice_lead","scope":"profile email","sid":"QxCo_uegvqKCku4bonnNQiSK","sub":"74bd361c-2e2d-4347-8556-40d263fd1a28","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.132.0.39:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.25fbe405-33b9-4067-aa23-95cf0c2813ef.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-15T08:59:10Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"e13d19a0-2057-4bb5-9935-0668eb6a6f72","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-15T08:59:10Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"e13d19a0-2057-4bb5-9935-0668eb6a6f72","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-15T08:59:10Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"e13d19a0-2057-4bb5-9935-0668eb6a6f72","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-15T08:59:10Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"e13d19a0-2057-4bb5-9935-0668eb6a6f72","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"subscription_error","Value":{}},{"Name":"userid","Value":{}},{"Name":"groups","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"keyId","Value":{}}]},"Plain":null},"reason":"no such key: metadata"}
{"level":"debug","ts":"2026-06-15T08:59:10Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"e13d19a0-2057-4bb5-9935-0668eb6a6f72","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"}
{"level":"debug","ts":"2026-06-15T08:59:10Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"e13d19a0-2057-4bb5-9935-0668eb6a6f72","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"}
{"level":"debug","ts":"2026-06-15T08:59:10Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"e13d19a0-2057-4bb5-9935-0668eb6a6f72","config":{"Name":"X-MaaS-Tenant-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Tenant","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"opendatahub"}
{"level":"info","ts":"2026-06-15T08:59:10Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"e13d19a0-2057-4bb5-9935-0668eb6a6f72","authorized":true,"response":"OK"}
{"level":"debug","ts":"2026-06-15T08:59:10Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"e13d19a0-2057-4bb5-9935-0668eb6a6f72","authorized":true,"response":"OK"}