{"level":"info","ts":"2026-06-11T13:47:30Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-11T13:47:30Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"80f10756c0e833d16937036ed66f1daf5bef95559ef05a5e852766b97b9bdaef","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"False","lastTransitionTime":"2026-06-11T13:47:30Z","reason":"HostsNotLinked","message":"No hosts linked to the resource"},{"type":"Ready","status":"False","lastTransitionTime":"2026-06-11T13:47:30Z","reason":"Reconciling"}],"summary":{"ready":false,"hostsReady":[],"numHostsReady":"0/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":6,"festivalWristbandEnabled":false}}} {"level":"info","ts":"2026-06-11T13:47:30Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/80f10756c0e833d16937036ed66f1daf5bef95559ef05a5e852766b97b9bdaef"} {"level":"debug","ts":"2026-06-11T13:47:30Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5","issuerUrl":"https://keycloak.apps.af660e2c-6d22-45f8-ad55-33c41c900114.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-11T13:47:30Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"80f10756c0e833d16937036ed66f1daf5bef95559ef05a5e852766b97b9bdaef","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-11T13:47:30Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"False","lastTransitionTime":"2026-06-11T13:47:30Z","reason":"HostsNotLinked","message":"No hosts linked to the resource"},{"type":"Ready","status":"False","lastTransitionTime":"2026-06-11T13:47:30Z","reason":"Reconciling"}],"summary":{"ready":false,"hostsReady":[],"numHostsReady":"0/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":6,"festivalWristbandEnabled":false}}} {"level":"info","ts":"2026-06-11T13:47:30Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5"} {"level":"info","ts":"2026-06-11T13:47:30Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-11T13:47:30Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"36a57cb26c1f3baa754055a5b21729579f55f7d59e2035fdb41cf938a33d7612","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"False","lastTransitionTime":"2026-06-11T13:47:30Z","reason":"HostsNotLinked","message":"No hosts linked to the resource"},{"type":"Ready","status":"False","lastTransitionTime":"2026-06-11T13:47:30Z","reason":"Reconciling"}],"summary":{"ready":false,"hostsReady":[],"numHostsReady":"0/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":6,"festivalWristbandEnabled":false}}} {"level":"debug","ts":"2026-06-11T13:47:30Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/36a57cb26c1f3baa754055a5b21729579f55f7d59e2035fdb41cf938a33d7612","issuerUrl":"https://keycloak.apps.af660e2c-6d22-45f8-ad55-33c41c900114.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-11T13:47:30Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"36a57cb26c1f3baa754055a5b21729579f55f7d59e2035fdb41cf938a33d7612","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-11T13:47:30Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"80f10756c0e833d16937036ed66f1daf5bef95559ef05a5e852766b97b9bdaef","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"True","lastTransitionTime":"2026-06-11T13:47:30Z","reason":"HostsLinked"},{"type":"Ready","status":"True","lastTransitionTime":"2026-06-11T13:47:30Z","reason":"Reconciled"}],"summary":{"ready":true,"hostsReady":["80f10756c0e833d16937036ed66f1daf5bef95559ef05a5e852766b97b9bdaef"],"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":6,"festivalWristbandEnabled":false}}} {"level":"info","ts":"2026-06-11T13:47:30Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/36a57cb26c1f3baa754055a5b21729579f55f7d59e2035fdb41cf938a33d7612"} {"level":"debug","ts":"2026-06-11T13:47:30Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/80f10756c0e833d16937036ed66f1daf5bef95559ef05a5e852766b97b9bdaef","issuerUrl":"https://keycloak.apps.af660e2c-6d22-45f8-ad55-33c41c900114.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-11T13:47:30Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"80f10756c0e833d16937036ed66f1daf5bef95559ef05a5e852766b97b9bdaef","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-11T13:47:30Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"3dd75e19cd66d310c30638e330078972afd6d2d96305f91055bc6a6f363fb8d3","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-11T13:47:30Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"True","lastTransitionTime":"2026-06-11T13:47:30Z","reason":"HostsLinked"},{"type":"Ready","status":"True","lastTransitionTime":"2026-06-11T13:47:30Z","reason":"Reconciled"}],"summary":{"ready":true,"hostsReady":["9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5"],"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":6,"festivalWristbandEnabled":false}}} {"level":"info","ts":"2026-06-11T13:47:30Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/80f10756c0e833d16937036ed66f1daf5bef95559ef05a5e852766b97b9bdaef"} {"level":"debug","ts":"2026-06-11T13:47:30Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/3dd75e19cd66d310c30638e330078972afd6d2d96305f91055bc6a6f363fb8d3","issuerUrl":"https://keycloak.apps.af660e2c-6d22-45f8-ad55-33c41c900114.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-11T13:47:30Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-11T13:47:30Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"3dc75fc8307b952a3e873400cf417e90f2861e8a225abec4b22708deb7901db7","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-11T13:47:30Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"36a57cb26c1f3baa754055a5b21729579f55f7d59e2035fdb41cf938a33d7612","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"True","lastTransitionTime":"2026-06-11T13:47:30Z","reason":"HostsLinked"},{"type":"Ready","status":"True","lastTransitionTime":"2026-06-11T13:47:30Z","reason":"Reconciled"}],"summary":{"ready":true,"hostsReady":["36a57cb26c1f3baa754055a5b21729579f55f7d59e2035fdb41cf938a33d7612"],"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":6,"festivalWristbandEnabled":false}}} {"level":"info","ts":"2026-06-11T13:47:30Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/3dd75e19cd66d310c30638e330078972afd6d2d96305f91055bc6a6f363fb8d3"} {"level":"info","ts":"2026-06-11T13:47:30Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"36a57cb26c1f3baa754055a5b21729579f55f7d59e2035fdb41cf938a33d7612","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-11T13:47:30Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"80f10756c0e833d16937036ed66f1daf5bef95559ef05a5e852766b97b9bdaef","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-11T13:47:30Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"False","lastTransitionTime":"2026-06-11T13:47:30Z","reason":"HostsNotLinked","message":"No hosts linked to the resource"},{"type":"Ready","status":"False","lastTransitionTime":"2026-06-11T13:47:30Z","reason":"Reconciling"}],"summary":{"ready":false,"hostsReady":[],"numHostsReady":"0/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":6,"festivalWristbandEnabled":false}}} {"level":"debug","ts":"2026-06-11T13:47:30Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5","issuerUrl":"https://keycloak.apps.af660e2c-6d22-45f8-ad55-33c41c900114.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-11T13:47:30Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-11T13:47:30Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"b1f82c4ba6cc7617f9c0b90067f72f4a25fdc5de2564c14ccb90af534a2905f6","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-11T13:47:30Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"36a57cb26c1f3baa754055a5b21729579f55f7d59e2035fdb41cf938a33d7612","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-11T13:47:30Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"3c0d47082320c9bb02d3788ab2b052c696af91abc2ae438437ae71a26936c7c2","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-11T13:47:30Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-11T13:47:30Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5"} {"level":"debug","ts":"2026-06-11T13:47:30Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"d3b195a61a7f24c6bf1fba40f9f2e2565facb6af92e959c1546ac398a9172618","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-11T13:47:30Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"True","lastTransitionTime":"2026-06-11T13:47:30Z","reason":"HostsLinked"},{"type":"Ready","status":"True","lastTransitionTime":"2026-06-11T13:47:30Z","reason":"Reconciled"}],"summary":{"ready":true,"hostsReady":["9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5"],"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":6,"festivalWristbandEnabled":false}}} {"level":"debug","ts":"2026-06-11T13:47:30Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/3dc75fc8307b952a3e873400cf417e90f2861e8a225abec4b22708deb7901db7","issuerUrl":"https://keycloak.apps.af660e2c-6d22-45f8-ad55-33c41c900114.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-11T13:47:30Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-11T13:47:30Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-11T13:47:30Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/3dc75fc8307b952a3e873400cf417e90f2861e8a225abec4b22708deb7901db7"} {"level":"debug","ts":"2026-06-11T13:47:30Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/36a57cb26c1f3baa754055a5b21729579f55f7d59e2035fdb41cf938a33d7612","issuerUrl":"https://keycloak.apps.af660e2c-6d22-45f8-ad55-33c41c900114.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-11T13:47:30Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/36a57cb26c1f3baa754055a5b21729579f55f7d59e2035fdb41cf938a33d7612"} {"level":"debug","ts":"2026-06-11T13:47:30Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/80f10756c0e833d16937036ed66f1daf5bef95559ef05a5e852766b97b9bdaef","issuerUrl":"https://keycloak.apps.af660e2c-6d22-45f8-ad55-33c41c900114.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-11T13:47:30Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/80f10756c0e833d16937036ed66f1daf5bef95559ef05a5e852766b97b9bdaef"} {"level":"debug","ts":"2026-06-11T13:47:30Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/b1f82c4ba6cc7617f9c0b90067f72f4a25fdc5de2564c14ccb90af534a2905f6","issuerUrl":"https://keycloak.apps.af660e2c-6d22-45f8-ad55-33c41c900114.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-11T13:47:30Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"18e32965997cdd9967355c6fa5264ed12c0a215989d459ed88d7d6de02865f76","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-11T13:47:30Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/b1f82c4ba6cc7617f9c0b90067f72f4a25fdc5de2564c14ccb90af534a2905f6"} {"level":"debug","ts":"2026-06-11T13:47:30Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"9bbfc0b2e9e9acadd41342cd7c36a24afa8a5eef942d161782a6adae8411158a","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-11T13:47:30Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/3c0d47082320c9bb02d3788ab2b052c696af91abc2ae438437ae71a26936c7c2","issuerUrl":"https://keycloak.apps.af660e2c-6d22-45f8-ad55-33c41c900114.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-11T13:47:30Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/3c0d47082320c9bb02d3788ab2b052c696af91abc2ae438437ae71a26936c7c2"} {"level":"debug","ts":"2026-06-11T13:47:30Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"df733b2c652bfe2458c9e19932b1091e939c1a62178d6879462b3b4f73fca4bb","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-11T13:47:30Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/d3b195a61a7f24c6bf1fba40f9f2e2565facb6af92e959c1546ac398a9172618","issuerUrl":"https://keycloak.apps.af660e2c-6d22-45f8-ad55-33c41c900114.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-11T13:47:30Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/d3b195a61a7f24c6bf1fba40f9f2e2565facb6af92e959c1546ac398a9172618"} {"level":"debug","ts":"2026-06-11T13:47:30Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5","issuerUrl":"https://keycloak.apps.af660e2c-6d22-45f8-ad55-33c41c900114.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-11T13:47:30Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5"} {"level":"debug","ts":"2026-06-11T13:47:30Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/18e32965997cdd9967355c6fa5264ed12c0a215989d459ed88d7d6de02865f76","issuerUrl":"https://keycloak.apps.af660e2c-6d22-45f8-ad55-33c41c900114.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-11T13:47:30Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/18e32965997cdd9967355c6fa5264ed12c0a215989d459ed88d7d6de02865f76"} {"level":"debug","ts":"2026-06-11T13:47:30Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/9bbfc0b2e9e9acadd41342cd7c36a24afa8a5eef942d161782a6adae8411158a","issuerUrl":"https://keycloak.apps.af660e2c-6d22-45f8-ad55-33c41c900114.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-11T13:47:30Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"7371c34ce8e4df2309ee8f952c87f921947b289427b6e9ea579dcb9970fc1b86","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-11T13:47:30Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/9bbfc0b2e9e9acadd41342cd7c36a24afa8a5eef942d161782a6adae8411158a"} {"level":"debug","ts":"2026-06-11T13:47:30Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/df733b2c652bfe2458c9e19932b1091e939c1a62178d6879462b3b4f73fca4bb","issuerUrl":"https://keycloak.apps.af660e2c-6d22-45f8-ad55-33c41c900114.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-11T13:47:30Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"64a4fb0342f88ea589d83c2f8fa31545655652a27e95b54e34ff1aea7a23ce7a","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-11T13:47:30Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/df733b2c652bfe2458c9e19932b1091e939c1a62178d6879462b3b4f73fca4bb"} {"level":"debug","ts":"2026-06-11T13:47:30Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"35d34d59676c333235d7c9f02273e0380bb39f27cfd30856fedc0f7c0e5f79aa","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-11T13:47:30Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/7371c34ce8e4df2309ee8f952c87f921947b289427b6e9ea579dcb9970fc1b86","issuerUrl":"https://keycloak.apps.af660e2c-6d22-45f8-ad55-33c41c900114.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-11T13:47:30Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"01918e70442d2cb18c94316131b0e0a241b4a5d12df5b1e1981a3bef420bbdb5","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-11T13:47:30Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/7371c34ce8e4df2309ee8f952c87f921947b289427b6e9ea579dcb9970fc1b86"} {"level":"debug","ts":"2026-06-11T13:47:30Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/64a4fb0342f88ea589d83c2f8fa31545655652a27e95b54e34ff1aea7a23ce7a","issuerUrl":"https://keycloak.apps.af660e2c-6d22-45f8-ad55-33c41c900114.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-11T13:47:30Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"cc09b530b46a73b0d4ddb40e465580cff15db19d77e93e4903c9737647deeb1a","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-11T13:47:30Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/64a4fb0342f88ea589d83c2f8fa31545655652a27e95b54e34ff1aea7a23ce7a"} {"level":"debug","ts":"2026-06-11T13:47:30Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/35d34d59676c333235d7c9f02273e0380bb39f27cfd30856fedc0f7c0e5f79aa","issuerUrl":"https://keycloak.apps.af660e2c-6d22-45f8-ad55-33c41c900114.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-11T13:47:30Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"edcceb5a2e0cf1edde0fc3ed43068ce5b123a6fdc41949959c2c3b7a5a48bf24","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-11T13:47:30Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/35d34d59676c333235d7c9f02273e0380bb39f27cfd30856fedc0f7c0e5f79aa"} {"level":"debug","ts":"2026-06-11T13:47:30Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/01918e70442d2cb18c94316131b0e0a241b4a5d12df5b1e1981a3bef420bbdb5","issuerUrl":"https://keycloak.apps.af660e2c-6d22-45f8-ad55-33c41c900114.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-11T13:47:30Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"bf72a6316f6ed79299511e58d068836cdc71dbca5e23944f783c9340ffa0aee1","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-11T13:47:30Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/01918e70442d2cb18c94316131b0e0a241b4a5d12df5b1e1981a3bef420bbdb5"} {"level":"debug","ts":"2026-06-11T13:47:30Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/cc09b530b46a73b0d4ddb40e465580cff15db19d77e93e4903c9737647deeb1a","issuerUrl":"https://keycloak.apps.af660e2c-6d22-45f8-ad55-33c41c900114.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-11T13:47:30Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"e38d76c6f386f12bc12190c87b39e6e77e182be454f85659a9197c301f2cd9be","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-11T13:47:30Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"86cbb62fb4d82d4dc402b3281444539a5625c4bb4c86bbc4912c70e690a2e374","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-11T13:47:30Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/cc09b530b46a73b0d4ddb40e465580cff15db19d77e93e4903c9737647deeb1a"} {"level":"debug","ts":"2026-06-11T13:47:30Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/edcceb5a2e0cf1edde0fc3ed43068ce5b123a6fdc41949959c2c3b7a5a48bf24","issuerUrl":"https://keycloak.apps.af660e2c-6d22-45f8-ad55-33c41c900114.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-11T13:47:30Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"a89b0896df0d8cd430f1c81b6eb292ddc044daed393537d009a6330718f58d4b","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-11T13:47:30Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"331dc257e65f55f80700a586f7807093eda7b3d8e7d91215dc3c47731508480c","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-11T13:47:30Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/edcceb5a2e0cf1edde0fc3ed43068ce5b123a6fdc41949959c2c3b7a5a48bf24"} {"level":"debug","ts":"2026-06-11T13:47:30Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/bf72a6316f6ed79299511e58d068836cdc71dbca5e23944f783c9340ffa0aee1","issuerUrl":"https://keycloak.apps.af660e2c-6d22-45f8-ad55-33c41c900114.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-11T13:47:30Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/bf72a6316f6ed79299511e58d068836cdc71dbca5e23944f783c9340ffa0aee1"} {"level":"debug","ts":"2026-06-11T13:47:30Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/e38d76c6f386f12bc12190c87b39e6e77e182be454f85659a9197c301f2cd9be","issuerUrl":"https://keycloak.apps.af660e2c-6d22-45f8-ad55-33c41c900114.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-11T13:47:30Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"319a353672fc7601c875fa3f8b807adf60b64f093f022b2a1c3dfef3ac8cd4f4","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-11T13:47:30Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/e38d76c6f386f12bc12190c87b39e6e77e182be454f85659a9197c301f2cd9be"} {"level":"debug","ts":"2026-06-11T13:47:30Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/86cbb62fb4d82d4dc402b3281444539a5625c4bb4c86bbc4912c70e690a2e374","issuerUrl":"https://keycloak.apps.af660e2c-6d22-45f8-ad55-33c41c900114.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-11T13:47:30Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"4dc577fd60594d78a4a8bebe396f4b5a928f41bdc3f95c06d717cf1ddc3158b2","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-11T13:47:30Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/86cbb62fb4d82d4dc402b3281444539a5625c4bb4c86bbc4912c70e690a2e374"} {"level":"debug","ts":"2026-06-11T13:47:30Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/a89b0896df0d8cd430f1c81b6eb292ddc044daed393537d009a6330718f58d4b","issuerUrl":"https://keycloak.apps.af660e2c-6d22-45f8-ad55-33c41c900114.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-11T13:47:30Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"5fea747cb803a5ee3aeb620187bd9ec74ccccd10a92474ef528215a7ff146c8f","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-11T13:47:30Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/a89b0896df0d8cd430f1c81b6eb292ddc044daed393537d009a6330718f58d4b"} {"level":"debug","ts":"2026-06-11T13:47:30Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/331dc257e65f55f80700a586f7807093eda7b3d8e7d91215dc3c47731508480c","issuerUrl":"https://keycloak.apps.af660e2c-6d22-45f8-ad55-33c41c900114.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-11T13:47:30Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/331dc257e65f55f80700a586f7807093eda7b3d8e7d91215dc3c47731508480c"} {"level":"debug","ts":"2026-06-11T13:47:30Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/319a353672fc7601c875fa3f8b807adf60b64f093f022b2a1c3dfef3ac8cd4f4","issuerUrl":"https://keycloak.apps.af660e2c-6d22-45f8-ad55-33c41c900114.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-11T13:47:30Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/319a353672fc7601c875fa3f8b807adf60b64f093f022b2a1c3dfef3ac8cd4f4"} {"level":"debug","ts":"2026-06-11T13:47:30Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/4dc577fd60594d78a4a8bebe396f4b5a928f41bdc3f95c06d717cf1ddc3158b2","issuerUrl":"https://keycloak.apps.af660e2c-6d22-45f8-ad55-33c41c900114.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-11T13:47:30Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/4dc577fd60594d78a4a8bebe396f4b5a928f41bdc3f95c06d717cf1ddc3158b2"} {"level":"debug","ts":"2026-06-11T13:47:30Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/5fea747cb803a5ee3aeb620187bd9ec74ccccd10a92474ef528215a7ff146c8f","issuerUrl":"https://keycloak.apps.af660e2c-6d22-45f8-ad55-33c41c900114.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-11T13:47:30Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/5fea747cb803a5ee3aeb620187bd9ec74ccccd10a92474ef528215a7ff146c8f"} {"level":"info","ts":"2026-06-11T13:48:05Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"d4809307-cef5-4402-9b9f-6625b0a702c2","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.11:58650","PortSpecifier":{"PortValue":58650}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.32:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"d4809307-cef5-4402-9b9f-6625b0a702c2","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.af660e2c-6d22-45f8-ad55-33c41c900114.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-11T13:48:05Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"d4809307-cef5-4402-9b9f-6625b0a702c2","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.11:58650","PortSpecifier":{"PortValue":58650}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.32:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781185685,"nanos":249788293},"http":{"id":"d4809307-cef5-4402-9b9f-6625b0a702c2","method":"POST","headers":{":authority":"maas.apps.af660e2c-6d22-45f8-ad55-33c41c900114.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-11T13:48:05Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"d4809307-cef5-4402-9b9f-6625b0a702c2","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781185985,"groups":["Engineering","Project-Alpha"],"iat":1781185685,"iss":"https://keycloak.apps.af660e2c-6d22-45f8-ad55-33c41c900114.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:f4f32370-6863-d401-bfc4-1b48ec086949","preferred_username":"alice_lead","scope":"profile email","sid":"qssBSzT6u1nfpWw9fVxtSvDo","sub":"d6d9c6e2-b9f4-418b-809f-b46323b28c1a","typ":"Bearer"}} {"level":"debug","ts":"2026-06-11T13:48:05Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"d4809307-cef5-4402-9b9f-6625b0a702c2","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781185985,"groups":["Engineering","Project-Alpha"],"iat":1781185685,"iss":"https://keycloak.apps.af660e2c-6d22-45f8-ad55-33c41c900114.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:f4f32370-6863-d401-bfc4-1b48ec086949","preferred_username":"alice_lead","scope":"profile email","sid":"qssBSzT6u1nfpWw9fVxtSvDo","sub":"d6d9c6e2-b9f4-418b-809f-b46323b28c1a","typ":"Bearer"}},"context":{"context_extensions":{"host":"36a57cb26c1f3baa754055a5b21729579f55f7d59e2035fdb41cf938a33d7612"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.132.0.32:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.af660e2c-6d22-45f8-ad55-33c41c900114.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-11T13:48:05Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"d4809307-cef5-4402-9b9f-6625b0a702c2","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T13:48:05Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"d4809307-cef5-4402-9b9f-6625b0a702c2","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T13:48:05Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"d4809307-cef5-4402-9b9f-6625b0a702c2","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T13:48:05Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"d4809307-cef5-4402-9b9f-6625b0a702c2","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"userid","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"groups","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"groups_str","Value":{}}]},"Plain":null},"reason":"no such key: metadata"} {"level":"debug","ts":"2026-06-11T13:48:05Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"d4809307-cef5-4402-9b9f-6625b0a702c2","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"} {"level":"debug","ts":"2026-06-11T13:48:05Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"d4809307-cef5-4402-9b9f-6625b0a702c2","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"} {"level":"info","ts":"2026-06-11T13:48:05Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"d4809307-cef5-4402-9b9f-6625b0a702c2","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-11T13:48:05Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"d4809307-cef5-4402-9b9f-6625b0a702c2","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-11T13:48:05Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"8e4fda04-5de9-4d27-bef9-fbec92bbf140","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.11:58664","PortSpecifier":{"PortValue":58664}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.32:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"8e4fda04-5de9-4d27-bef9-fbec92bbf140","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.af660e2c-6d22-45f8-ad55-33c41c900114.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-11T13:48:05Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"8e4fda04-5de9-4d27-bef9-fbec92bbf140","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.11:58664","PortSpecifier":{"PortValue":58664}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.32:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781185685,"nanos":352617712},"http":{"id":"8e4fda04-5de9-4d27-bef9-fbec92bbf140","method":"POST","headers":{":authority":"maas.apps.af660e2c-6d22-45f8-ad55-33c41c900114.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-11T13:48:05Z","logger":"authorino.service.auth.authpipeline.identity","msg":"cannot validate identity","request id":"8e4fda04-5de9-4d27-bef9-fbec92bbf140","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"reason":"failed to verify signature: failed to verify id token signature"} {"level":"debug","ts":"2026-06-11T13:48:05Z","logger":"authorino.service.auth.authpipeline.identity.kubernetesauth","msg":"calling kubernetes token review api","request id":"8e4fda04-5de9-4d27-bef9-fbec92bbf140","tokenreview":{"name":""}} {"level":"debug","ts":"2026-06-11T13:48:05Z","logger":"authorino.service.auth.authpipeline.identity","msg":"cannot validate identity","request id":"8e4fda04-5de9-4d27-bef9-fbec92bbf140","config":{"Name":"openshift-identities","Priority":2,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":null,"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"Plain":null,"Noop":null,"ExtendedProperties":[]},"reason":"not authenticated"} {"level":"info","ts":"2026-06-11T13:48:05Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"8e4fda04-5de9-4d27-bef9-fbec92bbf140","authorized":false,"response":"UNAUTHENTICATED","object":{"code":16,"status":401,"message":"Authentication required"}} {"level":"debug","ts":"2026-06-11T13:48:05Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"8e4fda04-5de9-4d27-bef9-fbec92bbf140","authorized":false,"response":"UNAUTHENTICATED","object":{"code":16,"status":401,"message":"Authentication required","headers":[{"WWW-Authenticate":"request.headers.authorization realm=\"api-keys\""},{"WWW-Authenticate":"Bearer **** realm=\"openshift-identities\""}]}} {"level":"info","ts":"2026-06-11T13:48:05Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"09ae4ea3-bdaa-459a-957e-f21aa5399130","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.11:58668","PortSpecifier":{"PortValue":58668}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.32:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"09ae4ea3-bdaa-459a-957e-f21aa5399130","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.af660e2c-6d22-45f8-ad55-33c41c900114.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-11T13:48:05Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"09ae4ea3-bdaa-459a-957e-f21aa5399130","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.11:58668","PortSpecifier":{"PortValue":58668}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.32:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781185685,"nanos":407137522},"http":{"id":"09ae4ea3-bdaa-459a-957e-f21aa5399130","method":"POST","headers":{":authority":"maas.apps.af660e2c-6d22-45f8-ad55-33c41c900114.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer","content-length":"35","content-type":"application/json","forwarded":"for=34.228.250.194;host=maas.apps.af660e2c-6d22-45f8-ad55-33c41c900114.prod.konfluxeaas.com;proto=https","user-agent":"python-requests/2.32.5","x-envoy-decorator-operation":"maas-api.redhat-ai-gateway-infra.svc.cluster.local:8443/*","x-envoy-external-address":"10.132.0.11","x-envoy-peer-metadata":"ChoKCkNMVVNURVJfSUQSDBoKS3ViZXJuZXRlcwqLAQoGTEFCRUxTEoABKn4KSwofc2VydmljZS5pc3Rpby5pby9jYW5vbmljYWwtbmFtZRIoGiZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAovCiNzZXJ2aWNlLmlzdGlvLmlvL2Nhbm9uaWNhbC1yZXZpc2lvbhIIGgZsYXRlc3QKQAoETkFNRRI4GjZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdC02ODdmZjY5OTYtNHF6d3YKIAoJTkFNRVNQQUNFEhMaEW9wZW5zaGlmdC1pbmdyZXNzCnQKBU9XTkVSEmsaaWt1YmVybmV0ZXM6Ly9hcGlzL2FwcHMvdjEvbmFtZXNwYWNlcy9vcGVuc2hpZnQtaW5ncmVzcy9kZXBsb3ltZW50cy9tYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAo5Cg1XT1JLTE9BRF9OQU1FEigaJm1hYXMtZGVmYXVsdC1nYXRld2F5LW9wZW5zaGlmdC1kZWZhdWx0","x-envoy-peer-metadata-id":"router~10.132.0.32~maas-default-gateway-openshift-default-687ff6996-4qzwv.openshift-ingress~openshift-ingress.svc.cluster.local","x-forwarded-for":"34.228.250.194,10.132.0.11","x-forwarded-host":"maas.apps.af660e2c-6d22-45f8-ad55-33c41c900114.prod.konfluxeaas.com","x-forwarded-port":"443","x-forwarded-proto":"https","x-request-id":"09ae4ea3-bdaa-459a-957e-f21aa5399130"},"path":"/maas-api/v1/api-keys","host":"maas.apps.af660e2c-6d22-45f8-ad55-33c41c900114.prod.konfluxeaas.com","scheme":"https","protocol":"HTTP/1.1"}},"context_extensions":{"host":"36a57cb26c1f3baa754055a5b21729579f55f7d59e2035fdb41cf938a33d7612"},"metadata_context":{}}} {"level":"debug","ts":"2026-06-11T13:48:05Z","logger":"authorino.service.auth.authpipeline.identity","msg":"cannot validate identity","request id":"09ae4ea3-bdaa-459a-957e-f21aa5399130","config":{"Name":"openshift-identities","Priority":2,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":null,"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"Plain":null,"Noop":null,"ExtendedProperties":[]},"reason":"credential not found"} {"level":"info","ts":"2026-06-11T13:48:05Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"09ae4ea3-bdaa-459a-957e-f21aa5399130","authorized":false,"response":"UNAUTHENTICATED","object":{"code":16,"status":401,"message":"Authentication required"}} {"level":"debug","ts":"2026-06-11T13:48:05Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"09ae4ea3-bdaa-459a-957e-f21aa5399130","authorized":false,"response":"UNAUTHENTICATED","object":{"code":16,"status":401,"message":"Authentication required","headers":[{"WWW-Authenticate":"request.headers.authorization realm=\"api-keys\""},{"WWW-Authenticate":"Bearer **** realm=\"openshift-identities\""}]}} {"level":"info","ts":"2026-06-11T13:48:05Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"c2c4d196-a7ea-41df-8fd5-0a326445bdd8","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.11:58680","PortSpecifier":{"PortValue":58680}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.32:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"c2c4d196-a7ea-41df-8fd5-0a326445bdd8","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.af660e2c-6d22-45f8-ad55-33c41c900114.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-11T13:48:05Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"c2c4d196-a7ea-41df-8fd5-0a326445bdd8","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.11:58680","PortSpecifier":{"PortValue":58680}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.32:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781185685,"nanos":438810812},"http":{"id":"c2c4d196-a7ea-41df-8fd5-0a326445bdd8","method":"POST","headers":{":authority":"maas.apps.af660e2c-6d22-45f8-ad55-33c41c900114.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","content-length":"36","content-type":"application/json","forwarded":"for=34.228.250.194;host=maas.apps.af660e2c-6d22-45f8-ad55-33c41c900114.prod.konfluxeaas.com;proto=https","user-agent":"python-requests/2.32.5","x-envoy-decorator-operation":"maas-api.redhat-ai-gateway-infra.svc.cluster.local:8443/*","x-envoy-external-address":"10.132.0.11","x-envoy-peer-metadata":"ChoKCkNMVVNURVJfSUQSDBoKS3ViZXJuZXRlcwqLAQoGTEFCRUxTEoABKn4KSwofc2VydmljZS5pc3Rpby5pby9jYW5vbmljYWwtbmFtZRIoGiZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAovCiNzZXJ2aWNlLmlzdGlvLmlvL2Nhbm9uaWNhbC1yZXZpc2lvbhIIGgZsYXRlc3QKQAoETkFNRRI4GjZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdC02ODdmZjY5OTYtNHF6d3YKIAoJTkFNRVNQQUNFEhMaEW9wZW5zaGlmdC1pbmdyZXNzCnQKBU9XTkVSEmsaaWt1YmVybmV0ZXM6Ly9hcGlzL2FwcHMvdjEvbmFtZXNwYWNlcy9vcGVuc2hpZnQtaW5ncmVzcy9kZXBsb3ltZW50cy9tYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAo5Cg1XT1JLTE9BRF9OQU1FEigaJm1hYXMtZGVmYXVsdC1nYXRld2F5LW9wZW5zaGlmdC1kZWZhdWx0","x-envoy-peer-metadata-id":"router~10.132.0.32~maas-default-gateway-openshift-default-687ff6996-4qzwv.openshift-ingress~openshift-ingress.svc.cluster.local","x-forwarded-for":"34.228.250.194,10.132.0.11","x-forwarded-host":"maas.apps.af660e2c-6d22-45f8-ad55-33c41c900114.prod.konfluxeaas.com","x-forwarded-port":"443","x-forwarded-proto":"https","x-request-id":"c2c4d196-a7ea-41df-8fd5-0a326445bdd8"},"path":"/maas-api/v1/api-keys","host":"maas.apps.af660e2c-6d22-45f8-ad55-33c41c900114.prod.konfluxeaas.com","scheme":"https","protocol":"HTTP/1.1"}},"context_extensions":{"host":"36a57cb26c1f3baa754055a5b21729579f55f7d59e2035fdb41cf938a33d7612"},"metadata_context":{}}} {"level":"info","ts":"2026-06-11T13:48:05Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"c2c4d196-a7ea-41df-8fd5-0a326445bdd8","authorized":false,"response":"UNAUTHENTICATED","object":{"code":16,"status":401,"message":"Authentication required"}} {"level":"debug","ts":"2026-06-11T13:48:05Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"c2c4d196-a7ea-41df-8fd5-0a326445bdd8","authorized":false,"response":"UNAUTHENTICATED","object":{"code":16,"status":401,"message":"Authentication required","headers":[{"WWW-Authenticate":"request.headers.authorization realm=\"api-keys\""},{"WWW-Authenticate":"Bearer **** realm=\"openshift-identities\""}]}} {"level":"info","ts":"2026-06-11T13:48:05Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"92a58345-3e28-4eb8-ac5e-5d7c1fbfd529","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.11:58696","PortSpecifier":{"PortValue":58696}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.32:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"92a58345-3e28-4eb8-ac5e-5d7c1fbfd529","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.af660e2c-6d22-45f8-ad55-33c41c900114.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-11T13:48:05Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"92a58345-3e28-4eb8-ac5e-5d7c1fbfd529","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.11:58696","PortSpecifier":{"PortValue":58696}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.32:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781185685,"nanos":802694095},"http":{"id":"92a58345-3e28-4eb8-ac5e-5d7c1fbfd529","method":"POST","headers":{":authority":"maas.apps.af660e2c-6d22-45f8-ad55-33c41c900114.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-11T13:48:05Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"92a58345-3e28-4eb8-ac5e-5d7c1fbfd529","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781185985,"groups":["Site-Reliability"],"iat":1781185685,"iss":"https://keycloak.apps.af660e2c-6d22-45f8-ad55-33c41c900114.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:3fb63105-2fd7-7cef-e0f1-74a55c42b326","preferred_username":"bob_sre","scope":"profile email","sid":"NWdWGHa7dkfo6o8EYRyESlu3","sub":"7906df04-879d-4d5a-a8b4-e3fd29efabc8","typ":"Bearer"}} {"level":"debug","ts":"2026-06-11T13:48:05Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"92a58345-3e28-4eb8-ac5e-5d7c1fbfd529","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781185985,"groups":["Site-Reliability"],"iat":1781185685,"iss":"https://keycloak.apps.af660e2c-6d22-45f8-ad55-33c41c900114.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:3fb63105-2fd7-7cef-e0f1-74a55c42b326","preferred_username":"bob_sre","scope":"profile email","sid":"NWdWGHa7dkfo6o8EYRyESlu3","sub":"7906df04-879d-4d5a-a8b4-e3fd29efabc8","typ":"Bearer"}},"context":{"context_extensions":{"host":"36a57cb26c1f3baa754055a5b21729579f55f7d59e2035fdb41cf938a33d7612"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.132.0.32:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.af660e2c-6d22-45f8-ad55-33c41c900114.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-11T13:48:05Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"92a58345-3e28-4eb8-ac5e-5d7c1fbfd529","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T13:48:05Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"92a58345-3e28-4eb8-ac5e-5d7c1fbfd529","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T13:48:05Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"92a58345-3e28-4eb8-ac5e-5d7c1fbfd529","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T13:48:05Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"92a58345-3e28-4eb8-ac5e-5d7c1fbfd529","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"userid","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"groups","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"groups_str","Value":{}}]},"Plain":null},"reason":"no such key: metadata"} {"level":"debug","ts":"2026-06-11T13:48:05Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"92a58345-3e28-4eb8-ac5e-5d7c1fbfd529","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Site-Reliability\"]"} {"level":"debug","ts":"2026-06-11T13:48:05Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"92a58345-3e28-4eb8-ac5e-5d7c1fbfd529","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"bob_sre"} {"level":"info","ts":"2026-06-11T13:48:05Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"92a58345-3e28-4eb8-ac5e-5d7c1fbfd529","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-11T13:48:05Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"92a58345-3e28-4eb8-ac5e-5d7c1fbfd529","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-11T13:48:06Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"b280a4c7-0952-474e-aa30-383a2c5b01f5","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.11:58708","PortSpecifier":{"PortValue":58708}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.32:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"b280a4c7-0952-474e-aa30-383a2c5b01f5","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.af660e2c-6d22-45f8-ad55-33c41c900114.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-11T13:48:06Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"b280a4c7-0952-474e-aa30-383a2c5b01f5","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.11:58708","PortSpecifier":{"PortValue":58708}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.32:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781185686,"nanos":14647217},"http":{"id":"b280a4c7-0952-474e-aa30-383a2c5b01f5","method":"POST","headers":{":authority":"maas.apps.af660e2c-6d22-45f8-ad55-33c41c900114.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-11T13:48:06Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"b280a4c7-0952-474e-aa30-383a2c5b01f5","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781185985,"groups":["Engineering","Project-Alpha"],"iat":1781185685,"iss":"https://keycloak.apps.af660e2c-6d22-45f8-ad55-33c41c900114.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:77019478-a7df-708c-4a58-9c20c231da03","preferred_username":"alice_lead","scope":"profile email","sid":"iGgFZkYZsg3Ew7wK7OfxkaKa","sub":"d6d9c6e2-b9f4-418b-809f-b46323b28c1a","typ":"Bearer"}} {"level":"debug","ts":"2026-06-11T13:48:06Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"b280a4c7-0952-474e-aa30-383a2c5b01f5","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781185985,"groups":["Engineering","Project-Alpha"],"iat":1781185685,"iss":"https://keycloak.apps.af660e2c-6d22-45f8-ad55-33c41c900114.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:77019478-a7df-708c-4a58-9c20c231da03","preferred_username":"alice_lead","scope":"profile email","sid":"iGgFZkYZsg3Ew7wK7OfxkaKa","sub":"d6d9c6e2-b9f4-418b-809f-b46323b28c1a","typ":"Bearer"}},"context":{"context_extensions":{"host":"36a57cb26c1f3baa754055a5b21729579f55f7d59e2035fdb41cf938a33d7612"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.132.0.32:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.af660e2c-6d22-45f8-ad55-33c41c900114.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-11T13:48:06Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"b280a4c7-0952-474e-aa30-383a2c5b01f5","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T13:48:06Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"b280a4c7-0952-474e-aa30-383a2c5b01f5","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T13:48:06Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"b280a4c7-0952-474e-aa30-383a2c5b01f5","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T13:48:06Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"b280a4c7-0952-474e-aa30-383a2c5b01f5","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"userid","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"groups","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"groups_str","Value":{}}]},"Plain":null},"reason":"no such key: metadata"} {"level":"debug","ts":"2026-06-11T13:48:06Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"b280a4c7-0952-474e-aa30-383a2c5b01f5","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"} {"level":"debug","ts":"2026-06-11T13:48:06Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"b280a4c7-0952-474e-aa30-383a2c5b01f5","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"} {"level":"info","ts":"2026-06-11T13:48:06Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"b280a4c7-0952-474e-aa30-383a2c5b01f5","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-11T13:48:06Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"b280a4c7-0952-474e-aa30-383a2c5b01f5","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-11T13:48:06Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"51e18006-35f9-4a83-b0c2-b84e13e775fd","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.11:58714","PortSpecifier":{"PortValue":58714}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.32:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"51e18006-35f9-4a83-b0c2-b84e13e775fd","method":"GET","path":"/maas-api/v1/models","host":"maas.apps.af660e2c-6d22-45f8-ad55-33c41c900114.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-11T13:48:06Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"51e18006-35f9-4a83-b0c2-b84e13e775fd","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.11:58714","PortSpecifier":{"PortValue":58714}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.32:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781185686,"nanos":47852113},"http":{"id":"51e18006-35f9-4a83-b0c2-b84e13e775fd","method":"GET","headers":{":authority":"maas.apps.af660e2c-6d22-45f8-ad55-33c41c900114.prod.konfluxeaas.com",":method":"GET",":path":"/maas-api/v1/models",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-11T13:48:06Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"51e18006-35f9-4a83-b0c2-b84e13e775fd","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-4mpvI2GbB93pLnFX_kQ7Z9pHSBewB5Qe4mrvw0ehE3JljDYNb3LUwQRwGugz"} {"level":"debug","ts":"2026-06-11T13:48:06Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"51e18006-35f9-4a83-b0c2-b84e13e775fd","config":"apiKeyValidation","method":"POST","url":"https://maas-api.redhat-ai-gateway-infra.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-4mpvI2GbB93pLnFX_kQ7Z9pHSBewB5Qe4mrvw0ehE3JljDYNb3LUwQRwGugz\"}"} {"level":"debug","ts":"2026-06-11T13:48:06Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"51e18006-35f9-4a83-b0c2-b84e13e775fd","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-11T13:48:06Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"51e18006-35f9-4a83-b0c2-b84e13e775fd","input":{"auth":{"identity":"Bearer **** deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-11T13:48:06Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"51e18006-35f9-4a83-b0c2-b84e13e775fd","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T13:48:06Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"51e18006-35f9-4a83-b0c2-b84e13e775fd","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T13:48:06Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"51e18006-35f9-4a83-b0c2-b84e13e775fd","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T13:48:06Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"51e18006-35f9-4a83-b0c2-b84e13e775fd","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-11T13:48:06Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"51e18006-35f9-4a83-b0c2-b84e13e775fd","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-11T13:48:06Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"51e18006-35f9-4a83-b0c2-b84e13e775fd","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"} {"level":"debug","ts":"2026-06-11T13:48:06Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"51e18006-35f9-4a83-b0c2-b84e13e775fd","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"userid","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"groups","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"groups_str","Value":{}}]},"Plain":null},"reason":"no such key: subscription-info"} {"level":"info","ts":"2026-06-11T13:48:06Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"51e18006-35f9-4a83-b0c2-b84e13e775fd","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-11T13:48:06Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"51e18006-35f9-4a83-b0c2-b84e13e775fd","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-11T13:48:06Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"e57f3596-6c32-4152-9f9f-f1cee19d7bc7","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.37:40498","PortSpecifier":{"PortValue":40498}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.32:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"e57f3596-6c32-4152-9f9f-f1cee19d7bc7","method":"GET","path":"/llm/facebook-opt-125m-simulated/v1/models","host":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local","scheme":"https"}}}} {"level":"debug","ts":"2026-06-11T13:48:06Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"e57f3596-6c32-4152-9f9f-f1cee19d7bc7","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.37:40498","PortSpecifier":{"PortValue":40498}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.32:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781185686,"nanos":54711287},"http":{"id":"e57f3596-6c32-4152-9f9f-f1cee19d7bc7","method":"GET","headers":{":authority":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local",":method":"GET",":path":"/llm/facebook-opt-125m-simulated/v1/models",":scheme":"https","accept-encoding":"gzip","authorization":"Bearer **** {"level":"debug","ts":"2026-06-11T13:48:06Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"e57f3596-6c32-4152-9f9f-f1cee19d7bc7","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-4mpvI2GbB93pLnFX_kQ7Z9pHSBewB5Qe4mrvw0ehE3JljDYNb3LUwQRwGugz"} {"level":"debug","ts":"2026-06-11T13:48:06Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"e57f3596-6c32-4152-9f9f-f1cee19d7bc7","config":"apiKeyValidation","method":"POST","url":"https://maas-api.redhat-ai-gateway-infra.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-4mpvI2GbB93pLnFX_kQ7Z9pHSBewB5Qe4mrvw0ehE3JljDYNb3LUwQRwGugz\"}"} {"level":"debug","ts":"2026-06-11T13:48:06Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"e57f3596-6c32-4152-9f9f-f1cee19d7bc7","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-11T13:48:06Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"e57f3596-6c32-4152-9f9f-f1cee19d7bc7","config":"subscription-info","method":"POST","url":"https://maas-api.redhat-ai-gateway-infra.svc.cluster.local:8443/internal/v1/subscriptions/select","headers":{"Content-Type":["application/json"]},"body":"{\"groups\":[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"],\"requestedModel\":\"llm/facebook-opt-125m-simulated\",\"requestedSubscription\":\"simulator-subscription\",\"username\":\"alice_lead\"}"} {"level":"debug","ts":"2026-06-11T13:48:06Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"e57f3596-6c32-4152-9f9f-f1cee19d7bc7","config":{"Name":"subscription-info","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"UserInfo":null,"UMA":null,"GenericHTTP":{"Endpoint":"https://maas-api.redhat-ai-gateway-infra.svc.cluster.local:8443/internal/v1/subscriptions/select","DynamicEndpoint":null,"Method":"POST","Body":{},"Parameters":[],"Headers":[],"ContentType":"application/json","SharedSecret":"","OAuth2":null,"OAuth2TokenForceFetch":false,"AuthCredentials":null}},"object":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}} {"level":"debug","ts":"2026-06-11T13:48:06Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"e57f3596-6c32-4152-9f9f-f1cee19d7bc7","input":{"auth":{"identity":"Bearer **** subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}}},"context":{"context_extensions":{"host":"3dd75e19cd66d310c30638e330078972afd6d2d96305f91055bc6a6f363fb8d3"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.132.0.32:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local",":method":"GET",":path":"/llm/facebook-opt-125m-simulated/v1/models",":scheme":"https","accept-encoding":"gzip","authorization":"Bearer **** sk-oai-4mpvI2GbB93pLnFX_kQ7Z9pHSBewB5Qe4mrvw0ehE3JljDYNb3LUwQRwGugz","user-agent":"Go-http-client/1.1","x-envoy-decorator-operation":"facebook-opt-125m-simulated-kserve-workload-svc.llm.svc.cluster.local:8000/*","x-envoy-external-address":"10.132.0.37","x-envoy-peer-metadata":"ChoKCkNMVVNURVJfSUQSDBoKS3ViZXJuZXRlcwqLAQoGTEFCRUxTEoABKn4KSwofc2VydmljZS5pc3Rpby5pby9jYW5vbmljYWwtbmFtZRIoGiZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAovCiNzZXJ2aWNlLmlzdGlvLmlvL2Nhbm9uaWNhbC1yZXZpc2lvbhIIGgZsYXRlc3QKQAoETkFNRRI4GjZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdC02ODdmZjY5OTYtNHF6d3YKIAoJTkFNRVNQQUNFEhMaEW9wZW5zaGlmdC1pbmdyZXNzCnQKBU9XTkVSEmsaaWt1YmVybmV0ZXM6Ly9hcGlzL2FwcHMvdjEvbmFtZXNwYWNlcy9vcGVuc2hpZnQtaW5ncmVzcy9kZXBsb3ltZW50cy9tYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAo5Cg1XT1JLTE9BRF9OQU1FEigaJm1hYXMtZGVmYXVsdC1nYXRld2F5LW9wZW5zaGlmdC1kZWZhdWx0","x-envoy-peer-metadata-id":"router~10.132.0.32~maas-default-gateway-openshift-default-687ff6996-4qzwv.openshift-ingress~openshift-ingress.svc.cluster.local","x-forwarded-for":"10.132.0.37","x-forwarded-proto":"https","x-maas-subscription":"simulator-subscription","x-request-id":"e57f3596-6c32-4152-9f9f-f1cee19d7bc7"},"host":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local","id":"e57f3596-6c32-4152-9f9f-f1cee19d7bc7","method":"GET","path":"/llm/facebook-opt-125m-simulated/v1/models","protocol":"HTTP/1.1","scheme":"https","time":{"nanos":54711287,"seconds":1781185686},"url_path":"/llm/facebook-opt-125m-simulated/v1/models","user_agent":"Go-http-client/1.1"},"source":{"address":"10.132.0.37:40498","port":40498}}} {"level":"debug","ts":"2026-06-11T13:48:06Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"e57f3596-6c32-4152-9f9f-f1cee19d7bc7","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T13:48:06Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"e57f3596-6c32-4152-9f9f-f1cee19d7bc7","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T13:48:06Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"e57f3596-6c32-4152-9f9f-f1cee19d7bc7","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T13:48:06Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"e57f3596-6c32-4152-9f9f-f1cee19d7bc7","config":{"Name":"subscription-valid","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T13:48:06Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"e57f3596-6c32-4152-9f9f-f1cee19d7bc7","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-11T13:48:06Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"e57f3596-6c32-4152-9f9f-f1cee19d7bc7","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-11T13:48:06Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"e57f3596-6c32-4152-9f9f-f1cee19d7bc7","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"} {"level":"debug","ts":"2026-06-11T13:48:06Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"e57f3596-6c32-4152-9f9f-f1cee19d7bc7","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"groups","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"userid","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"keyId","Value":{}}]},"Plain":null},"object":{"groups":["system:authenticated","Engineering","Project-Alpha"],"groups_str":"system:authenticated,Engineering,Project-Alpha","keyId":"8dea0f21-da8f-49b4-ac6d-17d80dfc1e7b","selected_subscription":"simulator-subscription","selected_subscription_key":"models-as-a-service/simulator-subscription@llm/facebook-opt-125m-simulated","subscription_error":"","subscription_error_message":"","subscription_info":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true},"userid":"alice_lead"}} {"level":"info","ts":"2026-06-11T13:48:06Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"e57f3596-6c32-4152-9f9f-f1cee19d7bc7","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-11T13:48:06Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"e57f3596-6c32-4152-9f9f-f1cee19d7bc7","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-11T13:48:06Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"e3299e46-a8ca-4edd-98eb-df4a564503ef","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.11:58728","PortSpecifier":{"PortValue":58728}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.32:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"e3299e46-a8ca-4edd-98eb-df4a564503ef","method":"POST","path":"/llm/facebook-opt-125m-simulated/v1/chat/completions","host":"maas.apps.af660e2c-6d22-45f8-ad55-33c41c900114.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-11T13:48:06Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"e3299e46-a8ca-4edd-98eb-df4a564503ef","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.11:58728","PortSpecifier":{"PortValue":58728}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.32:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781185686,"nanos":86104616},"http":{"id":"e3299e46-a8ca-4edd-98eb-df4a564503ef","method":"POST","headers":{":authority":"maas.apps.af660e2c-6d22-45f8-ad55-33c41c900114.prod.konfluxeaas.com",":method":"POST",":path":"/llm/facebook-opt-125m-simulated/v1/chat/completions",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-11T13:48:06Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"e3299e46-a8ca-4edd-98eb-df4a564503ef","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-4mpvI2GbB93pLnFX_kQ7Z9pHSBewB5Qe4mrvw0ehE3JljDYNb3LUwQRwGugz"} {"level":"debug","ts":"2026-06-11T13:48:06Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"e3299e46-a8ca-4edd-98eb-df4a564503ef","config":"apiKeyValidation","method":"POST","url":"https://maas-api.redhat-ai-gateway-infra.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-4mpvI2GbB93pLnFX_kQ7Z9pHSBewB5Qe4mrvw0ehE3JljDYNb3LUwQRwGugz\"}"} {"level":"debug","ts":"2026-06-11T13:48:06Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"e3299e46-a8ca-4edd-98eb-df4a564503ef","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-11T13:48:06Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"e3299e46-a8ca-4edd-98eb-df4a564503ef","config":"subscription-info","method":"POST","url":"https://maas-api.redhat-ai-gateway-infra.svc.cluster.local:8443/internal/v1/subscriptions/select","headers":{"Content-Type":["application/json"]},"body":"{\"groups\":[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"],\"requestedModel\":\"llm/facebook-opt-125m-simulated\",\"requestedSubscription\":\"simulator-subscription\",\"username\":\"alice_lead\"}"} {"level":"debug","ts":"2026-06-11T13:48:06Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"e3299e46-a8ca-4edd-98eb-df4a564503ef","config":{"Name":"subscription-info","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"UserInfo":null,"UMA":null,"GenericHTTP":{"Endpoint":"https://maas-api.redhat-ai-gateway-infra.svc.cluster.local:8443/internal/v1/subscriptions/select","DynamicEndpoint":null,"Method":"POST","Body":{},"Parameters":[],"Headers":[],"ContentType":"application/json","SharedSecret":"","OAuth2":null,"OAuth2TokenForceFetch":false,"AuthCredentials":null}},"object":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}} {"level":"debug","ts":"2026-06-11T13:48:06Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"e3299e46-a8ca-4edd-98eb-df4a564503ef","input":{"auth":{"identity":"Bearer **** subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}}},"context":{"context_extensions":{"host":"18e32965997cdd9967355c6fa5264ed12c0a215989d459ed88d7d6de02865f76"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.132.0.32:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.af660e2c-6d22-45f8-ad55-33c41c900114.prod.konfluxeaas.com",":method":"POST",":path":"/llm/facebook-opt-125m-simulated/v1/chat/completions",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-11T13:48:06Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"e3299e46-a8ca-4edd-98eb-df4a564503ef","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T13:48:06Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"e3299e46-a8ca-4edd-98eb-df4a564503ef","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T13:48:06Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"e3299e46-a8ca-4edd-98eb-df4a564503ef","config":{"Name":"subscription-valid","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T13:48:06Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"e3299e46-a8ca-4edd-98eb-df4a564503ef","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T13:48:06Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"e3299e46-a8ca-4edd-98eb-df4a564503ef","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-11T13:48:06Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"e3299e46-a8ca-4edd-98eb-df4a564503ef","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-11T13:48:06Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"e3299e46-a8ca-4edd-98eb-df4a564503ef","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"} {"level":"debug","ts":"2026-06-11T13:48:06Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"e3299e46-a8ca-4edd-98eb-df4a564503ef","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"groups","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"userid","Value":{}}]},"Plain":null},"object":{"groups":["system:authenticated","Engineering","Project-Alpha"],"groups_str":"system:authenticated,Engineering,Project-Alpha","keyId":"8dea0f21-da8f-49b4-ac6d-17d80dfc1e7b","selected_subscription":"simulator-subscription","selected_subscription_key":"models-as-a-service/simulator-subscription@llm/facebook-opt-125m-simulated","subscription_error":"","subscription_error_message":"","subscription_info":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true},"userid":"alice_lead"}} {"level":"info","ts":"2026-06-11T13:48:06Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"e3299e46-a8ca-4edd-98eb-df4a564503ef","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-11T13:48:06Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"e3299e46-a8ca-4edd-98eb-df4a564503ef","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-11T13:48:06Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"4ef4d756-89b0-4caa-90ee-8547342456bc","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.11:58734","PortSpecifier":{"PortValue":58734}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.32:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"4ef4d756-89b0-4caa-90ee-8547342456bc","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.af660e2c-6d22-45f8-ad55-33c41c900114.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-11T13:48:06Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"4ef4d756-89b0-4caa-90ee-8547342456bc","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.11:58734","PortSpecifier":{"PortValue":58734}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.32:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781185686,"nanos":185296042},"http":{"id":"4ef4d756-89b0-4caa-90ee-8547342456bc","method":"POST","headers":{":authority":"maas.apps.af660e2c-6d22-45f8-ad55-33c41c900114.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-11T13:48:06Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"4ef4d756-89b0-4caa-90ee-8547342456bc","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781185986,"groups":["Engineering","Project-Alpha"],"iat":1781185686,"iss":"https://keycloak.apps.af660e2c-6d22-45f8-ad55-33c41c900114.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:0da246ca-2a3f-f7e9-d692-fdc0cb19efce","preferred_username":"alice_lead","scope":"profile email","sid":"Y2gOESOgptUWlBeGGcWfVUH4","sub":"d6d9c6e2-b9f4-418b-809f-b46323b28c1a","typ":"Bearer"}} {"level":"debug","ts":"2026-06-11T13:48:06Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"4ef4d756-89b0-4caa-90ee-8547342456bc","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781185986,"groups":["Engineering","Project-Alpha"],"iat":1781185686,"iss":"https://keycloak.apps.af660e2c-6d22-45f8-ad55-33c41c900114.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:0da246ca-2a3f-f7e9-d692-fdc0cb19efce","preferred_username":"alice_lead","scope":"profile email","sid":"Y2gOESOgptUWlBeGGcWfVUH4","sub":"d6d9c6e2-b9f4-418b-809f-b46323b28c1a","typ":"Bearer"}},"context":{"context_extensions":{"host":"36a57cb26c1f3baa754055a5b21729579f55f7d59e2035fdb41cf938a33d7612"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.132.0.32:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.af660e2c-6d22-45f8-ad55-33c41c900114.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-11T13:48:06Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"4ef4d756-89b0-4caa-90ee-8547342456bc","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T13:48:06Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"4ef4d756-89b0-4caa-90ee-8547342456bc","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T13:48:06Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"4ef4d756-89b0-4caa-90ee-8547342456bc","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T13:48:06Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"4ef4d756-89b0-4caa-90ee-8547342456bc","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"userid","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"groups","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"groups_str","Value":{}}]},"Plain":null},"reason":"no such key: metadata"} {"level":"debug","ts":"2026-06-11T13:48:06Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"4ef4d756-89b0-4caa-90ee-8547342456bc","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"} {"level":"debug","ts":"2026-06-11T13:48:06Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"4ef4d756-89b0-4caa-90ee-8547342456bc","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"} {"level":"info","ts":"2026-06-11T13:48:06Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"4ef4d756-89b0-4caa-90ee-8547342456bc","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-11T13:48:06Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"4ef4d756-89b0-4caa-90ee-8547342456bc","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-11T13:48:06Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"d8ed93cf-f196-4747-8fd0-4b09a32eb4d0","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.11:58744","PortSpecifier":{"PortValue":58744}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.32:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"d8ed93cf-f196-4747-8fd0-4b09a32eb4d0","method":"DELETE","path":"/maas-api/v1/api-keys/8aceb98f-982b-4742-a83f-9b2099f04842","host":"maas.apps.af660e2c-6d22-45f8-ad55-33c41c900114.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-11T13:48:06Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"d8ed93cf-f196-4747-8fd0-4b09a32eb4d0","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.11:58744","PortSpecifier":{"PortValue":58744}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.32:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781185686,"nanos":212377943},"http":{"id":"d8ed93cf-f196-4747-8fd0-4b09a32eb4d0","method":"DELETE","headers":{":authority":"maas.apps.af660e2c-6d22-45f8-ad55-33c41c900114.prod.konfluxeaas.com",":method":"DELETE",":path":"/maas-api/v1/api-keys/8aceb98f-982b-4742-a83f-9b2099f04842",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-11T13:48:06Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"d8ed93cf-f196-4747-8fd0-4b09a32eb4d0","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781185986,"groups":["Engineering","Project-Alpha"],"iat":1781185686,"iss":"https://keycloak.apps.af660e2c-6d22-45f8-ad55-33c41c900114.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:0da246ca-2a3f-f7e9-d692-fdc0cb19efce","preferred_username":"alice_lead","scope":"profile email","sid":"Y2gOESOgptUWlBeGGcWfVUH4","sub":"d6d9c6e2-b9f4-418b-809f-b46323b28c1a","typ":"Bearer"}} {"level":"debug","ts":"2026-06-11T13:48:06Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"d8ed93cf-f196-4747-8fd0-4b09a32eb4d0","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781185986,"groups":["Engineering","Project-Alpha"],"iat":1781185686,"iss":"https://keycloak.apps.af660e2c-6d22-45f8-ad55-33c41c900114.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:0da246ca-2a3f-f7e9-d692-fdc0cb19efce","preferred_username":"alice_lead","scope":"profile email","sid":"Y2gOESOgptUWlBeGGcWfVUH4","sub":"d6d9c6e2-b9f4-418b-809f-b46323b28c1a","typ":"Bearer"}},"context":{"context_extensions":{"host":"36a57cb26c1f3baa754055a5b21729579f55f7d59e2035fdb41cf938a33d7612"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.132.0.32:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.af660e2c-6d22-45f8-ad55-33c41c900114.prod.konfluxeaas.com",":method":"DELETE",":path":"/maas-api/v1/api-keys/8aceb98f-982b-4742-a83f-9b2099f04842",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-11T13:48:06Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"d8ed93cf-f196-4747-8fd0-4b09a32eb4d0","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T13:48:06Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"d8ed93cf-f196-4747-8fd0-4b09a32eb4d0","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T13:48:06Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"d8ed93cf-f196-4747-8fd0-4b09a32eb4d0","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T13:48:06Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"d8ed93cf-f196-4747-8fd0-4b09a32eb4d0","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"userid","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"groups","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"groups_str","Value":{}}]},"Plain":null},"reason":"no such key: metadata"} {"level":"debug","ts":"2026-06-11T13:48:06Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"d8ed93cf-f196-4747-8fd0-4b09a32eb4d0","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"} {"level":"debug","ts":"2026-06-11T13:48:06Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"d8ed93cf-f196-4747-8fd0-4b09a32eb4d0","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"} {"level":"info","ts":"2026-06-11T13:48:06Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"d8ed93cf-f196-4747-8fd0-4b09a32eb4d0","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-11T13:48:06Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"d8ed93cf-f196-4747-8fd0-4b09a32eb4d0","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-11T13:48:09Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"a76df20b-bfcb-4f93-ba3a-37c0e7d809a8","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.11:58752","PortSpecifier":{"PortValue":58752}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.32:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"a76df20b-bfcb-4f93-ba3a-37c0e7d809a8","method":"GET","path":"/maas-api/v1/models","host":"maas.apps.af660e2c-6d22-45f8-ad55-33c41c900114.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-11T13:48:09Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"a76df20b-bfcb-4f93-ba3a-37c0e7d809a8","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.11:58752","PortSpecifier":{"PortValue":58752}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.32:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781185689,"nanos":245640088},"http":{"id":"a76df20b-bfcb-4f93-ba3a-37c0e7d809a8","method":"GET","headers":{":authority":"maas.apps.af660e2c-6d22-45f8-ad55-33c41c900114.prod.konfluxeaas.com",":method":"GET",":path":"/maas-api/v1/models",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-11T13:48:09Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"a76df20b-bfcb-4f93-ba3a-37c0e7d809a8","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-PcMxJ0HDmJTJXEPO_R038exUMRDEd3cuPU4rkl9mbhmG0X73gILKEPo2fd5L"} {"level":"debug","ts":"2026-06-11T13:48:09Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"a76df20b-bfcb-4f93-ba3a-37c0e7d809a8","config":"apiKeyValidation","method":"POST","url":"https://maas-api.redhat-ai-gateway-infra.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-PcMxJ0HDmJTJXEPO_R038exUMRDEd3cuPU4rkl9mbhmG0X73gILKEPo2fd5L\"}"} {"level":"debug","ts":"2026-06-11T13:48:09Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"a76df20b-bfcb-4f93-ba3a-37c0e7d809a8","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** revoked or expired","valid":false}} {"level":"debug","ts":"2026-06-11T13:48:09Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"a76df20b-bfcb-4f93-ba3a-37c0e7d809a8","input":{"auth":{"identity":"Bearer **** revoked or expired","valid":false}}},"context":{"context_extensions":{"host":"36a57cb26c1f3baa754055a5b21729579f55f7d59e2035fdb41cf938a33d7612"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.132.0.32:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.af660e2c-6d22-45f8-ad55-33c41c900114.prod.konfluxeaas.com",":method":"GET",":path":"/maas-api/v1/models",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-11T13:48:09Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access denied","request id":"a76df20b-bfcb-4f93-ba3a-37c0e7d809a8","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"reason":"Unauthorized"} {"level":"info","ts":"2026-06-11T13:48:09Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"a76df20b-bfcb-4f93-ba3a-37c0e7d809a8","authorized":false,"response":"PERMISSION_DENIED","object":{"code":7,"status":403,"message":"Unauthorized"}} {"level":"debug","ts":"2026-06-11T13:48:09Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"a76df20b-bfcb-4f93-ba3a-37c0e7d809a8","authorized":false,"response":"PERMISSION_DENIED","object":{"code":7,"status":403,"message":"Unauthorized","headers":[{"content-type":"text/plain"},{"x-ext-auth-reason":""}]}} {"level":"info","ts":"2026-06-11T13:48:09Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"9c70edfa-5d2d-4db5-9e41-872c7f69dd6f","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.11:58754","PortSpecifier":{"PortValue":58754}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.32:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"9c70edfa-5d2d-4db5-9e41-872c7f69dd6f","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.af660e2c-6d22-45f8-ad55-33c41c900114.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-11T13:48:09Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"9c70edfa-5d2d-4db5-9e41-872c7f69dd6f","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.11:58754","PortSpecifier":{"PortValue":58754}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.32:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781185689,"nanos":366434477},"http":{"id":"9c70edfa-5d2d-4db5-9e41-872c7f69dd6f","method":"POST","headers":{":authority":"maas.apps.af660e2c-6d22-45f8-ad55-33c41c900114.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-11T13:48:09Z","logger":"authorino.service.auth.authpipeline.identity","msg":"cannot validate identity","request id":"9c70edfa-5d2d-4db5-9e41-872c7f69dd6f","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"reason":"failed to verify signature: failed to verify id token signature"} {"level":"debug","ts":"2026-06-11T13:48:09Z","logger":"authorino.service.auth.authpipeline.identity.kubernetesauth","msg":"calling kubernetes token review api","request id":"9c70edfa-5d2d-4db5-9e41-872c7f69dd6f","tokenreview":{"name":""}} {"level":"debug","ts":"2026-06-11T13:48:09Z","logger":"authorino.service.auth.authpipeline.identity","msg":"cannot validate identity","request id":"9c70edfa-5d2d-4db5-9e41-872c7f69dd6f","config":{"Name":"openshift-identities","Priority":2,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":null,"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"Plain":null,"Noop":null,"ExtendedProperties":[]},"reason":"not authenticated"} {"level":"info","ts":"2026-06-11T13:48:09Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"9c70edfa-5d2d-4db5-9e41-872c7f69dd6f","authorized":false,"response":"UNAUTHENTICATED","object":{"code":16,"status":401,"message":"Authentication required"}} {"level":"debug","ts":"2026-06-11T13:48:09Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"9c70edfa-5d2d-4db5-9e41-872c7f69dd6f","authorized":false,"response":"UNAUTHENTICATED","object":{"code":16,"status":401,"message":"Authentication required","headers":[{"WWW-Authenticate":"request.headers.authorization realm=\"api-keys\""},{"WWW-Authenticate":"Bearer **** realm=\"openshift-identities\""}]}} {"level":"info","ts":"2026-06-11T13:48:09Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"ff4f16ed-d571-402b-baef-5ce6cdc3ebeb","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.11:58766","PortSpecifier":{"PortValue":58766}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.32:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"ff4f16ed-d571-402b-baef-5ce6cdc3ebeb","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.af660e2c-6d22-45f8-ad55-33c41c900114.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-11T13:48:09Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"ff4f16ed-d571-402b-baef-5ce6cdc3ebeb","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.11:58766","PortSpecifier":{"PortValue":58766}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.32:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781185689,"nanos":533224790},"http":{"id":"ff4f16ed-d571-402b-baef-5ce6cdc3ebeb","method":"POST","headers":{":authority":"maas.apps.af660e2c-6d22-45f8-ad55-33c41c900114.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-11T13:48:09Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"ff4f16ed-d571-402b-baef-5ce6cdc3ebeb","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781185989,"groups":["Engineering","Project-Alpha"],"iat":1781185689,"iss":"https://keycloak.apps.af660e2c-6d22-45f8-ad55-33c41c900114.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:e0706a16-72ff-af9c-85d1-689d1bf05322","preferred_username":"alice_lead","scope":"profile email","sid":"xC0vM6gqbXPK7-lRSfSvs-8Z","sub":"d6d9c6e2-b9f4-418b-809f-b46323b28c1a","typ":"Bearer"}} {"level":"debug","ts":"2026-06-11T13:48:09Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"ff4f16ed-d571-402b-baef-5ce6cdc3ebeb","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781185989,"groups":["Engineering","Project-Alpha"],"iat":1781185689,"iss":"https://keycloak.apps.af660e2c-6d22-45f8-ad55-33c41c900114.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:e0706a16-72ff-af9c-85d1-689d1bf05322","preferred_username":"alice_lead","scope":"profile email","sid":"xC0vM6gqbXPK7-lRSfSvs-8Z","sub":"d6d9c6e2-b9f4-418b-809f-b46323b28c1a","typ":"Bearer"}},"context":{"context_extensions":{"host":"36a57cb26c1f3baa754055a5b21729579f55f7d59e2035fdb41cf938a33d7612"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.132.0.32:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.af660e2c-6d22-45f8-ad55-33c41c900114.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-11T13:48:09Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"ff4f16ed-d571-402b-baef-5ce6cdc3ebeb","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T13:48:09Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"ff4f16ed-d571-402b-baef-5ce6cdc3ebeb","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T13:48:09Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"ff4f16ed-d571-402b-baef-5ce6cdc3ebeb","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T13:48:09Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"ff4f16ed-d571-402b-baef-5ce6cdc3ebeb","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"userid","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"groups","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"groups_str","Value":{}}]},"Plain":null},"reason":"no such key: metadata"} {"level":"debug","ts":"2026-06-11T13:48:09Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"ff4f16ed-d571-402b-baef-5ce6cdc3ebeb","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"} {"level":"debug","ts":"2026-06-11T13:48:09Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"ff4f16ed-d571-402b-baef-5ce6cdc3ebeb","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"} {"level":"info","ts":"2026-06-11T13:48:09Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"ff4f16ed-d571-402b-baef-5ce6cdc3ebeb","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-11T13:48:09Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"ff4f16ed-d571-402b-baef-5ce6cdc3ebeb","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-11T13:48:09Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"87ddf8b4-ae8e-4bfb-881a-948814967734","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.11:58782","PortSpecifier":{"PortValue":58782}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.32:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"87ddf8b4-ae8e-4bfb-881a-948814967734","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.af660e2c-6d22-45f8-ad55-33c41c900114.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-11T13:48:09Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"87ddf8b4-ae8e-4bfb-881a-948814967734","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.11:58782","PortSpecifier":{"PortValue":58782}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.32:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781185689,"nanos":565029106},"http":{"id":"87ddf8b4-ae8e-4bfb-881a-948814967734","method":"POST","headers":{":authority":"maas.apps.af660e2c-6d22-45f8-ad55-33c41c900114.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-11T13:48:09Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"87ddf8b4-ae8e-4bfb-881a-948814967734","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781185989,"groups":["Site-Reliability"],"iat":1781185689,"iss":"https://keycloak.apps.af660e2c-6d22-45f8-ad55-33c41c900114.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:95820448-a28e-2283-cc2f-48b7abbd4003","preferred_username":"bob_sre","scope":"profile email","sid":"fXDlRTTXGvU2DdE53BWN35yx","sub":"7906df04-879d-4d5a-a8b4-e3fd29efabc8","typ":"Bearer"}} {"level":"debug","ts":"2026-06-11T13:48:09Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"87ddf8b4-ae8e-4bfb-881a-948814967734","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781185989,"groups":["Site-Reliability"],"iat":1781185689,"iss":"https://keycloak.apps.af660e2c-6d22-45f8-ad55-33c41c900114.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:95820448-a28e-2283-cc2f-48b7abbd4003","preferred_username":"bob_sre","scope":"profile email","sid":"fXDlRTTXGvU2DdE53BWN35yx","sub":"7906df04-879d-4d5a-a8b4-e3fd29efabc8","typ":"Bearer"}},"context":{"context_extensions":{"host":"36a57cb26c1f3baa754055a5b21729579f55f7d59e2035fdb41cf938a33d7612"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.132.0.32:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.af660e2c-6d22-45f8-ad55-33c41c900114.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-11T13:48:09Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"87ddf8b4-ae8e-4bfb-881a-948814967734","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T13:48:09Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"87ddf8b4-ae8e-4bfb-881a-948814967734","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T13:48:09Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"87ddf8b4-ae8e-4bfb-881a-948814967734","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T13:48:09Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"87ddf8b4-ae8e-4bfb-881a-948814967734","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"userid","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"groups","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"groups_str","Value":{}}]},"Plain":null},"reason":"no such key: metadata"} {"level":"debug","ts":"2026-06-11T13:48:09Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"87ddf8b4-ae8e-4bfb-881a-948814967734","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Site-Reliability\"]"} {"level":"debug","ts":"2026-06-11T13:48:09Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"87ddf8b4-ae8e-4bfb-881a-948814967734","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"bob_sre"} {"level":"info","ts":"2026-06-11T13:48:09Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"87ddf8b4-ae8e-4bfb-881a-948814967734","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-11T13:48:09Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"87ddf8b4-ae8e-4bfb-881a-948814967734","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-11T13:48:09Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"20c49025-c13e-48a8-ab19-ea71141050f6","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.11:58786","PortSpecifier":{"PortValue":58786}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.32:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"20c49025-c13e-48a8-ab19-ea71141050f6","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.af660e2c-6d22-45f8-ad55-33c41c900114.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-11T13:48:09Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"20c49025-c13e-48a8-ab19-ea71141050f6","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.11:58786","PortSpecifier":{"PortValue":58786}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.32:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781185689,"nanos":657350775},"http":{"id":"20c49025-c13e-48a8-ab19-ea71141050f6","method":"POST","headers":{":authority":"maas.apps.af660e2c-6d22-45f8-ad55-33c41c900114.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-11T13:48:09Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"20c49025-c13e-48a8-ab19-ea71141050f6","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781185989,"groups":["Engineering","Project-Alpha"],"iat":1781185689,"iss":"https://keycloak.apps.af660e2c-6d22-45f8-ad55-33c41c900114.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:d2600e32-af43-e0c0-d2cc-29a7eef8b993","preferred_username":"alice_lead","scope":"profile email","sid":"0xXTJdvwDHGzUE1Q9X2JEToQ","sub":"d6d9c6e2-b9f4-418b-809f-b46323b28c1a","typ":"Bearer"}} {"level":"debug","ts":"2026-06-11T13:48:09Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"20c49025-c13e-48a8-ab19-ea71141050f6","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781185989,"groups":["Engineering","Project-Alpha"],"iat":1781185689,"iss":"https://keycloak.apps.af660e2c-6d22-45f8-ad55-33c41c900114.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:d2600e32-af43-e0c0-d2cc-29a7eef8b993","preferred_username":"alice_lead","scope":"profile email","sid":"0xXTJdvwDHGzUE1Q9X2JEToQ","sub":"d6d9c6e2-b9f4-418b-809f-b46323b28c1a","typ":"Bearer"}},"context":{"context_extensions":{"host":"36a57cb26c1f3baa754055a5b21729579f55f7d59e2035fdb41cf938a33d7612"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.132.0.32:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.af660e2c-6d22-45f8-ad55-33c41c900114.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-11T13:48:09Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"20c49025-c13e-48a8-ab19-ea71141050f6","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T13:48:09Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"20c49025-c13e-48a8-ab19-ea71141050f6","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T13:48:09Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"20c49025-c13e-48a8-ab19-ea71141050f6","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T13:48:09Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"20c49025-c13e-48a8-ab19-ea71141050f6","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"userid","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"groups","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"groups_str","Value":{}}]},"Plain":null},"reason":"no such key: metadata"} {"level":"debug","ts":"2026-06-11T13:48:09Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"20c49025-c13e-48a8-ab19-ea71141050f6","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"} {"level":"debug","ts":"2026-06-11T13:48:09Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"20c49025-c13e-48a8-ab19-ea71141050f6","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"} {"level":"info","ts":"2026-06-11T13:48:09Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"20c49025-c13e-48a8-ab19-ea71141050f6","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-11T13:48:09Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"20c49025-c13e-48a8-ab19-ea71141050f6","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-11T13:48:09Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"dca657c9-e281-4047-bcb3-110dfc44b8c7","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.11:58788","PortSpecifier":{"PortValue":58788}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.32:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"dca657c9-e281-4047-bcb3-110dfc44b8c7","method":"DELETE","path":"/maas-api/v1/api-keys/29d13d9a-c964-49e8-86c5-42bd204773e4","host":"maas.apps.af660e2c-6d22-45f8-ad55-33c41c900114.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-11T13:48:09Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"dca657c9-e281-4047-bcb3-110dfc44b8c7","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.11:58788","PortSpecifier":{"PortValue":58788}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.32:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781185689,"nanos":683316203},"http":{"id":"dca657c9-e281-4047-bcb3-110dfc44b8c7","method":"DELETE","headers":{":authority":"maas.apps.af660e2c-6d22-45f8-ad55-33c41c900114.prod.konfluxeaas.com",":method":"DELETE",":path":"/maas-api/v1/api-keys/29d13d9a-c964-49e8-86c5-42bd204773e4",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-11T13:48:09Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"dca657c9-e281-4047-bcb3-110dfc44b8c7","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781185989,"groups":["Engineering","Project-Alpha"],"iat":1781185689,"iss":"https://keycloak.apps.af660e2c-6d22-45f8-ad55-33c41c900114.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:d2600e32-af43-e0c0-d2cc-29a7eef8b993","preferred_username":"alice_lead","scope":"profile email","sid":"0xXTJdvwDHGzUE1Q9X2JEToQ","sub":"d6d9c6e2-b9f4-418b-809f-b46323b28c1a","typ":"Bearer"}} {"level":"debug","ts":"2026-06-11T13:48:09Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"dca657c9-e281-4047-bcb3-110dfc44b8c7","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781185989,"groups":["Engineering","Project-Alpha"],"iat":1781185689,"iss":"https://keycloak.apps.af660e2c-6d22-45f8-ad55-33c41c900114.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:d2600e32-af43-e0c0-d2cc-29a7eef8b993","preferred_username":"alice_lead","scope":"profile email","sid":"0xXTJdvwDHGzUE1Q9X2JEToQ","sub":"d6d9c6e2-b9f4-418b-809f-b46323b28c1a","typ":"Bearer"}},"context":{"context_extensions":{"host":"36a57cb26c1f3baa754055a5b21729579f55f7d59e2035fdb41cf938a33d7612"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.132.0.32:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.af660e2c-6d22-45f8-ad55-33c41c900114.prod.konfluxeaas.com",":method":"DELETE",":path":"/maas-api/v1/api-keys/29d13d9a-c964-49e8-86c5-42bd204773e4",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-11T13:48:09Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"dca657c9-e281-4047-bcb3-110dfc44b8c7","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T13:48:09Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"dca657c9-e281-4047-bcb3-110dfc44b8c7","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T13:48:09Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"dca657c9-e281-4047-bcb3-110dfc44b8c7","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T13:48:09Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"dca657c9-e281-4047-bcb3-110dfc44b8c7","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"userid","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"groups","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"groups_str","Value":{}}]},"Plain":null},"reason":"no such key: metadata"} {"level":"debug","ts":"2026-06-11T13:48:09Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"dca657c9-e281-4047-bcb3-110dfc44b8c7","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"} {"level":"debug","ts":"2026-06-11T13:48:09Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"dca657c9-e281-4047-bcb3-110dfc44b8c7","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"} {"level":"info","ts":"2026-06-11T13:48:09Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"dca657c9-e281-4047-bcb3-110dfc44b8c7","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-11T13:48:09Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"dca657c9-e281-4047-bcb3-110dfc44b8c7","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-11T13:48:09Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"965ea9ac-c3c2-48f1-b4d5-a62f90d8c210","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.11:58796","PortSpecifier":{"PortValue":58796}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.32:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"965ea9ac-c3c2-48f1-b4d5-a62f90d8c210","method":"DELETE","path":"/maas-api/v1/api-keys/29d13d9a-c964-49e8-86c5-42bd204773e4","host":"maas.apps.af660e2c-6d22-45f8-ad55-33c41c900114.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-11T13:48:09Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"965ea9ac-c3c2-48f1-b4d5-a62f90d8c210","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.11:58796","PortSpecifier":{"PortValue":58796}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.32:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781185689,"nanos":708856009},"http":{"id":"965ea9ac-c3c2-48f1-b4d5-a62f90d8c210","method":"DELETE","headers":{":authority":"maas.apps.af660e2c-6d22-45f8-ad55-33c41c900114.prod.konfluxeaas.com",":method":"DELETE",":path":"/maas-api/v1/api-keys/29d13d9a-c964-49e8-86c5-42bd204773e4",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-11T13:48:09Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"965ea9ac-c3c2-48f1-b4d5-a62f90d8c210","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781185989,"groups":["Engineering","Project-Alpha"],"iat":1781185689,"iss":"https://keycloak.apps.af660e2c-6d22-45f8-ad55-33c41c900114.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:d2600e32-af43-e0c0-d2cc-29a7eef8b993","preferred_username":"alice_lead","scope":"profile email","sid":"0xXTJdvwDHGzUE1Q9X2JEToQ","sub":"d6d9c6e2-b9f4-418b-809f-b46323b28c1a","typ":"Bearer"}} {"level":"debug","ts":"2026-06-11T13:48:09Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"965ea9ac-c3c2-48f1-b4d5-a62f90d8c210","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781185989,"groups":["Engineering","Project-Alpha"],"iat":1781185689,"iss":"https://keycloak.apps.af660e2c-6d22-45f8-ad55-33c41c900114.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:d2600e32-af43-e0c0-d2cc-29a7eef8b993","preferred_username":"alice_lead","scope":"profile email","sid":"0xXTJdvwDHGzUE1Q9X2JEToQ","sub":"d6d9c6e2-b9f4-418b-809f-b46323b28c1a","typ":"Bearer"}},"context":{"context_extensions":{"host":"36a57cb26c1f3baa754055a5b21729579f55f7d59e2035fdb41cf938a33d7612"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.132.0.32:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.af660e2c-6d22-45f8-ad55-33c41c900114.prod.konfluxeaas.com",":method":"DELETE",":path":"/maas-api/v1/api-keys/29d13d9a-c964-49e8-86c5-42bd204773e4",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-11T13:48:09Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"965ea9ac-c3c2-48f1-b4d5-a62f90d8c210","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T13:48:09Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"965ea9ac-c3c2-48f1-b4d5-a62f90d8c210","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T13:48:09Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"965ea9ac-c3c2-48f1-b4d5-a62f90d8c210","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T13:48:09Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"965ea9ac-c3c2-48f1-b4d5-a62f90d8c210","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"userid","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"groups","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"groups_str","Value":{}}]},"Plain":null},"reason":"no such key: metadata"} {"level":"debug","ts":"2026-06-11T13:48:09Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"965ea9ac-c3c2-48f1-b4d5-a62f90d8c210","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"} {"level":"debug","ts":"2026-06-11T13:48:09Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"965ea9ac-c3c2-48f1-b4d5-a62f90d8c210","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"} {"level":"info","ts":"2026-06-11T13:48:09Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"965ea9ac-c3c2-48f1-b4d5-a62f90d8c210","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-11T13:48:09Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"965ea9ac-c3c2-48f1-b4d5-a62f90d8c210","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-11T13:48:09Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"2d0d2226-6d8a-4a0e-8664-126c5699cb36","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.11:58800","PortSpecifier":{"PortValue":58800}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.32:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"2d0d2226-6d8a-4a0e-8664-126c5699cb36","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.af660e2c-6d22-45f8-ad55-33c41c900114.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-11T13:48:09Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"2d0d2226-6d8a-4a0e-8664-126c5699cb36","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.11:58800","PortSpecifier":{"PortValue":58800}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.32:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781185689,"nanos":794542627},"http":{"id":"2d0d2226-6d8a-4a0e-8664-126c5699cb36","method":"POST","headers":{":authority":"maas.apps.af660e2c-6d22-45f8-ad55-33c41c900114.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-11T13:48:09Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"2d0d2226-6d8a-4a0e-8664-126c5699cb36","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781185989,"groups":["Engineering","Project-Alpha"],"iat":1781185689,"iss":"https://keycloak.apps.af660e2c-6d22-45f8-ad55-33c41c900114.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:aab8fcf9-3b4f-7624-8f5e-86dede2127a2","preferred_username":"alice_lead","scope":"profile email","sid":"GkGr2_b1fNGv3SLInpu7I991","sub":"d6d9c6e2-b9f4-418b-809f-b46323b28c1a","typ":"Bearer"}} {"level":"debug","ts":"2026-06-11T13:48:09Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"2d0d2226-6d8a-4a0e-8664-126c5699cb36","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781185989,"groups":["Engineering","Project-Alpha"],"iat":1781185689,"iss":"https://keycloak.apps.af660e2c-6d22-45f8-ad55-33c41c900114.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:aab8fcf9-3b4f-7624-8f5e-86dede2127a2","preferred_username":"alice_lead","scope":"profile email","sid":"GkGr2_b1fNGv3SLInpu7I991","sub":"d6d9c6e2-b9f4-418b-809f-b46323b28c1a","typ":"Bearer"}},"context":{"context_extensions":{"host":"36a57cb26c1f3baa754055a5b21729579f55f7d59e2035fdb41cf938a33d7612"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.132.0.32:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.af660e2c-6d22-45f8-ad55-33c41c900114.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-11T13:48:09Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"2d0d2226-6d8a-4a0e-8664-126c5699cb36","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T13:48:09Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"2d0d2226-6d8a-4a0e-8664-126c5699cb36","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T13:48:09Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"2d0d2226-6d8a-4a0e-8664-126c5699cb36","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T13:48:09Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"2d0d2226-6d8a-4a0e-8664-126c5699cb36","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"userid","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"groups","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"groups_str","Value":{}}]},"Plain":null},"reason":"no such key: metadata"} {"level":"debug","ts":"2026-06-11T13:48:09Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"2d0d2226-6d8a-4a0e-8664-126c5699cb36","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"} {"level":"debug","ts":"2026-06-11T13:48:09Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"2d0d2226-6d8a-4a0e-8664-126c5699cb36","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"} {"level":"info","ts":"2026-06-11T13:48:09Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"2d0d2226-6d8a-4a0e-8664-126c5699cb36","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-11T13:48:09Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"2d0d2226-6d8a-4a0e-8664-126c5699cb36","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-11T13:48:09Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"9123f13d-a207-478d-bf77-edddd711cbbe","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.11:58810","PortSpecifier":{"PortValue":58810}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.32:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"9123f13d-a207-478d-bf77-edddd711cbbe","method":"GET","path":"/maas-api/v1/models","host":"maas.apps.af660e2c-6d22-45f8-ad55-33c41c900114.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-11T13:48:09Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"9123f13d-a207-478d-bf77-edddd711cbbe","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.11:58810","PortSpecifier":{"PortValue":58810}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.32:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781185689,"nanos":822588428},"http":{"id":"9123f13d-a207-478d-bf77-edddd711cbbe","method":"GET","headers":{":authority":"maas.apps.af660e2c-6d22-45f8-ad55-33c41c900114.prod.konfluxeaas.com",":method":"GET",":path":"/maas-api/v1/models",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-11T13:48:09Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"9123f13d-a207-478d-bf77-edddd711cbbe","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-7OuIICjmPi9th6Mz_tEDvQRxbHr7TKcDo1fPSWNrU0YQtv8hHa6lAdEUTzww"} {"level":"debug","ts":"2026-06-11T13:48:09Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"9123f13d-a207-478d-bf77-edddd711cbbe","config":"apiKeyValidation","method":"POST","url":"https://maas-api.redhat-ai-gateway-infra.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-7OuIICjmPi9th6Mz_tEDvQRxbHr7TKcDo1fPSWNrU0YQtv8hHa6lAdEUTzww\"}"} {"level":"debug","ts":"2026-06-11T13:48:09Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"9123f13d-a207-478d-bf77-edddd711cbbe","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-11T13:48:09Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"9123f13d-a207-478d-bf77-edddd711cbbe","input":{"auth":{"identity":"Bearer **** deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-11T13:48:09Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"9123f13d-a207-478d-bf77-edddd711cbbe","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T13:48:09Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"9123f13d-a207-478d-bf77-edddd711cbbe","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T13:48:09Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"9123f13d-a207-478d-bf77-edddd711cbbe","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T13:48:09Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"9123f13d-a207-478d-bf77-edddd711cbbe","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-11T13:48:09Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"9123f13d-a207-478d-bf77-edddd711cbbe","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-11T13:48:09Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"9123f13d-a207-478d-bf77-edddd711cbbe","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"userid","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"groups","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"groups_str","Value":{}}]},"Plain":null},"reason":"no such key: subscription-info"} {"level":"debug","ts":"2026-06-11T13:48:09Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"9123f13d-a207-478d-bf77-edddd711cbbe","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"} {"level":"info","ts":"2026-06-11T13:48:09Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"9123f13d-a207-478d-bf77-edddd711cbbe","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-11T13:48:09Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"9123f13d-a207-478d-bf77-edddd711cbbe","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-11T13:48:09Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"41590ea6-d6c4-438f-9d31-e4f566a6b42e","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.37:40498","PortSpecifier":{"PortValue":40498}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.32:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"41590ea6-d6c4-438f-9d31-e4f566a6b42e","method":"GET","path":"/llm/facebook-opt-125m-simulated/v1/models","host":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local","scheme":"https"}}}} {"level":"debug","ts":"2026-06-11T13:48:09Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"41590ea6-d6c4-438f-9d31-e4f566a6b42e","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.37:40498","PortSpecifier":{"PortValue":40498}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.32:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781185689,"nanos":829817574},"http":{"id":"41590ea6-d6c4-438f-9d31-e4f566a6b42e","method":"GET","headers":{":authority":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local",":method":"GET",":path":"/llm/facebook-opt-125m-simulated/v1/models",":scheme":"https","accept-encoding":"gzip","authorization":"Bearer **** {"level":"debug","ts":"2026-06-11T13:48:09Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"41590ea6-d6c4-438f-9d31-e4f566a6b42e","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-7OuIICjmPi9th6Mz_tEDvQRxbHr7TKcDo1fPSWNrU0YQtv8hHa6lAdEUTzww"} {"level":"debug","ts":"2026-06-11T13:48:09Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"41590ea6-d6c4-438f-9d31-e4f566a6b42e","config":"apiKeyValidation","method":"POST","url":"https://maas-api.redhat-ai-gateway-infra.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-7OuIICjmPi9th6Mz_tEDvQRxbHr7TKcDo1fPSWNrU0YQtv8hHa6lAdEUTzww\"}"} {"level":"debug","ts":"2026-06-11T13:48:09Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"41590ea6-d6c4-438f-9d31-e4f566a6b42e","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-11T13:48:09Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"41590ea6-d6c4-438f-9d31-e4f566a6b42e","config":"subscription-info","method":"POST","url":"https://maas-api.redhat-ai-gateway-infra.svc.cluster.local:8443/internal/v1/subscriptions/select","headers":{"Content-Type":["application/json"]},"body":"{\"groups\":[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"],\"requestedModel\":\"llm/facebook-opt-125m-simulated\",\"requestedSubscription\":\"simulator-subscription\",\"username\":\"alice_lead\"}"} {"level":"debug","ts":"2026-06-11T13:48:09Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"41590ea6-d6c4-438f-9d31-e4f566a6b42e","config":{"Name":"subscription-info","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"UserInfo":null,"UMA":null,"GenericHTTP":{"Endpoint":"https://maas-api.redhat-ai-gateway-infra.svc.cluster.local:8443/internal/v1/subscriptions/select","DynamicEndpoint":null,"Method":"POST","Body":{},"Parameters":[],"Headers":[],"ContentType":"application/json","SharedSecret":"","OAuth2":null,"OAuth2TokenForceFetch":false,"AuthCredentials":null}},"object":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}} {"level":"debug","ts":"2026-06-11T13:48:09Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"41590ea6-d6c4-438f-9d31-e4f566a6b42e","input":{"auth":{"identity":"Bearer **** subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}}},"context":{"context_extensions":{"host":"3dd75e19cd66d310c30638e330078972afd6d2d96305f91055bc6a6f363fb8d3"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.132.0.32:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local",":method":"GET",":path":"/llm/facebook-opt-125m-simulated/v1/models",":scheme":"https","accept-encoding":"gzip","authorization":"Bearer **** sk-oai-7OuIICjmPi9th6Mz_tEDvQRxbHr7TKcDo1fPSWNrU0YQtv8hHa6lAdEUTzww","user-agent":"Go-http-client/1.1","x-envoy-decorator-operation":"facebook-opt-125m-simulated-kserve-workload-svc.llm.svc.cluster.local:8000/*","x-envoy-external-address":"10.132.0.37","x-envoy-peer-metadata":"ChoKCkNMVVNURVJfSUQSDBoKS3ViZXJuZXRlcwqLAQoGTEFCRUxTEoABKn4KSwofc2VydmljZS5pc3Rpby5pby9jYW5vbmljYWwtbmFtZRIoGiZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAovCiNzZXJ2aWNlLmlzdGlvLmlvL2Nhbm9uaWNhbC1yZXZpc2lvbhIIGgZsYXRlc3QKQAoETkFNRRI4GjZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdC02ODdmZjY5OTYtNHF6d3YKIAoJTkFNRVNQQUNFEhMaEW9wZW5zaGlmdC1pbmdyZXNzCnQKBU9XTkVSEmsaaWt1YmVybmV0ZXM6Ly9hcGlzL2FwcHMvdjEvbmFtZXNwYWNlcy9vcGVuc2hpZnQtaW5ncmVzcy9kZXBsb3ltZW50cy9tYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAo5Cg1XT1JLTE9BRF9OQU1FEigaJm1hYXMtZGVmYXVsdC1nYXRld2F5LW9wZW5zaGlmdC1kZWZhdWx0","x-envoy-peer-metadata-id":"router~10.132.0.32~maas-default-gateway-openshift-default-687ff6996-4qzwv.openshift-ingress~openshift-ingress.svc.cluster.local","x-forwarded-for":"10.132.0.37","x-forwarded-proto":"https","x-maas-subscription":"simulator-subscription","x-request-id":"41590ea6-d6c4-438f-9d31-e4f566a6b42e"},"host":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local","id":"41590ea6-d6c4-438f-9d31-e4f566a6b42e","method":"GET","path":"/llm/facebook-opt-125m-simulated/v1/models","protocol":"HTTP/1.1","scheme":"https","time":{"nanos":829817574,"seconds":1781185689},"url_path":"/llm/facebook-opt-125m-simulated/v1/models","user_agent":"Go-http-client/1.1"},"source":{"address":"10.132.0.37:40498","port":40498}}} {"level":"debug","ts":"2026-06-11T13:48:09Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"41590ea6-d6c4-438f-9d31-e4f566a6b42e","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T13:48:09Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"41590ea6-d6c4-438f-9d31-e4f566a6b42e","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T13:48:09Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"41590ea6-d6c4-438f-9d31-e4f566a6b42e","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T13:48:09Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"41590ea6-d6c4-438f-9d31-e4f566a6b42e","config":{"Name":"subscription-valid","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T13:48:09Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"41590ea6-d6c4-438f-9d31-e4f566a6b42e","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-11T13:48:09Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"41590ea6-d6c4-438f-9d31-e4f566a6b42e","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-11T13:48:09Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"41590ea6-d6c4-438f-9d31-e4f566a6b42e","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"} {"level":"debug","ts":"2026-06-11T13:48:09Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"41590ea6-d6c4-438f-9d31-e4f566a6b42e","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"groups","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"userid","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"keyId","Value":{}}]},"Plain":null},"object":{"groups":["system:authenticated","Engineering","Project-Alpha"],"groups_str":"system:authenticated,Engineering,Project-Alpha","keyId":"da431bb6-e793-48ad-a291-ca9fd44d47a3","selected_subscription":"simulator-subscription","selected_subscription_key":"models-as-a-service/simulator-subscription@llm/facebook-opt-125m-simulated","subscription_error":"","subscription_error_message":"","subscription_info":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true},"userid":"alice_lead"}} {"level":"info","ts":"2026-06-11T13:48:09Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"41590ea6-d6c4-438f-9d31-e4f566a6b42e","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-11T13:48:09Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"41590ea6-d6c4-438f-9d31-e4f566a6b42e","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-11T13:48:09Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"ed6f6717-3b0b-425f-bde0-d9ba5d7acb2a","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.11:58816","PortSpecifier":{"PortValue":58816}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.32:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"ed6f6717-3b0b-425f-bde0-d9ba5d7acb2a","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.af660e2c-6d22-45f8-ad55-33c41c900114.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-11T13:48:09Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"ed6f6717-3b0b-425f-bde0-d9ba5d7acb2a","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.11:58816","PortSpecifier":{"PortValue":58816}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.32:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781185689,"nanos":929449307},"http":{"id":"ed6f6717-3b0b-425f-bde0-d9ba5d7acb2a","method":"POST","headers":{":authority":"maas.apps.af660e2c-6d22-45f8-ad55-33c41c900114.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-11T13:48:09Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"ed6f6717-3b0b-425f-bde0-d9ba5d7acb2a","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781185989,"groups":["Engineering","Project-Alpha"],"iat":1781185689,"iss":"https://keycloak.apps.af660e2c-6d22-45f8-ad55-33c41c900114.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:ff95f3a5-696e-db5f-45f1-43d7f77361ef","preferred_username":"alice_lead","scope":"profile email","sid":"6_9-IOZwSs9CZaq9of8ZMrYh","sub":"d6d9c6e2-b9f4-418b-809f-b46323b28c1a","typ":"Bearer"}} {"level":"debug","ts":"2026-06-11T13:48:09Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"ed6f6717-3b0b-425f-bde0-d9ba5d7acb2a","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781185989,"groups":["Engineering","Project-Alpha"],"iat":1781185689,"iss":"https://keycloak.apps.af660e2c-6d22-45f8-ad55-33c41c900114.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:ff95f3a5-696e-db5f-45f1-43d7f77361ef","preferred_username":"alice_lead","scope":"profile email","sid":"6_9-IOZwSs9CZaq9of8ZMrYh","sub":"d6d9c6e2-b9f4-418b-809f-b46323b28c1a","typ":"Bearer"}},"context":{"context_extensions":{"host":"36a57cb26c1f3baa754055a5b21729579f55f7d59e2035fdb41cf938a33d7612"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.132.0.32:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.af660e2c-6d22-45f8-ad55-33c41c900114.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-11T13:48:09Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"ed6f6717-3b0b-425f-bde0-d9ba5d7acb2a","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T13:48:09Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"ed6f6717-3b0b-425f-bde0-d9ba5d7acb2a","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T13:48:09Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"ed6f6717-3b0b-425f-bde0-d9ba5d7acb2a","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T13:48:09Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"ed6f6717-3b0b-425f-bde0-d9ba5d7acb2a","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"userid","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"groups","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"groups_str","Value":{}}]},"Plain":null},"reason":"no such key: metadata"} {"level":"debug","ts":"2026-06-11T13:48:09Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"ed6f6717-3b0b-425f-bde0-d9ba5d7acb2a","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"} {"level":"debug","ts":"2026-06-11T13:48:09Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"ed6f6717-3b0b-425f-bde0-d9ba5d7acb2a","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"} {"level":"info","ts":"2026-06-11T13:48:09Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"ed6f6717-3b0b-425f-bde0-d9ba5d7acb2a","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-11T13:48:09Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"ed6f6717-3b0b-425f-bde0-d9ba5d7acb2a","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-11T13:48:09Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"ec17f7de-fba4-4a63-b134-4080077601df","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.11:58818","PortSpecifier":{"PortValue":58818}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.32:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"ec17f7de-fba4-4a63-b134-4080077601df","method":"GET","path":"/maas-api/v1/models","host":"maas.apps.af660e2c-6d22-45f8-ad55-33c41c900114.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-11T13:48:09Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"ec17f7de-fba4-4a63-b134-4080077601df","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.11:58818","PortSpecifier":{"PortValue":58818}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.32:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781185689,"nanos":957091417},"http":{"id":"ec17f7de-fba4-4a63-b134-4080077601df","method":"GET","headers":{":authority":"maas.apps.af660e2c-6d22-45f8-ad55-33c41c900114.prod.konfluxeaas.com",":method":"GET",":path":"/maas-api/v1/models",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-11T13:48:09Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"ec17f7de-fba4-4a63-b134-4080077601df","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-1W18aYJ3gE4tFqF7B_SJQmAQjCQRWcV6mcK88acPbMgG6yp62jNrLvYXzK0lA"} {"level":"debug","ts":"2026-06-11T13:48:09Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"ec17f7de-fba4-4a63-b134-4080077601df","config":"apiKeyValidation","method":"POST","url":"https://maas-api.redhat-ai-gateway-infra.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-1W18aYJ3gE4tFqF7B_SJQmAQjCQRWcV6mcK88acPbMgG6yp62jNrLvYXzK0lA\"}"} {"level":"debug","ts":"2026-06-11T13:48:09Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"ec17f7de-fba4-4a63-b134-4080077601df","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-11T13:48:09Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"ec17f7de-fba4-4a63-b134-4080077601df","input":{"auth":{"identity":"Bearer **** deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-11T13:48:09Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"ec17f7de-fba4-4a63-b134-4080077601df","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T13:48:09Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"ec17f7de-fba4-4a63-b134-4080077601df","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T13:48:09Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"ec17f7de-fba4-4a63-b134-4080077601df","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T13:48:09Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"ec17f7de-fba4-4a63-b134-4080077601df","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-11T13:48:09Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"ec17f7de-fba4-4a63-b134-4080077601df","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-11T13:48:09Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"ec17f7de-fba4-4a63-b134-4080077601df","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"userid","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"groups","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"groups_str","Value":{}}]},"Plain":null},"reason":"no such key: subscription-info"} {"level":"debug","ts":"2026-06-11T13:48:09Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"ec17f7de-fba4-4a63-b134-4080077601df","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"} {"level":"info","ts":"2026-06-11T13:48:09Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"ec17f7de-fba4-4a63-b134-4080077601df","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-11T13:48:09Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"ec17f7de-fba4-4a63-b134-4080077601df","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-11T13:48:09Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"6c549e5d-4f2c-42de-94ce-3ba3d86bbb80","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.11:58820","PortSpecifier":{"PortValue":58820}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.32:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"6c549e5d-4f2c-42de-94ce-3ba3d86bbb80","method":"GET","path":"/maas-api/v1/models","host":"maas.apps.af660e2c-6d22-45f8-ad55-33c41c900114.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-11T13:48:09Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"6c549e5d-4f2c-42de-94ce-3ba3d86bbb80","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.11:58820","PortSpecifier":{"PortValue":58820}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.32:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781185689,"nanos":982720663},"http":{"id":"6c549e5d-4f2c-42de-94ce-3ba3d86bbb80","method":"GET","headers":{":authority":"maas.apps.af660e2c-6d22-45f8-ad55-33c41c900114.prod.konfluxeaas.com",":method":"GET",":path":"/maas-api/v1/models",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-11T13:48:09Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"6c549e5d-4f2c-42de-94ce-3ba3d86bbb80","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-1W18aYJ3gE4tFqF7B_SJQmAQjCQRWcV6mcK88acPbMgG6yp62jNrLvYXzK0lA"} {"level":"debug","ts":"2026-06-11T13:48:09Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"6c549e5d-4f2c-42de-94ce-3ba3d86bbb80","config":"apiKeyValidation","method":"POST","url":"https://maas-api.redhat-ai-gateway-infra.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-1W18aYJ3gE4tFqF7B_SJQmAQjCQRWcV6mcK88acPbMgG6yp62jNrLvYXzK0lA\"}"} {"level":"debug","ts":"2026-06-11T13:48:09Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"6c549e5d-4f2c-42de-94ce-3ba3d86bbb80","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-11T13:48:09Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"6c549e5d-4f2c-42de-94ce-3ba3d86bbb80","input":{"auth":{"identity":"Bearer **** deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-11T13:48:09Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"6c549e5d-4f2c-42de-94ce-3ba3d86bbb80","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T13:48:09Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"6c549e5d-4f2c-42de-94ce-3ba3d86bbb80","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T13:48:09Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"6c549e5d-4f2c-42de-94ce-3ba3d86bbb80","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T13:48:09Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"6c549e5d-4f2c-42de-94ce-3ba3d86bbb80","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-11T13:48:09Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"6c549e5d-4f2c-42de-94ce-3ba3d86bbb80","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-11T13:48:09Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"6c549e5d-4f2c-42de-94ce-3ba3d86bbb80","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"userid","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"groups","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"groups_str","Value":{}}]},"Plain":null},"reason":"no such key: subscription-info"} {"level":"debug","ts":"2026-06-11T13:48:09Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"6c549e5d-4f2c-42de-94ce-3ba3d86bbb80","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"} {"level":"info","ts":"2026-06-11T13:48:09Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"6c549e5d-4f2c-42de-94ce-3ba3d86bbb80","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-11T13:48:09Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"6c549e5d-4f2c-42de-94ce-3ba3d86bbb80","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-11T13:48:09Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"85dd876f-e74a-4995-99e8-b0efe7b51c71","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.37:40498","PortSpecifier":{"PortValue":40498}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.32:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"85dd876f-e74a-4995-99e8-b0efe7b51c71","method":"GET","path":"/llm/facebook-opt-125m-simulated/v1/models","host":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local","scheme":"https"}}}} {"level":"debug","ts":"2026-06-11T13:48:09Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"85dd876f-e74a-4995-99e8-b0efe7b51c71","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.37:40498","PortSpecifier":{"PortValue":40498}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.32:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781185689,"nanos":989659235},"http":{"id":"85dd876f-e74a-4995-99e8-b0efe7b51c71","method":"GET","headers":{":authority":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local",":method":"GET",":path":"/llm/facebook-opt-125m-simulated/v1/models",":scheme":"https","accept-encoding":"gzip","authorization":"Bearer **** {"level":"debug","ts":"2026-06-11T13:48:09Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"85dd876f-e74a-4995-99e8-b0efe7b51c71","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-1W18aYJ3gE4tFqF7B_SJQmAQjCQRWcV6mcK88acPbMgG6yp62jNrLvYXzK0lA"} {"level":"debug","ts":"2026-06-11T13:48:09Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"85dd876f-e74a-4995-99e8-b0efe7b51c71","config":"apiKeyValidation","method":"POST","url":"https://maas-api.redhat-ai-gateway-infra.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-1W18aYJ3gE4tFqF7B_SJQmAQjCQRWcV6mcK88acPbMgG6yp62jNrLvYXzK0lA\"}"} {"level":"debug","ts":"2026-06-11T13:48:09Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"85dd876f-e74a-4995-99e8-b0efe7b51c71","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-11T13:48:09Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"85dd876f-e74a-4995-99e8-b0efe7b51c71","config":"subscription-info","method":"POST","url":"https://maas-api.redhat-ai-gateway-infra.svc.cluster.local:8443/internal/v1/subscriptions/select","headers":{"Content-Type":["application/json"]},"body":"{\"groups\":[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"],\"requestedModel\":\"llm/facebook-opt-125m-simulated\",\"requestedSubscription\":\"simulator-subscription\",\"username\":\"alice_lead\"}"} {"level":"debug","ts":"2026-06-11T13:48:09Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"85dd876f-e74a-4995-99e8-b0efe7b51c71","config":{"Name":"subscription-info","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"UserInfo":null,"UMA":null,"GenericHTTP":{"Endpoint":"https://maas-api.redhat-ai-gateway-infra.svc.cluster.local:8443/internal/v1/subscriptions/select","DynamicEndpoint":null,"Method":"POST","Body":{},"Parameters":[],"Headers":[],"ContentType":"application/json","SharedSecret":"","OAuth2":null,"OAuth2TokenForceFetch":false,"AuthCredentials":null}},"object":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}} {"level":"debug","ts":"2026-06-11T13:48:09Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"85dd876f-e74a-4995-99e8-b0efe7b51c71","input":{"auth":{"identity":"Bearer **** subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}}},"context":{"context_extensions":{"host":"3dd75e19cd66d310c30638e330078972afd6d2d96305f91055bc6a6f363fb8d3"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.132.0.32:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local",":method":"GET",":path":"/llm/facebook-opt-125m-simulated/v1/models",":scheme":"https","accept-encoding":"gzip","authorization":"Bearer **** sk-oai-1W18aYJ3gE4tFqF7B_SJQmAQjCQRWcV6mcK88acPbMgG6yp62jNrLvYXzK0lA","user-agent":"Go-http-client/1.1","x-envoy-decorator-operation":"facebook-opt-125m-simulated-kserve-workload-svc.llm.svc.cluster.local:8000/*","x-envoy-external-address":"10.132.0.37","x-envoy-peer-metadata":"ChoKCkNMVVNURVJfSUQSDBoKS3ViZXJuZXRlcwqLAQoGTEFCRUxTEoABKn4KSwofc2VydmljZS5pc3Rpby5pby9jYW5vbmljYWwtbmFtZRIoGiZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAovCiNzZXJ2aWNlLmlzdGlvLmlvL2Nhbm9uaWNhbC1yZXZpc2lvbhIIGgZsYXRlc3QKQAoETkFNRRI4GjZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdC02ODdmZjY5OTYtNHF6d3YKIAoJTkFNRVNQQUNFEhMaEW9wZW5zaGlmdC1pbmdyZXNzCnQKBU9XTkVSEmsaaWt1YmVybmV0ZXM6Ly9hcGlzL2FwcHMvdjEvbmFtZXNwYWNlcy9vcGVuc2hpZnQtaW5ncmVzcy9kZXBsb3ltZW50cy9tYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAo5Cg1XT1JLTE9BRF9OQU1FEigaJm1hYXMtZGVmYXVsdC1nYXRld2F5LW9wZW5zaGlmdC1kZWZhdWx0","x-envoy-peer-metadata-id":"router~10.132.0.32~maas-default-gateway-openshift-default-687ff6996-4qzwv.openshift-ingress~openshift-ingress.svc.cluster.local","x-forwarded-for":"10.132.0.37","x-forwarded-proto":"https","x-maas-subscription":"simulator-subscription","x-request-id":"85dd876f-e74a-4995-99e8-b0efe7b51c71"},"host":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local","id":"85dd876f-e74a-4995-99e8-b0efe7b51c71","method":"GET","path":"/llm/facebook-opt-125m-simulated/v1/models","protocol":"HTTP/1.1","scheme":"https","time":{"nanos":989659235,"seconds":1781185689},"url_path":"/llm/facebook-opt-125m-simulated/v1/models","user_agent":"Go-http-client/1.1"},"source":{"address":"10.132.0.37:40498","port":40498}}} {"level":"debug","ts":"2026-06-11T13:48:09Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"85dd876f-e74a-4995-99e8-b0efe7b51c71","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T13:48:09Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"85dd876f-e74a-4995-99e8-b0efe7b51c71","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T13:48:09Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"85dd876f-e74a-4995-99e8-b0efe7b51c71","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T13:48:09Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"85dd876f-e74a-4995-99e8-b0efe7b51c71","config":{"Name":"subscription-valid","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T13:48:09Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"85dd876f-e74a-4995-99e8-b0efe7b51c71","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-11T13:48:09Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"85dd876f-e74a-4995-99e8-b0efe7b51c71","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-11T13:48:09Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"85dd876f-e74a-4995-99e8-b0efe7b51c71","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"} {"level":"debug","ts":"2026-06-11T13:48:09Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"85dd876f-e74a-4995-99e8-b0efe7b51c71","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"groups","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"userid","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"keyId","Value":{}}]},"Plain":null},"object":{"groups":["system:authenticated","Engineering","Project-Alpha"],"groups_str":"system:authenticated,Engineering,Project-Alpha","keyId":"99050336-d6b4-4c17-a9a2-5750fe3bb613","selected_subscription":"simulator-subscription","selected_subscription_key":"models-as-a-service/simulator-subscription@llm/facebook-opt-125m-simulated","subscription_error":"","subscription_error_message":"","subscription_info":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true},"userid":"alice_lead"}} {"level":"info","ts":"2026-06-11T13:48:09Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"85dd876f-e74a-4995-99e8-b0efe7b51c71","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-11T13:48:09Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"85dd876f-e74a-4995-99e8-b0efe7b51c71","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-11T13:48:10Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"51ef1e22-3ead-4cc4-9ecc-26959e4696c2","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.11:58832","PortSpecifier":{"PortValue":58832}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.32:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"51ef1e22-3ead-4cc4-9ecc-26959e4696c2","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.af660e2c-6d22-45f8-ad55-33c41c900114.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-11T13:48:10Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"51ef1e22-3ead-4cc4-9ecc-26959e4696c2","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.11:58832","PortSpecifier":{"PortValue":58832}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.32:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781185690,"nanos":82555381},"http":{"id":"51ef1e22-3ead-4cc4-9ecc-26959e4696c2","method":"POST","headers":{":authority":"maas.apps.af660e2c-6d22-45f8-ad55-33c41c900114.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-11T13:48:10Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"51ef1e22-3ead-4cc4-9ecc-26959e4696c2","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781185990,"groups":["Engineering","Project-Alpha"],"iat":1781185690,"iss":"https://keycloak.apps.af660e2c-6d22-45f8-ad55-33c41c900114.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:ddb5dc6a-1d13-f1d1-fbb5-a3bb27814088","preferred_username":"alice_lead","scope":"profile email","sid":"fPFLDqKlbCHJX-_cqax0NeRS","sub":"d6d9c6e2-b9f4-418b-809f-b46323b28c1a","typ":"Bearer"}} {"level":"debug","ts":"2026-06-11T13:48:10Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"51ef1e22-3ead-4cc4-9ecc-26959e4696c2","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781185990,"groups":["Engineering","Project-Alpha"],"iat":1781185690,"iss":"https://keycloak.apps.af660e2c-6d22-45f8-ad55-33c41c900114.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:ddb5dc6a-1d13-f1d1-fbb5-a3bb27814088","preferred_username":"alice_lead","scope":"profile email","sid":"fPFLDqKlbCHJX-_cqax0NeRS","sub":"d6d9c6e2-b9f4-418b-809f-b46323b28c1a","typ":"Bearer"}},"context":{"context_extensions":{"host":"36a57cb26c1f3baa754055a5b21729579f55f7d59e2035fdb41cf938a33d7612"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.132.0.32:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.af660e2c-6d22-45f8-ad55-33c41c900114.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-11T13:48:10Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"51ef1e22-3ead-4cc4-9ecc-26959e4696c2","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T13:48:10Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"51ef1e22-3ead-4cc4-9ecc-26959e4696c2","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T13:48:10Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"51ef1e22-3ead-4cc4-9ecc-26959e4696c2","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T13:48:10Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"51ef1e22-3ead-4cc4-9ecc-26959e4696c2","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"userid","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"groups","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"groups_str","Value":{}}]},"Plain":null},"reason":"no such key: metadata"} {"level":"debug","ts":"2026-06-11T13:48:10Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"51ef1e22-3ead-4cc4-9ecc-26959e4696c2","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"} {"level":"debug","ts":"2026-06-11T13:48:10Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"51ef1e22-3ead-4cc4-9ecc-26959e4696c2","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"} {"level":"info","ts":"2026-06-11T13:48:10Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"51ef1e22-3ead-4cc4-9ecc-26959e4696c2","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-11T13:48:10Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"51ef1e22-3ead-4cc4-9ecc-26959e4696c2","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-11T13:48:10Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"58b1b8ce-5023-408b-852f-0c35dc8f0e0f","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.11:58842","PortSpecifier":{"PortValue":58842}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.32:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"58b1b8ce-5023-408b-852f-0c35dc8f0e0f","method":"GET","path":"/maas-api/v1/models","host":"maas.apps.af660e2c-6d22-45f8-ad55-33c41c900114.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-11T13:48:10Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"58b1b8ce-5023-408b-852f-0c35dc8f0e0f","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.11:58842","PortSpecifier":{"PortValue":58842}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.32:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781185690,"nanos":107699559},"http":{"id":"58b1b8ce-5023-408b-852f-0c35dc8f0e0f","method":"GET","headers":{":authority":"maas.apps.af660e2c-6d22-45f8-ad55-33c41c900114.prod.konfluxeaas.com",":method":"GET",":path":"/maas-api/v1/models",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-11T13:48:10Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"58b1b8ce-5023-408b-852f-0c35dc8f0e0f","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-mtlxIQWwjOsUFjm9_V2vxGgXfRSR11QIsGfSrtdJneT3qNDdWw3zb2UjcnI9"} {"level":"debug","ts":"2026-06-11T13:48:10Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"58b1b8ce-5023-408b-852f-0c35dc8f0e0f","config":"apiKeyValidation","method":"POST","url":"https://maas-api.redhat-ai-gateway-infra.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-mtlxIQWwjOsUFjm9_V2vxGgXfRSR11QIsGfSrtdJneT3qNDdWw3zb2UjcnI9\"}"} {"level":"debug","ts":"2026-06-11T13:48:10Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"58b1b8ce-5023-408b-852f-0c35dc8f0e0f","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-11T13:48:10Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"58b1b8ce-5023-408b-852f-0c35dc8f0e0f","input":{"auth":{"identity":"Bearer **** deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-11T13:48:10Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"58b1b8ce-5023-408b-852f-0c35dc8f0e0f","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T13:48:10Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"58b1b8ce-5023-408b-852f-0c35dc8f0e0f","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T13:48:10Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"58b1b8ce-5023-408b-852f-0c35dc8f0e0f","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T13:48:10Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"58b1b8ce-5023-408b-852f-0c35dc8f0e0f","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-11T13:48:10Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"58b1b8ce-5023-408b-852f-0c35dc8f0e0f","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-11T13:48:10Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"58b1b8ce-5023-408b-852f-0c35dc8f0e0f","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"userid","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"groups","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"groups_str","Value":{}}]},"Plain":null},"reason":"no such key: subscription-info"} {"level":"debug","ts":"2026-06-11T13:48:10Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"58b1b8ce-5023-408b-852f-0c35dc8f0e0f","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"} {"level":"info","ts":"2026-06-11T13:48:10Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"58b1b8ce-5023-408b-852f-0c35dc8f0e0f","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-11T13:48:10Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"58b1b8ce-5023-408b-852f-0c35dc8f0e0f","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-11T13:48:10Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"5cb9416f-0287-467b-826d-a3b7d1dedc95","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.37:40498","PortSpecifier":{"PortValue":40498}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.32:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"5cb9416f-0287-467b-826d-a3b7d1dedc95","method":"GET","path":"/llm/facebook-opt-125m-simulated/v1/models","host":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local","scheme":"https"}}}} {"level":"debug","ts":"2026-06-11T13:48:10Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"5cb9416f-0287-467b-826d-a3b7d1dedc95","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.37:40498","PortSpecifier":{"PortValue":40498}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.32:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781185690,"nanos":114857303},"http":{"id":"5cb9416f-0287-467b-826d-a3b7d1dedc95","method":"GET","headers":{":authority":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local",":method":"GET",":path":"/llm/facebook-opt-125m-simulated/v1/models",":scheme":"https","accept-encoding":"gzip","authorization":"Bearer **** {"level":"debug","ts":"2026-06-11T13:48:10Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"5cb9416f-0287-467b-826d-a3b7d1dedc95","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-mtlxIQWwjOsUFjm9_V2vxGgXfRSR11QIsGfSrtdJneT3qNDdWw3zb2UjcnI9"} {"level":"debug","ts":"2026-06-11T13:48:10Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"5cb9416f-0287-467b-826d-a3b7d1dedc95","config":"apiKeyValidation","method":"POST","url":"https://maas-api.redhat-ai-gateway-infra.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-mtlxIQWwjOsUFjm9_V2vxGgXfRSR11QIsGfSrtdJneT3qNDdWw3zb2UjcnI9\"}"} {"level":"debug","ts":"2026-06-11T13:48:10Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"5cb9416f-0287-467b-826d-a3b7d1dedc95","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-11T13:48:10Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"5cb9416f-0287-467b-826d-a3b7d1dedc95","config":"subscription-info","method":"POST","url":"https://maas-api.redhat-ai-gateway-infra.svc.cluster.local:8443/internal/v1/subscriptions/select","headers":{"Content-Type":["application/json"]},"body":"{\"groups\":[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"],\"requestedModel\":\"llm/facebook-opt-125m-simulated\",\"requestedSubscription\":\"simulator-subscription\",\"username\":\"alice_lead\"}"} {"level":"debug","ts":"2026-06-11T13:48:10Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"5cb9416f-0287-467b-826d-a3b7d1dedc95","config":{"Name":"subscription-info","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"UserInfo":null,"UMA":null,"GenericHTTP":{"Endpoint":"https://maas-api.redhat-ai-gateway-infra.svc.cluster.local:8443/internal/v1/subscriptions/select","DynamicEndpoint":null,"Method":"POST","Body":{},"Parameters":[],"Headers":[],"ContentType":"application/json","SharedSecret":"","OAuth2":null,"OAuth2TokenForceFetch":false,"AuthCredentials":null}},"object":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}} {"level":"debug","ts":"2026-06-11T13:48:10Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"5cb9416f-0287-467b-826d-a3b7d1dedc95","input":{"auth":{"identity":"Bearer **** subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}}},"context":{"context_extensions":{"host":"3dd75e19cd66d310c30638e330078972afd6d2d96305f91055bc6a6f363fb8d3"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.132.0.32:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local",":method":"GET",":path":"/llm/facebook-opt-125m-simulated/v1/models",":scheme":"https","accept-encoding":"gzip","authorization":"Bearer **** sk-oai-mtlxIQWwjOsUFjm9_V2vxGgXfRSR11QIsGfSrtdJneT3qNDdWw3zb2UjcnI9","user-agent":"Go-http-client/1.1","x-envoy-decorator-operation":"facebook-opt-125m-simulated-kserve-workload-svc.llm.svc.cluster.local:8000/*","x-envoy-external-address":"10.132.0.37","x-envoy-peer-metadata":"ChoKCkNMVVNURVJfSUQSDBoKS3ViZXJuZXRlcwqLAQoGTEFCRUxTEoABKn4KSwofc2VydmljZS5pc3Rpby5pby9jYW5vbmljYWwtbmFtZRIoGiZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAovCiNzZXJ2aWNlLmlzdGlvLmlvL2Nhbm9uaWNhbC1yZXZpc2lvbhIIGgZsYXRlc3QKQAoETkFNRRI4GjZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdC02ODdmZjY5OTYtNHF6d3YKIAoJTkFNRVNQQUNFEhMaEW9wZW5zaGlmdC1pbmdyZXNzCnQKBU9XTkVSEmsaaWt1YmVybmV0ZXM6Ly9hcGlzL2FwcHMvdjEvbmFtZXNwYWNlcy9vcGVuc2hpZnQtaW5ncmVzcy9kZXBsb3ltZW50cy9tYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAo5Cg1XT1JLTE9BRF9OQU1FEigaJm1hYXMtZGVmYXVsdC1nYXRld2F5LW9wZW5zaGlmdC1kZWZhdWx0","x-envoy-peer-metadata-id":"router~10.132.0.32~maas-default-gateway-openshift-default-687ff6996-4qzwv.openshift-ingress~openshift-ingress.svc.cluster.local","x-forwarded-for":"10.132.0.37","x-forwarded-proto":"https","x-maas-subscription":"simulator-subscription","x-request-id":"5cb9416f-0287-467b-826d-a3b7d1dedc95"},"host":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local","id":"5cb9416f-0287-467b-826d-a3b7d1dedc95","method":"GET","path":"/llm/facebook-opt-125m-simulated/v1/models","protocol":"HTTP/1.1","scheme":"https","time":{"nanos":114857303,"seconds":1781185690},"url_path":"/llm/facebook-opt-125m-simulated/v1/models","user_agent":"Go-http-client/1.1"},"source":{"address":"10.132.0.37:40498","port":40498}}} {"level":"debug","ts":"2026-06-11T13:48:10Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"5cb9416f-0287-467b-826d-a3b7d1dedc95","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T13:48:10Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"5cb9416f-0287-467b-826d-a3b7d1dedc95","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T13:48:10Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"5cb9416f-0287-467b-826d-a3b7d1dedc95","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T13:48:10Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"5cb9416f-0287-467b-826d-a3b7d1dedc95","config":{"Name":"subscription-valid","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T13:48:10Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"5cb9416f-0287-467b-826d-a3b7d1dedc95","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-11T13:48:10Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"5cb9416f-0287-467b-826d-a3b7d1dedc95","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-11T13:48:10Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"5cb9416f-0287-467b-826d-a3b7d1dedc95","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"} {"level":"debug","ts":"2026-06-11T13:48:10Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"5cb9416f-0287-467b-826d-a3b7d1dedc95","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"groups","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"userid","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"keyId","Value":{}}]},"Plain":null},"object":{"groups":["system:authenticated","Engineering","Project-Alpha"],"groups_str":"system:authenticated,Engineering,Project-Alpha","keyId":"c5d2ce06-8389-485d-a09b-03c73c890d4b","selected_subscription":"simulator-subscription","selected_subscription_key":"models-as-a-service/simulator-subscription@llm/facebook-opt-125m-simulated","subscription_error":"","subscription_error_message":"","subscription_info":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true},"userid":"alice_lead"}} {"level":"info","ts":"2026-06-11T13:48:10Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"5cb9416f-0287-467b-826d-a3b7d1dedc95","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-11T13:48:10Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"5cb9416f-0287-467b-826d-a3b7d1dedc95","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-11T13:48:10Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"e5376fb9-496c-41b2-9e26-a40f6bfeaeee","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.11:58848","PortSpecifier":{"PortValue":58848}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.32:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"e5376fb9-496c-41b2-9e26-a40f6bfeaeee","method":"GET","path":"/maas-api/v1/models","host":"maas.apps.af660e2c-6d22-45f8-ad55-33c41c900114.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-11T13:48:10Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"e5376fb9-496c-41b2-9e26-a40f6bfeaeee","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.11:58848","PortSpecifier":{"PortValue":58848}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.32:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781185690,"nanos":141864805},"http":{"id":"e5376fb9-496c-41b2-9e26-a40f6bfeaeee","method":"GET","headers":{":authority":"maas.apps.af660e2c-6d22-45f8-ad55-33c41c900114.prod.konfluxeaas.com",":method":"GET",":path":"/maas-api/v1/models",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-11T13:48:10Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"e5376fb9-496c-41b2-9e26-a40f6bfeaeee","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-mtlxIQWwjOsUFjm9_V2vxGgXfRSR11QIsGfSrtdJneT3qNDdWw3zb2UjcnI9"} {"level":"debug","ts":"2026-06-11T13:48:10Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"e5376fb9-496c-41b2-9e26-a40f6bfeaeee","config":"apiKeyValidation","method":"POST","url":"https://maas-api.redhat-ai-gateway-infra.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-mtlxIQWwjOsUFjm9_V2vxGgXfRSR11QIsGfSrtdJneT3qNDdWw3zb2UjcnI9\"}"} {"level":"debug","ts":"2026-06-11T13:48:10Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"e5376fb9-496c-41b2-9e26-a40f6bfeaeee","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-11T13:48:10Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"e5376fb9-496c-41b2-9e26-a40f6bfeaeee","input":{"auth":{"identity":"Bearer **** deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-11T13:48:10Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"e5376fb9-496c-41b2-9e26-a40f6bfeaeee","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T13:48:10Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"e5376fb9-496c-41b2-9e26-a40f6bfeaeee","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T13:48:10Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"e5376fb9-496c-41b2-9e26-a40f6bfeaeee","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T13:48:10Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"e5376fb9-496c-41b2-9e26-a40f6bfeaeee","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-11T13:48:10Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"e5376fb9-496c-41b2-9e26-a40f6bfeaeee","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-11T13:48:10Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"e5376fb9-496c-41b2-9e26-a40f6bfeaeee","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"} {"level":"debug","ts":"2026-06-11T13:48:10Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"e5376fb9-496c-41b2-9e26-a40f6bfeaeee","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"userid","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"groups","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"groups_str","Value":{}}]},"Plain":null},"reason":"no such key: subscription-info"} {"level":"info","ts":"2026-06-11T13:48:10Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"e5376fb9-496c-41b2-9e26-a40f6bfeaeee","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-11T13:48:10Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"e5376fb9-496c-41b2-9e26-a40f6bfeaeee","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-11T13:48:10Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"94a6f150-5ad3-4d14-949d-2c4611b9eeb0","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.37:40498","PortSpecifier":{"PortValue":40498}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.32:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"94a6f150-5ad3-4d14-949d-2c4611b9eeb0","method":"GET","path":"/llm/facebook-opt-125m-simulated/v1/models","host":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local","scheme":"https"}}}} {"level":"debug","ts":"2026-06-11T13:48:10Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"94a6f150-5ad3-4d14-949d-2c4611b9eeb0","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.37:40498","PortSpecifier":{"PortValue":40498}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.32:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781185690,"nanos":148589534},"http":{"id":"94a6f150-5ad3-4d14-949d-2c4611b9eeb0","method":"GET","headers":{":authority":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local",":method":"GET",":path":"/llm/facebook-opt-125m-simulated/v1/models",":scheme":"https","accept-encoding":"gzip","authorization":"Bearer **** {"level":"debug","ts":"2026-06-11T13:48:10Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"94a6f150-5ad3-4d14-949d-2c4611b9eeb0","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-mtlxIQWwjOsUFjm9_V2vxGgXfRSR11QIsGfSrtdJneT3qNDdWw3zb2UjcnI9"} {"level":"debug","ts":"2026-06-11T13:48:10Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"94a6f150-5ad3-4d14-949d-2c4611b9eeb0","config":"apiKeyValidation","method":"POST","url":"https://maas-api.redhat-ai-gateway-infra.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-mtlxIQWwjOsUFjm9_V2vxGgXfRSR11QIsGfSrtdJneT3qNDdWw3zb2UjcnI9\"}"} {"level":"debug","ts":"2026-06-11T13:48:10Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"94a6f150-5ad3-4d14-949d-2c4611b9eeb0","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-11T13:48:10Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"94a6f150-5ad3-4d14-949d-2c4611b9eeb0","config":"subscription-info","method":"POST","url":"https://maas-api.redhat-ai-gateway-infra.svc.cluster.local:8443/internal/v1/subscriptions/select","headers":{"Content-Type":["application/json"]},"body":"{\"groups\":[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"],\"requestedModel\":\"llm/facebook-opt-125m-simulated\",\"requestedSubscription\":\"simulator-subscription\",\"username\":\"alice_lead\"}"} {"level":"debug","ts":"2026-06-11T13:48:10Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"94a6f150-5ad3-4d14-949d-2c4611b9eeb0","config":{"Name":"subscription-info","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"UserInfo":null,"UMA":null,"GenericHTTP":{"Endpoint":"https://maas-api.redhat-ai-gateway-infra.svc.cluster.local:8443/internal/v1/subscriptions/select","DynamicEndpoint":null,"Method":"POST","Body":{},"Parameters":[],"Headers":[],"ContentType":"application/json","SharedSecret":"","OAuth2":null,"OAuth2TokenForceFetch":false,"AuthCredentials":null}},"object":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}} {"level":"debug","ts":"2026-06-11T13:48:10Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"94a6f150-5ad3-4d14-949d-2c4611b9eeb0","input":{"auth":{"identity":"Bearer **** subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}}},"context":{"context_extensions":{"host":"3dd75e19cd66d310c30638e330078972afd6d2d96305f91055bc6a6f363fb8d3"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.132.0.32:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local",":method":"GET",":path":"/llm/facebook-opt-125m-simulated/v1/models",":scheme":"https","accept-encoding":"gzip","authorization":"Bearer **** sk-oai-mtlxIQWwjOsUFjm9_V2vxGgXfRSR11QIsGfSrtdJneT3qNDdWw3zb2UjcnI9","user-agent":"Go-http-client/1.1","x-envoy-decorator-operation":"facebook-opt-125m-simulated-kserve-workload-svc.llm.svc.cluster.local:8000/*","x-envoy-external-address":"10.132.0.37","x-envoy-peer-metadata":"ChoKCkNMVVNURVJfSUQSDBoKS3ViZXJuZXRlcwqLAQoGTEFCRUxTEoABKn4KSwofc2VydmljZS5pc3Rpby5pby9jYW5vbmljYWwtbmFtZRIoGiZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAovCiNzZXJ2aWNlLmlzdGlvLmlvL2Nhbm9uaWNhbC1yZXZpc2lvbhIIGgZsYXRlc3QKQAoETkFNRRI4GjZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdC02ODdmZjY5OTYtNHF6d3YKIAoJTkFNRVNQQUNFEhMaEW9wZW5zaGlmdC1pbmdyZXNzCnQKBU9XTkVSEmsaaWt1YmVybmV0ZXM6Ly9hcGlzL2FwcHMvdjEvbmFtZXNwYWNlcy9vcGVuc2hpZnQtaW5ncmVzcy9kZXBsb3ltZW50cy9tYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAo5Cg1XT1JLTE9BRF9OQU1FEigaJm1hYXMtZGVmYXVsdC1nYXRld2F5LW9wZW5zaGlmdC1kZWZhdWx0","x-envoy-peer-metadata-id":"router~10.132.0.32~maas-default-gateway-openshift-default-687ff6996-4qzwv.openshift-ingress~openshift-ingress.svc.cluster.local","x-forwarded-for":"10.132.0.37","x-forwarded-proto":"https","x-maas-subscription":"simulator-subscription","x-request-id":"94a6f150-5ad3-4d14-949d-2c4611b9eeb0"},"host":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local","id":"94a6f150-5ad3-4d14-949d-2c4611b9eeb0","method":"GET","path":"/llm/facebook-opt-125m-simulated/v1/models","protocol":"HTTP/1.1","scheme":"https","time":{"nanos":148589534,"seconds":1781185690},"url_path":"/llm/facebook-opt-125m-simulated/v1/models","user_agent":"Go-http-client/1.1"},"source":{"address":"10.132.0.37:40498","port":40498}}} {"level":"debug","ts":"2026-06-11T13:48:10Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"94a6f150-5ad3-4d14-949d-2c4611b9eeb0","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T13:48:10Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"94a6f150-5ad3-4d14-949d-2c4611b9eeb0","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T13:48:10Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"94a6f150-5ad3-4d14-949d-2c4611b9eeb0","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T13:48:10Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"94a6f150-5ad3-4d14-949d-2c4611b9eeb0","config":{"Name":"subscription-valid","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T13:48:10Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"94a6f150-5ad3-4d14-949d-2c4611b9eeb0","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-11T13:48:10Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"94a6f150-5ad3-4d14-949d-2c4611b9eeb0","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-11T13:48:10Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"94a6f150-5ad3-4d14-949d-2c4611b9eeb0","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"} {"level":"debug","ts":"2026-06-11T13:48:10Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"94a6f150-5ad3-4d14-949d-2c4611b9eeb0","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"groups","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"userid","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"keyId","Value":{}}]},"Plain":null},"object":{"groups":["system:authenticated","Engineering","Project-Alpha"],"groups_str":"system:authenticated,Engineering,Project-Alpha","keyId":"c5d2ce06-8389-485d-a09b-03c73c890d4b","selected_subscription":"simulator-subscription","selected_subscription_key":"models-as-a-service/simulator-subscription@llm/facebook-opt-125m-simulated","subscription_error":"","subscription_error_message":"","subscription_info":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true},"userid":"alice_lead"}} {"level":"info","ts":"2026-06-11T13:48:10Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"94a6f150-5ad3-4d14-949d-2c4611b9eeb0","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-11T13:48:10Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"94a6f150-5ad3-4d14-949d-2c4611b9eeb0","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-11T13:48:10Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"eb3e1241-e89d-4646-92ab-e7eb70618397","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.11:58852","PortSpecifier":{"PortValue":58852}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.32:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"eb3e1241-e89d-4646-92ab-e7eb70618397","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.af660e2c-6d22-45f8-ad55-33c41c900114.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-11T13:48:10Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"eb3e1241-e89d-4646-92ab-e7eb70618397","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.11:58852","PortSpecifier":{"PortValue":58852}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.32:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781185690,"nanos":248265562},"http":{"id":"eb3e1241-e89d-4646-92ab-e7eb70618397","method":"POST","headers":{":authority":"maas.apps.af660e2c-6d22-45f8-ad55-33c41c900114.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-11T13:48:10Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"eb3e1241-e89d-4646-92ab-e7eb70618397","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781185990,"groups":["Engineering","Project-Alpha"],"iat":1781185690,"iss":"https://keycloak.apps.af660e2c-6d22-45f8-ad55-33c41c900114.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:ba85a92d-d78e-f478-305e-53deb452e432","preferred_username":"alice_lead","scope":"profile email","sid":"RdzvWuDoHt9ZCdajffaEu6hP","sub":"d6d9c6e2-b9f4-418b-809f-b46323b28c1a","typ":"Bearer"}} {"level":"debug","ts":"2026-06-11T13:48:10Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"eb3e1241-e89d-4646-92ab-e7eb70618397","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781185990,"groups":["Engineering","Project-Alpha"],"iat":1781185690,"iss":"https://keycloak.apps.af660e2c-6d22-45f8-ad55-33c41c900114.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:ba85a92d-d78e-f478-305e-53deb452e432","preferred_username":"alice_lead","scope":"profile email","sid":"RdzvWuDoHt9ZCdajffaEu6hP","sub":"d6d9c6e2-b9f4-418b-809f-b46323b28c1a","typ":"Bearer"}},"context":{"context_extensions":{"host":"36a57cb26c1f3baa754055a5b21729579f55f7d59e2035fdb41cf938a33d7612"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.132.0.32:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.af660e2c-6d22-45f8-ad55-33c41c900114.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-11T13:48:10Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"eb3e1241-e89d-4646-92ab-e7eb70618397","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T13:48:10Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"eb3e1241-e89d-4646-92ab-e7eb70618397","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T13:48:10Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"eb3e1241-e89d-4646-92ab-e7eb70618397","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T13:48:10Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"eb3e1241-e89d-4646-92ab-e7eb70618397","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"userid","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"groups","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"groups_str","Value":{}}]},"Plain":null},"reason":"no such key: metadata"} {"level":"debug","ts":"2026-06-11T13:48:10Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"eb3e1241-e89d-4646-92ab-e7eb70618397","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"} {"level":"debug","ts":"2026-06-11T13:48:10Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"eb3e1241-e89d-4646-92ab-e7eb70618397","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"} {"level":"info","ts":"2026-06-11T13:48:10Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"eb3e1241-e89d-4646-92ab-e7eb70618397","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-11T13:48:10Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"eb3e1241-e89d-4646-92ab-e7eb70618397","authorized":true,"response":"OK"}