{"level":"info","ts":"2026-06-14T23:25:51Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/bf72a6316f6ed79299511e58d068836cdc71dbca5e23944f783c9340ffa0aee1"}
{"level":"debug","ts":"2026-06-14T23:25:51Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/3dc75fc8307b952a3e873400cf417e90f2861e8a225abec4b22708deb7901db7","issuerUrl":"https://keycloak.apps.84f784b9-290f-43f0-a84a-48ee690c14ab.prod.konfluxeaas.com/realms/tenant-a"}
{"level":"info","ts":"2026-06-14T23:25:51Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/3dc75fc8307b952a3e873400cf417e90f2861e8a225abec4b22708deb7901db7"}
{"level":"debug","ts":"2026-06-14T23:25:52Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"d3b195a61a7f24c6bf1fba40f9f2e2565facb6af92e959c1546ac398a9172618","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"False","lastTransitionTime":"2026-06-14T23:25:52Z","reason":"HostsNotLinked","message":"No hosts linked to the resource"},{"type":"Ready","status":"False","lastTransitionTime":"2026-06-14T23:25:52Z","reason":"Reconciling"}],"summary":{"ready":false,"hostsReady":[],"numHostsReady":"0/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":8,"festivalWristbandEnabled":false}}}
{"level":"debug","ts":"2026-06-14T23:25:52Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/d3b195a61a7f24c6bf1fba40f9f2e2565facb6af92e959c1546ac398a9172618","issuerUrl":"https://keycloak.apps.84f784b9-290f-43f0-a84a-48ee690c14ab.prod.konfluxeaas.com/realms/tenant-a"}
{"level":"info","ts":"2026-06-14T23:25:52Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"d3b195a61a7f24c6bf1fba40f9f2e2565facb6af92e959c1546ac398a9172618","namespace":"kuadrant-system"}}
{"level":"debug","ts":"2026-06-14T23:25:52Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"d3b195a61a7f24c6bf1fba40f9f2e2565facb6af92e959c1546ac398a9172618","namespace":"kuadrant-system"}}
{"level":"debug","ts":"2026-06-14T23:25:52Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"cc09b530b46a73b0d4ddb40e465580cff15db19d77e93e4903c9737647deeb1a","namespace":"kuadrant-system"}}
{"level":"debug","ts":"2026-06-14T23:25:52Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"d3b195a61a7f24c6bf1fba40f9f2e2565facb6af92e959c1546ac398a9172618","namespace":"kuadrant-system"}}
{"level":"info","ts":"2026-06-14T23:25:52Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/d3b195a61a7f24c6bf1fba40f9f2e2565facb6af92e959c1546ac398a9172618"}
{"level":"debug","ts":"2026-06-14T23:25:52Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/cc09b530b46a73b0d4ddb40e465580cff15db19d77e93e4903c9737647deeb1a","issuerUrl":"https://keycloak.apps.84f784b9-290f-43f0-a84a-48ee690c14ab.prod.konfluxeaas.com/realms/tenant-a"}
{"level":"debug","ts":"2026-06-14T23:25:52Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"e50f5fdcb9fb7e124557afe69edae9a95d05da488eae1cc4b5c1c7c1220a826a","namespace":"kuadrant-system"}}
{"level":"debug","ts":"2026-06-14T23:25:52Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"d3b195a61a7f24c6bf1fba40f9f2e2565facb6af92e959c1546ac398a9172618","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"True","lastTransitionTime":"2026-06-14T23:25:52Z","reason":"HostsLinked"},{"type":"Ready","status":"True","lastTransitionTime":"2026-06-14T23:25:52Z","reason":"Reconciled"}],"summary":{"ready":true,"hostsReady":["d3b195a61a7f24c6bf1fba40f9f2e2565facb6af92e959c1546ac398a9172618"],"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":8,"festivalWristbandEnabled":false}}}
{"level":"info","ts":"2026-06-14T23:25:52Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/cc09b530b46a73b0d4ddb40e465580cff15db19d77e93e4903c9737647deeb1a"}
{"level":"info","ts":"2026-06-14T23:25:52Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"d3b195a61a7f24c6bf1fba40f9f2e2565facb6af92e959c1546ac398a9172618","namespace":"kuadrant-system"}}
{"level":"debug","ts":"2026-06-14T23:25:52Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"e38d76c6f386f12bc12190c87b39e6e77e182be454f85659a9197c301f2cd9be","namespace":"kuadrant-system"}}
{"level":"debug","ts":"2026-06-14T23:25:52Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"d3b195a61a7f24c6bf1fba40f9f2e2565facb6af92e959c1546ac398a9172618","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"False","lastTransitionTime":"2026-06-14T23:25:52Z","reason":"HostsNotLinked","message":"No hosts linked to the resource"},{"type":"Ready","status":"False","lastTransitionTime":"2026-06-14T23:25:52Z","reason":"Reconciling"}],"summary":{"ready":false,"hostsReady":[],"numHostsReady":"0/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":8,"festivalWristbandEnabled":false}}}
{"level":"debug","ts":"2026-06-14T23:25:52Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/d3b195a61a7f24c6bf1fba40f9f2e2565facb6af92e959c1546ac398a9172618","issuerUrl":"https://keycloak.apps.84f784b9-290f-43f0-a84a-48ee690c14ab.prod.konfluxeaas.com/realms/tenant-a"}
{"level":"info","ts":"2026-06-14T23:25:52Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"d3b195a61a7f24c6bf1fba40f9f2e2565facb6af92e959c1546ac398a9172618","namespace":"kuadrant-system"}}
{"level":"debug","ts":"2026-06-14T23:25:52Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"18e32965997cdd9967355c6fa5264ed12c0a215989d459ed88d7d6de02865f76","namespace":"kuadrant-system"}}
{"level":"debug","ts":"2026-06-14T23:25:52Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"d3b195a61a7f24c6bf1fba40f9f2e2565facb6af92e959c1546ac398a9172618","namespace":"kuadrant-system"}}
{"level":"info","ts":"2026-06-14T23:25:52Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/d3b195a61a7f24c6bf1fba40f9f2e2565facb6af92e959c1546ac398a9172618"}
{"level":"debug","ts":"2026-06-14T23:25:52Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"d3b195a61a7f24c6bf1fba40f9f2e2565facb6af92e959c1546ac398a9172618","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"True","lastTransitionTime":"2026-06-14T23:25:52Z","reason":"HostsLinked"},{"type":"Ready","status":"True","lastTransitionTime":"2026-06-14T23:25:52Z","reason":"Reconciled"}],"summary":{"ready":true,"hostsReady":["d3b195a61a7f24c6bf1fba40f9f2e2565facb6af92e959c1546ac398a9172618"],"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":8,"festivalWristbandEnabled":false}}}
{"level":"debug","ts":"2026-06-14T23:25:52Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/e50f5fdcb9fb7e124557afe69edae9a95d05da488eae1cc4b5c1c7c1220a826a","issuerUrl":"https://keycloak.apps.84f784b9-290f-43f0-a84a-48ee690c14ab.prod.konfluxeaas.com/realms/tenant-a"}
{"level":"info","ts":"2026-06-14T23:25:52Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"d3b195a61a7f24c6bf1fba40f9f2e2565facb6af92e959c1546ac398a9172618","namespace":"kuadrant-system"}}
{"level":"debug","ts":"2026-06-14T23:25:52Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"d3b195a61a7f24c6bf1fba40f9f2e2565facb6af92e959c1546ac398a9172618","namespace":"kuadrant-system"}}
{"level":"debug","ts":"2026-06-14T23:25:52Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d","namespace":"kuadrant-system"}}
{"level":"info","ts":"2026-06-14T23:25:52Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/e50f5fdcb9fb7e124557afe69edae9a95d05da488eae1cc4b5c1c7c1220a826a"}
{"level":"debug","ts":"2026-06-14T23:25:52Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/e38d76c6f386f12bc12190c87b39e6e77e182be454f85659a9197c301f2cd9be","issuerUrl":"https://keycloak.apps.84f784b9-290f-43f0-a84a-48ee690c14ab.prod.konfluxeaas.com/realms/tenant-a"}
{"level":"debug","ts":"2026-06-14T23:25:52Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"edcceb5a2e0cf1edde0fc3ed43068ce5b123a6fdc41949959c2c3b7a5a48bf24","namespace":"kuadrant-system"}}
{"level":"info","ts":"2026-06-14T23:25:52Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/e38d76c6f386f12bc12190c87b39e6e77e182be454f85659a9197c301f2cd9be"}
{"level":"debug","ts":"2026-06-14T23:25:52Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/18e32965997cdd9967355c6fa5264ed12c0a215989d459ed88d7d6de02865f76","issuerUrl":"https://keycloak.apps.84f784b9-290f-43f0-a84a-48ee690c14ab.prod.konfluxeaas.com/realms/tenant-a"}
{"level":"debug","ts":"2026-06-14T23:25:52Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"df733b2c652bfe2458c9e19932b1091e939c1a62178d6879462b3b4f73fca4bb","namespace":"kuadrant-system"}}
{"level":"info","ts":"2026-06-14T23:25:52Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/18e32965997cdd9967355c6fa5264ed12c0a215989d459ed88d7d6de02865f76"}
{"level":"debug","ts":"2026-06-14T23:25:52Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/d3b195a61a7f24c6bf1fba40f9f2e2565facb6af92e959c1546ac398a9172618","issuerUrl":"https://keycloak.apps.84f784b9-290f-43f0-a84a-48ee690c14ab.prod.konfluxeaas.com/realms/tenant-a"}
{"level":"debug","ts":"2026-06-14T23:25:52Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"c9f2cdb36f800bc8ef8831e6117ec4c6cc521d8cd63b718b7906225d0f25e59f","namespace":"kuadrant-system"}}
{"level":"info","ts":"2026-06-14T23:25:52Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/d3b195a61a7f24c6bf1fba40f9f2e2565facb6af92e959c1546ac398a9172618"}
{"level":"debug","ts":"2026-06-14T23:25:52Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d","issuerUrl":"https://keycloak.apps.84f784b9-290f-43f0-a84a-48ee690c14ab.prod.konfluxeaas.com/realms/tenant-a"}
{"level":"info","ts":"2026-06-14T23:25:52Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"}
{"level":"debug","ts":"2026-06-14T23:25:52Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/edcceb5a2e0cf1edde0fc3ed43068ce5b123a6fdc41949959c2c3b7a5a48bf24","issuerUrl":"https://keycloak.apps.84f784b9-290f-43f0-a84a-48ee690c14ab.prod.konfluxeaas.com/realms/tenant-a"}
{"level":"debug","ts":"2026-06-14T23:25:52Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"5fea747cb803a5ee3aeb620187bd9ec74ccccd10a92474ef528215a7ff146c8f","namespace":"kuadrant-system"}}
{"level":"info","ts":"2026-06-14T23:25:52Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/edcceb5a2e0cf1edde0fc3ed43068ce5b123a6fdc41949959c2c3b7a5a48bf24"}
{"level":"debug","ts":"2026-06-14T23:25:52Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/df733b2c652bfe2458c9e19932b1091e939c1a62178d6879462b3b4f73fca4bb","issuerUrl":"https://keycloak.apps.84f784b9-290f-43f0-a84a-48ee690c14ab.prod.konfluxeaas.com/realms/tenant-a"}
{"level":"debug","ts":"2026-06-14T23:25:52Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"a89b0896df0d8cd430f1c81b6eb292ddc044daed393537d009a6330718f58d4b","namespace":"kuadrant-system"}}
{"level":"info","ts":"2026-06-14T23:25:52Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/df733b2c652bfe2458c9e19932b1091e939c1a62178d6879462b3b4f73fca4bb"}
{"level":"debug","ts":"2026-06-14T23:25:52Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/c9f2cdb36f800bc8ef8831e6117ec4c6cc521d8cd63b718b7906225d0f25e59f","issuerUrl":"https://keycloak.apps.84f784b9-290f-43f0-a84a-48ee690c14ab.prod.konfluxeaas.com/realms/tenant-a"}
{"level":"debug","ts":"2026-06-14T23:25:52Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"86cbb62fb4d82d4dc402b3281444539a5625c4bb4c86bbc4912c70e690a2e374","namespace":"kuadrant-system"}}
{"level":"info","ts":"2026-06-14T23:25:52Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/c9f2cdb36f800bc8ef8831e6117ec4c6cc521d8cd63b718b7906225d0f25e59f"}
{"level":"debug","ts":"2026-06-14T23:25:52Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/5fea747cb803a5ee3aeb620187bd9ec74ccccd10a92474ef528215a7ff146c8f","issuerUrl":"https://keycloak.apps.84f784b9-290f-43f0-a84a-48ee690c14ab.prod.konfluxeaas.com/realms/tenant-a"}
{"level":"debug","ts":"2026-06-14T23:25:52Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"b1f82c4ba6cc7617f9c0b90067f72f4a25fdc5de2564c14ccb90af534a2905f6","namespace":"kuadrant-system"}}
{"level":"info","ts":"2026-06-14T23:25:52Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/5fea747cb803a5ee3aeb620187bd9ec74ccccd10a92474ef528215a7ff146c8f"}
{"level":"debug","ts":"2026-06-14T23:25:52Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/a89b0896df0d8cd430f1c81b6eb292ddc044daed393537d009a6330718f58d4b","issuerUrl":"https://keycloak.apps.84f784b9-290f-43f0-a84a-48ee690c14ab.prod.konfluxeaas.com/realms/tenant-a"}
{"level":"debug","ts":"2026-06-14T23:25:52Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"331dc257e65f55f80700a586f7807093eda7b3d8e7d91215dc3c47731508480c","namespace":"kuadrant-system"}}
{"level":"info","ts":"2026-06-14T23:25:52Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/a89b0896df0d8cd430f1c81b6eb292ddc044daed393537d009a6330718f58d4b"}
{"level":"debug","ts":"2026-06-14T23:25:52Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/86cbb62fb4d82d4dc402b3281444539a5625c4bb4c86bbc4912c70e690a2e374","issuerUrl":"https://keycloak.apps.84f784b9-290f-43f0-a84a-48ee690c14ab.prod.konfluxeaas.com/realms/tenant-a"}
{"level":"debug","ts":"2026-06-14T23:25:52Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"311b1be286674fd5684c9ac59b318287dade9769cfe4aeebd8c88e2dc6b72418","namespace":"kuadrant-system"}}
{"level":"info","ts":"2026-06-14T23:25:52Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/86cbb62fb4d82d4dc402b3281444539a5625c4bb4c86bbc4912c70e690a2e374"}
{"level":"debug","ts":"2026-06-14T23:25:52Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/b1f82c4ba6cc7617f9c0b90067f72f4a25fdc5de2564c14ccb90af534a2905f6","issuerUrl":"https://keycloak.apps.84f784b9-290f-43f0-a84a-48ee690c14ab.prod.konfluxeaas.com/realms/tenant-a"}
{"level":"debug","ts":"2026-06-14T23:25:52Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"3dd75e19cd66d310c30638e330078972afd6d2d96305f91055bc6a6f363fb8d3","namespace":"kuadrant-system"}}
{"level":"info","ts":"2026-06-14T23:25:52Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/b1f82c4ba6cc7617f9c0b90067f72f4a25fdc5de2564c14ccb90af534a2905f6"}
{"level":"debug","ts":"2026-06-14T23:25:52Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/331dc257e65f55f80700a586f7807093eda7b3d8e7d91215dc3c47731508480c","issuerUrl":"https://keycloak.apps.84f784b9-290f-43f0-a84a-48ee690c14ab.prod.konfluxeaas.com/realms/tenant-a"}
{"level":"debug","ts":"2026-06-14T23:25:52Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"4dc577fd60594d78a4a8bebe396f4b5a928f41bdc3f95c06d717cf1ddc3158b2","namespace":"kuadrant-system"}}
{"level":"info","ts":"2026-06-14T23:25:52Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/331dc257e65f55f80700a586f7807093eda7b3d8e7d91215dc3c47731508480c"}
{"level":"debug","ts":"2026-06-14T23:25:52Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/311b1be286674fd5684c9ac59b318287dade9769cfe4aeebd8c88e2dc6b72418","issuerUrl":"https://keycloak.apps.84f784b9-290f-43f0-a84a-48ee690c14ab.prod.konfluxeaas.com/realms/tenant-a"}
{"level":"info","ts":"2026-06-14T23:25:52Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/311b1be286674fd5684c9ac59b318287dade9769cfe4aeebd8c88e2dc6b72418"}
{"level":"debug","ts":"2026-06-14T23:25:52Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/3dd75e19cd66d310c30638e330078972afd6d2d96305f91055bc6a6f363fb8d3","issuerUrl":"https://keycloak.apps.84f784b9-290f-43f0-a84a-48ee690c14ab.prod.konfluxeaas.com/realms/tenant-a"}
{"level":"info","ts":"2026-06-14T23:25:52Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/3dd75e19cd66d310c30638e330078972afd6d2d96305f91055bc6a6f363fb8d3"}
{"level":"debug","ts":"2026-06-14T23:25:52Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/4dc577fd60594d78a4a8bebe396f4b5a928f41bdc3f95c06d717cf1ddc3158b2","issuerUrl":"https://keycloak.apps.84f784b9-290f-43f0-a84a-48ee690c14ab.prod.konfluxeaas.com/realms/tenant-a"}
{"level":"info","ts":"2026-06-14T23:25:52Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/4dc577fd60594d78a4a8bebe396f4b5a928f41bdc3f95c06d717cf1ddc3158b2"}
{"level":"info","ts":"2026-06-14T23:25:52Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource de-indexed","authconfig":"kuadrant-system/2200947db0f3acc41dd3fca21efa06f90c57afddd36d719bdda2dc74a0bd0a11"}
{"level":"info","ts":"2026-06-14T23:25:52Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource de-indexed","authconfig":"kuadrant-system/3efb8e937aa19b5e0bdd0c3eb5b4ece33299385dcfc89205b8934853facbdcf0"}
{"level":"info","ts":"2026-06-14T23:26:18Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"ee3e4685-2d9b-4dea-a6f3-8c93e8afcb6d","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.12:37870","PortSpecifier":{"PortValue":37870}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.32:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"ee3e4685-2d9b-4dea-a6f3-8c93e8afcb6d","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.84f784b9-290f-43f0-a84a-48ee690c14ab.prod.konfluxeaas.com","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-14T23:26:18Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"ee3e4685-2d9b-4dea-a6f3-8c93e8afcb6d","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.12:37870","PortSpecifier":{"PortValue":37870}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.32:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781479578,"nanos":20541732},"http":{"id":"ee3e4685-2d9b-4dea-a6f3-8c93e8afcb6d","method":"POST","headers":{":authority":"maas.apps.84f784b9-290f-43f0-a84a-48ee690c14ab.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-14T23:26:18Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"ee3e4685-2d9b-4dea-a6f3-8c93e8afcb6d","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781479877,"groups":["Engineering","Project-Alpha"],"iat":1781479577,"iss":"https://keycloak.apps.84f784b9-290f-43f0-a84a-48ee690c14ab.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:e1a9d0c2-7ead-08b2-bb9a-3b56062d45cb","preferred_username":"alice_lead","scope":"profile email","sid":"fB5-EjoDPkLvdT1WvlkB2aHx","sub":"d5a76a70-b370-4260-92de-ea0452b6b3ff","typ":"Bearer"}}
{"level":"debug","ts":"2026-06-14T23:26:18Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"ee3e4685-2d9b-4dea-a6f3-8c93e8afcb6d","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781479877,"groups":["Engineering","Project-Alpha"],"iat":1781479577,"iss":"https://keycloak.apps.84f784b9-290f-43f0-a84a-48ee690c14ab.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:e1a9d0c2-7ead-08b2-bb9a-3b56062d45cb","preferred_username":"alice_lead","scope":"profile email","sid":"fB5-EjoDPkLvdT1WvlkB2aHx","sub":"d5a76a70-b370-4260-92de-ea0452b6b3ff","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.133.0.32:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.84f784b9-290f-43f0-a84a-48ee690c14ab.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-14T23:26:18Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"ee3e4685-2d9b-4dea-a6f3-8c93e8afcb6d","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-14T23:26:18Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"ee3e4685-2d9b-4dea-a6f3-8c93e8afcb6d","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-14T23:26:18Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"ee3e4685-2d9b-4dea-a6f3-8c93e8afcb6d","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-14T23:26:18Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"ee3e4685-2d9b-4dea-a6f3-8c93e8afcb6d","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"selected_subscription","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"groups","Value":{}},{"Name":"keyId","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"userid","Value":{}}]},"Plain":null},"reason":"no such key: metadata"}
{"level":"debug","ts":"2026-06-14T23:26:18Z","logger":"authorino.service.auth.authpipeline","msg":"skipping config","request id":"ee3e4685-2d9b-4dea-a6f3-8c93e8afcb6d","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"reason":"context canceled"}
{"level":"debug","ts":"2026-06-14T23:26:18Z","logger":"authorino.service.auth.authpipeline","msg":"skipping config","request id":"ee3e4685-2d9b-4dea-a6f3-8c93e8afcb6d","config":{"Name":"X-MaaS-Tenant","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** canceled"}
{"level":"debug","ts":"2026-06-14T23:26:18Z","logger":"authorino.service.auth.authpipeline","msg":"skipping config","request id":"ee3e4685-2d9b-4dea-a6f3-8c93e8afcb6d","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** canceled"}
{"level":"debug","ts":"2026-06-14T23:26:18Z","logger":"authorino.service.auth.authpipeline","msg":"skipping config","request id":"ee3e4685-2d9b-4dea-a6f3-8c93e8afcb6d","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** canceled"}
{"level":"debug","ts":"2026-06-14T23:26:18Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"ee3e4685-2d9b-4dea-a6f3-8c93e8afcb6d","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"}
{"level":"debug","ts":"2026-06-14T23:26:18Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"ee3e4685-2d9b-4dea-a6f3-8c93e8afcb6d","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"}
{"level":"debug","ts":"2026-06-14T23:26:18Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"ee3e4685-2d9b-4dea-a6f3-8c93e8afcb6d","config":{"Name":"X-MaaS-Tenant-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Tenant","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"models-as-a-service"}
{"level":"info","ts":"2026-06-14T23:26:18Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"ee3e4685-2d9b-4dea-a6f3-8c93e8afcb6d","authorized":true,"response":"OK"}
{"level":"debug","ts":"2026-06-14T23:26:18Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"ee3e4685-2d9b-4dea-a6f3-8c93e8afcb6d","authorized":true,"response":"OK"}
{"level":"info","ts":"2026-06-14T23:26:18Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"46980168-ef3f-46ae-9a5e-56745160e77f","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.12:37880","PortSpecifier":{"PortValue":37880}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.32:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"46980168-ef3f-46ae-9a5e-56745160e77f","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.84f784b9-290f-43f0-a84a-48ee690c14ab.prod.konfluxeaas.com","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-14T23:26:18Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"46980168-ef3f-46ae-9a5e-56745160e77f","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.12:37880","PortSpecifier":{"PortValue":37880}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.32:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781479578,"nanos":119334333},"http":{"id":"46980168-ef3f-46ae-9a5e-56745160e77f","method":"POST","headers":{":authority":"maas.apps.84f784b9-290f-43f0-a84a-48ee690c14ab.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-14T23:26:18Z","logger":"authorino.service.auth.authpipeline.identity","msg":"cannot validate identity","request id":"46980168-ef3f-46ae-9a5e-56745160e77f","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"reason":"failed to verify signature: failed to verify id token signature"}
{"level":"debug","ts":"2026-06-14T23:26:18Z","logger":"authorino.service.auth.authpipeline.identity.kubernetesauth","msg":"calling kubernetes token review api","request id":"46980168-ef3f-46ae-9a5e-56745160e77f","tokenreview":{"name":""}}
{"level":"debug","ts":"2026-06-14T23:26:18Z","logger":"authorino.service.auth.authpipeline.identity","msg":"cannot validate identity","request id":"46980168-ef3f-46ae-9a5e-56745160e77f","config":{"Name":"openshift-identities","Priority":2,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":null,"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"Plain":null,"Noop":null,"ExtendedProperties":[]},"reason":"not authenticated"}
{"level":"info","ts":"2026-06-14T23:26:18Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"46980168-ef3f-46ae-9a5e-56745160e77f","authorized":false,"response":"UNAUTHENTICATED","object":{"code":16,"status":401,"message":"Authentication required"}}
{"level":"debug","ts":"2026-06-14T23:26:18Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"46980168-ef3f-46ae-9a5e-56745160e77f","authorized":false,"response":"UNAUTHENTICATED","object":{"code":16,"status":401,"message":"Authentication required","headers":[{"WWW-Authenticate":"request.headers.authorization realm=\"api-keys\""},{"WWW-Authenticate":"Bearer **** realm=\"openshift-identities\""}]}}
{"level":"info","ts":"2026-06-14T23:26:18Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"636dac4e-4cc7-4a73-9406-c6eb2389eb48","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.12:37888","PortSpecifier":{"PortValue":37888}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.32:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"636dac4e-4cc7-4a73-9406-c6eb2389eb48","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.84f784b9-290f-43f0-a84a-48ee690c14ab.prod.konfluxeaas.com","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-14T23:26:18Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"636dac4e-4cc7-4a73-9406-c6eb2389eb48","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.12:37888","PortSpecifier":{"PortValue":37888}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.32:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781479578,"nanos":158829945},"http":{"id":"636dac4e-4cc7-4a73-9406-c6eb2389eb48","method":"POST","headers":{":authority":"maas.apps.84f784b9-290f-43f0-a84a-48ee690c14ab.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer","content-length":"35","content-type":"application/json","forwarded":"for=34.228.250.194;host=maas.apps.84f784b9-290f-43f0-a84a-48ee690c14ab.prod.konfluxeaas.com;proto=https","user-agent":"python-requests/2.32.5","x-envoy-decorator-operation":"maas-api.opendatahub.svc.cluster.local:8443/*","x-envoy-external-address":"10.133.0.12","x-envoy-peer-metadata":"ChoKCkNMVVNURVJfSUQSDBoKS3ViZXJuZXRlcwqLAQoGTEFCRUxTEoABKn4KSwofc2VydmljZS5pc3Rpby5pby9jYW5vbmljYWwtbmFtZRIoGiZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAovCiNzZXJ2aWNlLmlzdGlvLmlvL2Nhbm9uaWNhbC1yZXZpc2lvbhIIGgZsYXRlc3QKQAoETkFNRRI4GjZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdC02ODdmZjY5OTYtajR6YnIKIAoJTkFNRVNQQUNFEhMaEW9wZW5zaGlmdC1pbmdyZXNzCnQKBU9XTkVSEmsaaWt1YmVybmV0ZXM6Ly9hcGlzL2FwcHMvdjEvbmFtZXNwYWNlcy9vcGVuc2hpZnQtaW5ncmVzcy9kZXBsb3ltZW50cy9tYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAo5Cg1XT1JLTE9BRF9OQU1FEigaJm1hYXMtZGVmYXVsdC1nYXRld2F5LW9wZW5zaGlmdC1kZWZhdWx0","x-envoy-peer-metadata-id":"router~10.133.0.32~maas-default-gateway-openshift-default-687ff6996-j4zbr.openshift-ingress~openshift-ingress.svc.cluster.local","x-forwarded-for":"34.228.250.194,10.133.0.12","x-forwarded-host":"maas.apps.84f784b9-290f-43f0-a84a-48ee690c14ab.prod.konfluxeaas.com","x-forwarded-port":"443","x-forwarded-proto":"https","x-request-id":"636dac4e-4cc7-4a73-9406-c6eb2389eb48"},"path":"/maas-api/v1/api-keys","host":"maas.apps.84f784b9-290f-43f0-a84a-48ee690c14ab.prod.konfluxeaas.com","scheme":"https","protocol":"HTTP/1.1"}},"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"metadata_context":{}}}
{"level":"debug","ts":"2026-06-14T23:26:18Z","logger":"authorino.service.auth.authpipeline.identity","msg":"cannot validate identity","request id":"636dac4e-4cc7-4a73-9406-c6eb2389eb48","config":{"Name":"openshift-identities","Priority":2,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":null,"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"Plain":null,"Noop":null,"ExtendedProperties":[]},"reason":"credential not found"}
{"level":"info","ts":"2026-06-14T23:26:18Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"636dac4e-4cc7-4a73-9406-c6eb2389eb48","authorized":false,"response":"UNAUTHENTICATED","object":{"code":16,"status":401,"message":"Authentication required"}}
{"level":"debug","ts":"2026-06-14T23:26:18Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"636dac4e-4cc7-4a73-9406-c6eb2389eb48","authorized":false,"response":"UNAUTHENTICATED","object":{"code":16,"status":401,"message":"Authentication required","headers":[{"WWW-Authenticate":"request.headers.authorization realm=\"api-keys\""},{"WWW-Authenticate":"Bearer **** realm=\"openshift-identities\""}]}}
{"level":"info","ts":"2026-06-14T23:26:18Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"76f92ed5-753f-4dc5-a545-be566df5100b","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.12:37904","PortSpecifier":{"PortValue":37904}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.32:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"76f92ed5-753f-4dc5-a545-be566df5100b","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.84f784b9-290f-43f0-a84a-48ee690c14ab.prod.konfluxeaas.com","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-14T23:26:18Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"76f92ed5-753f-4dc5-a545-be566df5100b","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.12:37904","PortSpecifier":{"PortValue":37904}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.32:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781479578,"nanos":183393194},"http":{"id":"76f92ed5-753f-4dc5-a545-be566df5100b","method":"POST","headers":{":authority":"maas.apps.84f784b9-290f-43f0-a84a-48ee690c14ab.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","content-length":"36","content-type":"application/json","forwarded":"for=34.228.250.194;host=maas.apps.84f784b9-290f-43f0-a84a-48ee690c14ab.prod.konfluxeaas.com;proto=https","user-agent":"python-requests/2.32.5","x-envoy-decorator-operation":"maas-api.opendatahub.svc.cluster.local:8443/*","x-envoy-external-address":"10.133.0.12","x-envoy-peer-metadata":"ChoKCkNMVVNURVJfSUQSDBoKS3ViZXJuZXRlcwqLAQoGTEFCRUxTEoABKn4KSwofc2VydmljZS5pc3Rpby5pby9jYW5vbmljYWwtbmFtZRIoGiZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAovCiNzZXJ2aWNlLmlzdGlvLmlvL2Nhbm9uaWNhbC1yZXZpc2lvbhIIGgZsYXRlc3QKQAoETkFNRRI4GjZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdC02ODdmZjY5OTYtajR6YnIKIAoJTkFNRVNQQUNFEhMaEW9wZW5zaGlmdC1pbmdyZXNzCnQKBU9XTkVSEmsaaWt1YmVybmV0ZXM6Ly9hcGlzL2FwcHMvdjEvbmFtZXNwYWNlcy9vcGVuc2hpZnQtaW5ncmVzcy9kZXBsb3ltZW50cy9tYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAo5Cg1XT1JLTE9BRF9OQU1FEigaJm1hYXMtZGVmYXVsdC1nYXRld2F5LW9wZW5zaGlmdC1kZWZhdWx0","x-envoy-peer-metadata-id":"router~10.133.0.32~maas-default-gateway-openshift-default-687ff6996-j4zbr.openshift-ingress~openshift-ingress.svc.cluster.local","x-forwarded-for":"34.228.250.194,10.133.0.12","x-forwarded-host":"maas.apps.84f784b9-290f-43f0-a84a-48ee690c14ab.prod.konfluxeaas.com","x-forwarded-port":"443","x-forwarded-proto":"https","x-request-id":"76f92ed5-753f-4dc5-a545-be566df5100b"},"path":"/maas-api/v1/api-keys","host":"maas.apps.84f784b9-290f-43f0-a84a-48ee690c14ab.prod.konfluxeaas.com","scheme":"https","protocol":"HTTP/1.1"}},"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"metadata_context":{}}}
{"level":"info","ts":"2026-06-14T23:26:18Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"76f92ed5-753f-4dc5-a545-be566df5100b","authorized":false,"response":"UNAUTHENTICATED","object":{"code":16,"status":401,"message":"Authentication required"}}
{"level":"debug","ts":"2026-06-14T23:26:18Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"76f92ed5-753f-4dc5-a545-be566df5100b","authorized":false,"response":"UNAUTHENTICATED","object":{"code":16,"status":401,"message":"Authentication required","headers":[{"WWW-Authenticate":"request.headers.authorization realm=\"api-keys\""},{"WWW-Authenticate":"Bearer **** realm=\"openshift-identities\""}]}}
{"level":"info","ts":"2026-06-14T23:26:18Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"d867b692-84ca-4c7e-ac16-c879ca1c91fa","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.12:37908","PortSpecifier":{"PortValue":37908}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.32:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"d867b692-84ca-4c7e-ac16-c879ca1c91fa","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.84f784b9-290f-43f0-a84a-48ee690c14ab.prod.konfluxeaas.com","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-14T23:26:18Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"d867b692-84ca-4c7e-ac16-c879ca1c91fa","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.12:37908","PortSpecifier":{"PortValue":37908}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.32:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781479578,"nanos":574993727},"http":{"id":"d867b692-84ca-4c7e-ac16-c879ca1c91fa","method":"POST","headers":{":authority":"maas.apps.84f784b9-290f-43f0-a84a-48ee690c14ab.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-14T23:26:18Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"d867b692-84ca-4c7e-ac16-c879ca1c91fa","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781479878,"groups":["Site-Reliability"],"iat":1781479578,"iss":"https://keycloak.apps.84f784b9-290f-43f0-a84a-48ee690c14ab.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:747fa142-7a0d-2b74-f423-d2469bbd8133","preferred_username":"bob_sre","scope":"profile email","sid":"vn4cPgNdKNH7H4ANrA4dCI1G","sub":"f2040098-88b1-443b-b5e4-44104fa30b95","typ":"Bearer"}}
{"level":"debug","ts":"2026-06-14T23:26:18Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"d867b692-84ca-4c7e-ac16-c879ca1c91fa","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781479878,"groups":["Site-Reliability"],"iat":1781479578,"iss":"https://keycloak.apps.84f784b9-290f-43f0-a84a-48ee690c14ab.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:747fa142-7a0d-2b74-f423-d2469bbd8133","preferred_username":"bob_sre","scope":"profile email","sid":"vn4cPgNdKNH7H4ANrA4dCI1G","sub":"f2040098-88b1-443b-b5e4-44104fa30b95","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.133.0.32:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.84f784b9-290f-43f0-a84a-48ee690c14ab.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-14T23:26:18Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"d867b692-84ca-4c7e-ac16-c879ca1c91fa","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-14T23:26:18Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"d867b692-84ca-4c7e-ac16-c879ca1c91fa","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-14T23:26:18Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"d867b692-84ca-4c7e-ac16-c879ca1c91fa","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-14T23:26:18Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"d867b692-84ca-4c7e-ac16-c879ca1c91fa","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"selected_subscription","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"groups","Value":{}},{"Name":"keyId","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"userid","Value":{}}]},"Plain":null},"reason":"no such key: metadata"}
{"level":"debug","ts":"2026-06-14T23:26:18Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"d867b692-84ca-4c7e-ac16-c879ca1c91fa","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Site-Reliability\"]"}
{"level":"debug","ts":"2026-06-14T23:26:18Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"d867b692-84ca-4c7e-ac16-c879ca1c91fa","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"bob_sre"}
{"level":"debug","ts":"2026-06-14T23:26:18Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"d867b692-84ca-4c7e-ac16-c879ca1c91fa","config":{"Name":"X-MaaS-Tenant-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Tenant","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"models-as-a-service"}
{"level":"info","ts":"2026-06-14T23:26:18Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"d867b692-84ca-4c7e-ac16-c879ca1c91fa","authorized":true,"response":"OK"}
{"level":"debug","ts":"2026-06-14T23:26:18Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"d867b692-84ca-4c7e-ac16-c879ca1c91fa","authorized":true,"response":"OK"}
{"level":"info","ts":"2026-06-14T23:26:18Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"da0e1957-af48-4ecc-a985-773ae6f17390","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.12:37914","PortSpecifier":{"PortValue":37914}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.32:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"da0e1957-af48-4ecc-a985-773ae6f17390","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.84f784b9-290f-43f0-a84a-48ee690c14ab.prod.konfluxeaas.com","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-14T23:26:18Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"da0e1957-af48-4ecc-a985-773ae6f17390","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.12:37914","PortSpecifier":{"PortValue":37914}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.32:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781479578,"nanos":797398941},"http":{"id":"da0e1957-af48-4ecc-a985-773ae6f17390","method":"POST","headers":{":authority":"maas.apps.84f784b9-290f-43f0-a84a-48ee690c14ab.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-14T23:26:18Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"da0e1957-af48-4ecc-a985-773ae6f17390","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781479878,"groups":["Engineering","Project-Alpha"],"iat":1781479578,"iss":"https://keycloak.apps.84f784b9-290f-43f0-a84a-48ee690c14ab.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:58ccb0aa-0047-5915-b559-e48d20af3601","preferred_username":"alice_lead","scope":"profile email","sid":"coNQXOiXvodOL-_JhG2dEAwV","sub":"d5a76a70-b370-4260-92de-ea0452b6b3ff","typ":"Bearer"}}
{"level":"debug","ts":"2026-06-14T23:26:18Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"da0e1957-af48-4ecc-a985-773ae6f17390","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781479878,"groups":["Engineering","Project-Alpha"],"iat":1781479578,"iss":"https://keycloak.apps.84f784b9-290f-43f0-a84a-48ee690c14ab.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:58ccb0aa-0047-5915-b559-e48d20af3601","preferred_username":"alice_lead","scope":"profile email","sid":"coNQXOiXvodOL-_JhG2dEAwV","sub":"d5a76a70-b370-4260-92de-ea0452b6b3ff","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.133.0.32:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.84f784b9-290f-43f0-a84a-48ee690c14ab.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-14T23:26:18Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"da0e1957-af48-4ecc-a985-773ae6f17390","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-14T23:26:18Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"da0e1957-af48-4ecc-a985-773ae6f17390","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-14T23:26:18Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"da0e1957-af48-4ecc-a985-773ae6f17390","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-14T23:26:18Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"da0e1957-af48-4ecc-a985-773ae6f17390","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"selected_subscription","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"groups","Value":{}},{"Name":"keyId","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"userid","Value":{}}]},"Plain":null},"reason":"no such key: metadata"}
{"level":"debug","ts":"2026-06-14T23:26:18Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"da0e1957-af48-4ecc-a985-773ae6f17390","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"}
{"level":"debug","ts":"2026-06-14T23:26:18Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"da0e1957-af48-4ecc-a985-773ae6f17390","config":{"Name":"X-MaaS-Tenant-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Tenant","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"models-as-a-service"}
{"level":"debug","ts":"2026-06-14T23:26:18Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"da0e1957-af48-4ecc-a985-773ae6f17390","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"}
{"level":"info","ts":"2026-06-14T23:26:18Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"da0e1957-af48-4ecc-a985-773ae6f17390","authorized":true,"response":"OK"}
{"level":"debug","ts":"2026-06-14T23:26:18Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"da0e1957-af48-4ecc-a985-773ae6f17390","authorized":true,"response":"OK"}
{"level":"info","ts":"2026-06-14T23:26:18Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"afb320e7-316f-4b65-9dc2-60a8c3179a90","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.12:37926","PortSpecifier":{"PortValue":37926}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.32:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"afb320e7-316f-4b65-9dc2-60a8c3179a90","method":"GET","path":"/maas-api/v1/models","host":"maas.apps.84f784b9-290f-43f0-a84a-48ee690c14ab.prod.konfluxeaas.com","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-14T23:26:18Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"afb320e7-316f-4b65-9dc2-60a8c3179a90","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.12:37926","PortSpecifier":{"PortValue":37926}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.32:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781479578,"nanos":823144852},"http":{"id":"afb320e7-316f-4b65-9dc2-60a8c3179a90","method":"GET","headers":{":authority":"maas.apps.84f784b9-290f-43f0-a84a-48ee690c14ab.prod.konfluxeaas.com",":method":"GET",":path":"/maas-api/v1/models",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-14T23:26:18Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"afb320e7-316f-4b65-9dc2-60a8c3179a90","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-13bxOZEJPNa850qb1_ksauzPedb5SI25mP18i4T46bz8Mwu38bnSdNo8BSnwg"}
{"level":"debug","ts":"2026-06-14T23:26:18Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"afb320e7-316f-4b65-9dc2-60a8c3179a90","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-13bxOZEJPNa850qb1_ksauzPedb5SI25mP18i4T46bz8Mwu38bnSdNo8BSnwg\"}"}
{"level":"debug","ts":"2026-06-14T23:26:18Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"afb320e7-316f-4b65-9dc2-60a8c3179a90","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-14T23:26:18Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"afb320e7-316f-4b65-9dc2-60a8c3179a90","input":{"auth":{"identity":"Bearer **** deflate","authorization":"Bearer **** deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-14T23:26:18Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"afb320e7-316f-4b65-9dc2-60a8c3179a90","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-14T23:26:18Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"afb320e7-316f-4b65-9dc2-60a8c3179a90","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-14T23:26:18Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"afb320e7-316f-4b65-9dc2-60a8c3179a90","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-14T23:26:18Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"afb320e7-316f-4b65-9dc2-60a8c3179a90","config":{"Name":"X-MaaS-Tenant","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-14T23:26:18Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"afb320e7-316f-4b65-9dc2-60a8c3179a90","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-14T23:26:18Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"afb320e7-316f-4b65-9dc2-60a8c3179a90","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"selected_subscription","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"groups","Value":{}},{"Name":"keyId","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"userid","Value":{}}]},"Plain":null},"reason":"no such key: subscription-info"}
{"level":"debug","ts":"2026-06-14T23:26:18Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"afb320e7-316f-4b65-9dc2-60a8c3179a90","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-14T23:26:18Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"afb320e7-316f-4b65-9dc2-60a8c3179a90","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"}
{"level":"info","ts":"2026-06-14T23:26:18Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"afb320e7-316f-4b65-9dc2-60a8c3179a90","authorized":true,"response":"OK"}
{"level":"debug","ts":"2026-06-14T23:26:18Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"afb320e7-316f-4b65-9dc2-60a8c3179a90","authorized":true,"response":"OK"}
{"level":"info","ts":"2026-06-14T23:26:18Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"906bbc64-eda6-481b-9e11-125ca2a04c44","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.48:58796","PortSpecifier":{"PortValue":58796}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.32:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"906bbc64-eda6-481b-9e11-125ca2a04c44","method":"GET","path":"/llm/facebook-opt-125m-simulated/v1/models","host":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-14T23:26:18Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"906bbc64-eda6-481b-9e11-125ca2a04c44","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.48:58796","PortSpecifier":{"PortValue":58796}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.32:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781479578,"nanos":838449775},"http":{"id":"906bbc64-eda6-481b-9e11-125ca2a04c44","method":"GET","headers":{":authority":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local",":method":"GET",":path":"/llm/facebook-opt-125m-simulated/v1/models",":scheme":"https","accept-encoding":"gzip","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-14T23:26:18Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"906bbc64-eda6-481b-9e11-125ca2a04c44","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-13bxOZEJPNa850qb1_ksauzPedb5SI25mP18i4T46bz8Mwu38bnSdNo8BSnwg"}
{"level":"debug","ts":"2026-06-14T23:26:18Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"906bbc64-eda6-481b-9e11-125ca2a04c44","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-13bxOZEJPNa850qb1_ksauzPedb5SI25mP18i4T46bz8Mwu38bnSdNo8BSnwg\"}"}
{"level":"debug","ts":"2026-06-14T23:26:18Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"906bbc64-eda6-481b-9e11-125ca2a04c44","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-14T23:26:18Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"906bbc64-eda6-481b-9e11-125ca2a04c44","config":"subscription-info","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","headers":{"Content-Type":["application/json"]},"body":"{\"groups\":[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"],\"requestedModel\":\"llm/facebook-opt-125m-simulated\",\"requestedSubscription\":\"simulator-subscription\",\"username\":\"alice_lead\"}"}
{"level":"debug","ts":"2026-06-14T23:26:18Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"906bbc64-eda6-481b-9e11-125ca2a04c44","config":{"Name":"subscription-info","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"UserInfo":null,"UMA":null,"GenericHTTP":{"Endpoint":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","DynamicEndpoint":null,"Method":"POST","Body":{},"Parameters":[],"Headers":[],"ContentType":"application/json","SharedSecret":"","OAuth2":null,"OAuth2TokenForceFetch":false,"AuthCredentials":null}},"object":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}}
{"level":"debug","ts":"2026-06-14T23:26:18Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"906bbc64-eda6-481b-9e11-125ca2a04c44","input":{"auth":{"identity":"Bearer **** subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}}},"context":{"context_extensions":{"host":"3dd75e19cd66d310c30638e330078972afd6d2d96305f91055bc6a6f363fb8d3"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.133.0.32:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local",":method":"GET",":path":"/llm/facebook-opt-125m-simulated/v1/models",":scheme":"https","accept-encoding":"gzip","authorization":"Bearer **** sk-oai-13bxOZEJPNa850qb1_ksauzPedb5SI25mP18i4T46bz8Mwu38bnSdNo8BSnwg","user-agent":"Go-http-client/1.1","x-envoy-decorator-operation":"facebook-opt-125m-simulated-kserve-workload-svc.llm.svc.cluster.local:8000/*","x-envoy-external-address":"10.134.0.48","x-envoy-peer-metadata":"ChoKCkNMVVNURVJfSUQSDBoKS3ViZXJuZXRlcwqLAQoGTEFCRUxTEoABKn4KSwofc2VydmljZS5pc3Rpby5pby9jYW5vbmljYWwtbmFtZRIoGiZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAovCiNzZXJ2aWNlLmlzdGlvLmlvL2Nhbm9uaWNhbC1yZXZpc2lvbhIIGgZsYXRlc3QKQAoETkFNRRI4GjZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdC02ODdmZjY5OTYtajR6YnIKIAoJTkFNRVNQQUNFEhMaEW9wZW5zaGlmdC1pbmdyZXNzCnQKBU9XTkVSEmsaaWt1YmVybmV0ZXM6Ly9hcGlzL2FwcHMvdjEvbmFtZXNwYWNlcy9vcGVuc2hpZnQtaW5ncmVzcy9kZXBsb3ltZW50cy9tYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAo5Cg1XT1JLTE9BRF9OQU1FEigaJm1hYXMtZGVmYXVsdC1nYXRld2F5LW9wZW5zaGlmdC1kZWZhdWx0","x-envoy-peer-metadata-id":"router~10.133.0.32~maas-default-gateway-openshift-default-687ff6996-j4zbr.openshift-ingress~openshift-ingress.svc.cluster.local","x-forwarded-for":"10.134.0.48","x-forwarded-proto":"https","x-maas-subscription":"simulator-subscription","x-request-id":"906bbc64-eda6-481b-9e11-125ca2a04c44"},"host":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local","id":"906bbc64-eda6-481b-9e11-125ca2a04c44","method":"GET","path":"/llm/facebook-opt-125m-simulated/v1/models","protocol":"HTTP/1.1","scheme":"https","time":{"nanos":838449775,"seconds":1781479578},"url_path":"/llm/facebook-opt-125m-simulated/v1/models","user_agent":"Go-http-client/1.1"},"source":{"address":"10.134.0.48:58796","port":58796}}}
{"level":"debug","ts":"2026-06-14T23:26:18Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"906bbc64-eda6-481b-9e11-125ca2a04c44","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-14T23:26:18Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"906bbc64-eda6-481b-9e11-125ca2a04c44","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-14T23:26:18Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"906bbc64-eda6-481b-9e11-125ca2a04c44","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-14T23:26:18Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"906bbc64-eda6-481b-9e11-125ca2a04c44","config":{"Name":"subscription-valid","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-14T23:26:18Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"906bbc64-eda6-481b-9e11-125ca2a04c44","config":{"Name":"X-MaaS-Tenant","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-14T23:26:18Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"906bbc64-eda6-481b-9e11-125ca2a04c44","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-14T23:26:18Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"906bbc64-eda6-481b-9e11-125ca2a04c44","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-14T23:26:18Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"906bbc64-eda6-481b-9e11-125ca2a04c44","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"}
{"level":"debug","ts":"2026-06-14T23:26:18Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"906bbc64-eda6-481b-9e11-125ca2a04c44","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"userid","Value":{}},{"Name":"groups","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"subscription_info","Value":{}}]},"Plain":null},"object":{"groups":["system:authenticated","Engineering","Project-Alpha"],"groups_str":"system:authenticated,Engineering,Project-Alpha","keyId":"43c71679-db43-41d2-8e9b-d5e69239943d","selected_subscription":"simulator-subscription","selected_subscription_key":"models-as-a-service/simulator-subscription@llm/facebook-opt-125m-simulated","subscription_error":"","subscription_error_message":"","subscription_info":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true},"userid":"alice_lead"}}
{"level":"info","ts":"2026-06-14T23:26:18Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"906bbc64-eda6-481b-9e11-125ca2a04c44","authorized":true,"response":"OK"}
{"level":"debug","ts":"2026-06-14T23:26:18Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"906bbc64-eda6-481b-9e11-125ca2a04c44","authorized":true,"response":"OK"}
{"level":"info","ts":"2026-06-14T23:26:18Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"0534dd85-14a0-46ef-ba7a-84bb906a7063","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.12:37942","PortSpecifier":{"PortValue":37942}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.32:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"0534dd85-14a0-46ef-ba7a-84bb906a7063","method":"POST","path":"/llm/facebook-opt-125m-simulated/v1/chat/completions","host":"maas.apps.84f784b9-290f-43f0-a84a-48ee690c14ab.prod.konfluxeaas.com","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-14T23:26:18Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"0534dd85-14a0-46ef-ba7a-84bb906a7063","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.12:37942","PortSpecifier":{"PortValue":37942}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.32:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781479578,"nanos":870559276},"http":{"id":"0534dd85-14a0-46ef-ba7a-84bb906a7063","method":"POST","headers":{":authority":"maas.apps.84f784b9-290f-43f0-a84a-48ee690c14ab.prod.konfluxeaas.com",":method":"POST",":path":"/llm/facebook-opt-125m-simulated/v1/chat/completions",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-14T23:26:18Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"0534dd85-14a0-46ef-ba7a-84bb906a7063","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-13bxOZEJPNa850qb1_ksauzPedb5SI25mP18i4T46bz8Mwu38bnSdNo8BSnwg"}
{"level":"debug","ts":"2026-06-14T23:26:18Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"0534dd85-14a0-46ef-ba7a-84bb906a7063","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-13bxOZEJPNa850qb1_ksauzPedb5SI25mP18i4T46bz8Mwu38bnSdNo8BSnwg\"}"}
{"level":"debug","ts":"2026-06-14T23:26:18Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"0534dd85-14a0-46ef-ba7a-84bb906a7063","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-14T23:26:18Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"0534dd85-14a0-46ef-ba7a-84bb906a7063","config":"subscription-info","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","headers":{"Content-Type":["application/json"]},"body":"{\"groups\":[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"],\"requestedModel\":\"llm/facebook-opt-125m-simulated\",\"requestedSubscription\":\"simulator-subscription\",\"username\":\"alice_lead\"}"}
{"level":"debug","ts":"2026-06-14T23:26:18Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"0534dd85-14a0-46ef-ba7a-84bb906a7063","config":{"Name":"subscription-info","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"UserInfo":null,"UMA":null,"GenericHTTP":{"Endpoint":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","DynamicEndpoint":null,"Method":"POST","Body":{},"Parameters":[],"Headers":[],"ContentType":"application/json","SharedSecret":"","OAuth2":null,"OAuth2TokenForceFetch":false,"AuthCredentials":null}},"object":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}}
{"level":"debug","ts":"2026-06-14T23:26:18Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"0534dd85-14a0-46ef-ba7a-84bb906a7063","input":{"auth":{"identity":"Bearer **** subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}}},"context":{"context_extensions":{"host":"18e32965997cdd9967355c6fa5264ed12c0a215989d459ed88d7d6de02865f76"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.133.0.32:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.84f784b9-290f-43f0-a84a-48ee690c14ab.prod.konfluxeaas.com",":method":"POST",":path":"/llm/facebook-opt-125m-simulated/v1/chat/completions",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-14T23:26:18Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"0534dd85-14a0-46ef-ba7a-84bb906a7063","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-14T23:26:18Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"0534dd85-14a0-46ef-ba7a-84bb906a7063","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-14T23:26:18Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"0534dd85-14a0-46ef-ba7a-84bb906a7063","config":{"Name":"subscription-valid","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-14T23:26:18Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"0534dd85-14a0-46ef-ba7a-84bb906a7063","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-14T23:26:18Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"0534dd85-14a0-46ef-ba7a-84bb906a7063","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-14T23:26:18Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"0534dd85-14a0-46ef-ba7a-84bb906a7063","config":{"Name":"X-MaaS-Tenant","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-14T23:26:18Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"0534dd85-14a0-46ef-ba7a-84bb906a7063","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-14T23:26:18Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"0534dd85-14a0-46ef-ba7a-84bb906a7063","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"}
{"level":"debug","ts":"2026-06-14T23:26:18Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"0534dd85-14a0-46ef-ba7a-84bb906a7063","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"selected_subscription_key","Value":{}},{"Name":"groups","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"userid","Value":{}},{"Name":"keyId","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_info","Value":{}}]},"Plain":null},"object":{"groups":["system:authenticated","Engineering","Project-Alpha"],"groups_str":"system:authenticated,Engineering,Project-Alpha","keyId":"43c71679-db43-41d2-8e9b-d5e69239943d","selected_subscription":"simulator-subscription","selected_subscription_key":"models-as-a-service/simulator-subscription@llm/facebook-opt-125m-simulated","subscription_error":"","subscription_error_message":"","subscription_info":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true},"userid":"alice_lead"}}
{"level":"info","ts":"2026-06-14T23:26:18Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"0534dd85-14a0-46ef-ba7a-84bb906a7063","authorized":true,"response":"OK"}
{"level":"debug","ts":"2026-06-14T23:26:18Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"0534dd85-14a0-46ef-ba7a-84bb906a7063","authorized":true,"response":"OK"}
{"level":"info","ts":"2026-06-14T23:26:18Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"4ae406f4-8cce-44ca-b043-518d73571f7d","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.12:37956","PortSpecifier":{"PortValue":37956}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.32:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"4ae406f4-8cce-44ca-b043-518d73571f7d","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.84f784b9-290f-43f0-a84a-48ee690c14ab.prod.konfluxeaas.com","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-14T23:26:18Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"4ae406f4-8cce-44ca-b043-518d73571f7d","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.12:37956","PortSpecifier":{"PortValue":37956}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.32:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781479578,"nanos":955127795},"http":{"id":"4ae406f4-8cce-44ca-b043-518d73571f7d","method":"POST","headers":{":authority":"maas.apps.84f784b9-290f-43f0-a84a-48ee690c14ab.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-14T23:26:18Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"4ae406f4-8cce-44ca-b043-518d73571f7d","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781479878,"groups":["Engineering","Project-Alpha"],"iat":1781479578,"iss":"https://keycloak.apps.84f784b9-290f-43f0-a84a-48ee690c14ab.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:ab38d262-1275-3a51-45cd-01bc7da5cd25","preferred_username":"alice_lead","scope":"profile email","sid":"lmJyNVRL35qPJRHD0jS3UzXf","sub":"d5a76a70-b370-4260-92de-ea0452b6b3ff","typ":"Bearer"}}
{"level":"debug","ts":"2026-06-14T23:26:18Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"4ae406f4-8cce-44ca-b043-518d73571f7d","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781479878,"groups":["Engineering","Project-Alpha"],"iat":1781479578,"iss":"https://keycloak.apps.84f784b9-290f-43f0-a84a-48ee690c14ab.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:ab38d262-1275-3a51-45cd-01bc7da5cd25","preferred_username":"alice_lead","scope":"profile email","sid":"lmJyNVRL35qPJRHD0jS3UzXf","sub":"d5a76a70-b370-4260-92de-ea0452b6b3ff","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.133.0.32:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.84f784b9-290f-43f0-a84a-48ee690c14ab.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-14T23:26:18Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"4ae406f4-8cce-44ca-b043-518d73571f7d","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-14T23:26:18Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"4ae406f4-8cce-44ca-b043-518d73571f7d","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-14T23:26:18Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"4ae406f4-8cce-44ca-b043-518d73571f7d","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-14T23:26:18Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"4ae406f4-8cce-44ca-b043-518d73571f7d","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"selected_subscription","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"groups","Value":{}},{"Name":"keyId","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"userid","Value":{}}]},"Plain":null},"reason":"no such key: metadata"}
{"level":"debug","ts":"2026-06-14T23:26:18Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"4ae406f4-8cce-44ca-b043-518d73571f7d","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"}
{"level":"debug","ts":"2026-06-14T23:26:18Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"4ae406f4-8cce-44ca-b043-518d73571f7d","config":{"Name":"X-MaaS-Tenant-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Tenant","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"models-as-a-service"}
{"level":"debug","ts":"2026-06-14T23:26:18Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"4ae406f4-8cce-44ca-b043-518d73571f7d","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"}
{"level":"info","ts":"2026-06-14T23:26:18Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"4ae406f4-8cce-44ca-b043-518d73571f7d","authorized":true,"response":"OK"}
{"level":"debug","ts":"2026-06-14T23:26:18Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"4ae406f4-8cce-44ca-b043-518d73571f7d","authorized":true,"response":"OK"}
{"level":"info","ts":"2026-06-14T23:26:19Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"e408deef-d44e-47ca-b054-54ce7a398976","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.12:37958","PortSpecifier":{"PortValue":37958}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.32:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"e408deef-d44e-47ca-b054-54ce7a398976","method":"DELETE","path":"/maas-api/v1/api-keys/3138b628-d18d-4daf-9f7f-d8977ec193ba","host":"maas.apps.84f784b9-290f-43f0-a84a-48ee690c14ab.prod.konfluxeaas.com","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-14T23:26:19Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"e408deef-d44e-47ca-b054-54ce7a398976","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.12:37958","PortSpecifier":{"PortValue":37958}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.32:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781479579,"nanos":2584769},"http":{"id":"e408deef-d44e-47ca-b054-54ce7a398976","method":"DELETE","headers":{":authority":"maas.apps.84f784b9-290f-43f0-a84a-48ee690c14ab.prod.konfluxeaas.com",":method":"DELETE",":path":"/maas-api/v1/api-keys/3138b628-d18d-4daf-9f7f-d8977ec193ba",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-14T23:26:19Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"e408deef-d44e-47ca-b054-54ce7a398976","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781479878,"groups":["Engineering","Project-Alpha"],"iat":1781479578,"iss":"https://keycloak.apps.84f784b9-290f-43f0-a84a-48ee690c14ab.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:ab38d262-1275-3a51-45cd-01bc7da5cd25","preferred_username":"alice_lead","scope":"profile email","sid":"lmJyNVRL35qPJRHD0jS3UzXf","sub":"d5a76a70-b370-4260-92de-ea0452b6b3ff","typ":"Bearer"}}
{"level":"debug","ts":"2026-06-14T23:26:19Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"e408deef-d44e-47ca-b054-54ce7a398976","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781479878,"groups":["Engineering","Project-Alpha"],"iat":1781479578,"iss":"https://keycloak.apps.84f784b9-290f-43f0-a84a-48ee690c14ab.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:ab38d262-1275-3a51-45cd-01bc7da5cd25","preferred_username":"alice_lead","scope":"profile email","sid":"lmJyNVRL35qPJRHD0jS3UzXf","sub":"d5a76a70-b370-4260-92de-ea0452b6b3ff","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.133.0.32:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.84f784b9-290f-43f0-a84a-48ee690c14ab.prod.konfluxeaas.com",":method":"DELETE",":path":"/maas-api/v1/api-keys/3138b628-d18d-4daf-9f7f-d8977ec193ba",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-14T23:26:19Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"e408deef-d44e-47ca-b054-54ce7a398976","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-14T23:26:19Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"e408deef-d44e-47ca-b054-54ce7a398976","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-14T23:26:19Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"e408deef-d44e-47ca-b054-54ce7a398976","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-14T23:26:19Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"e408deef-d44e-47ca-b054-54ce7a398976","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"selected_subscription","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"groups","Value":{}},{"Name":"keyId","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"userid","Value":{}}]},"Plain":null},"reason":"no such key: metadata"}
{"level":"debug","ts":"2026-06-14T23:26:19Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"e408deef-d44e-47ca-b054-54ce7a398976","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"}
{"level":"debug","ts":"2026-06-14T23:26:19Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"e408deef-d44e-47ca-b054-54ce7a398976","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"}
{"level":"debug","ts":"2026-06-14T23:26:19Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"e408deef-d44e-47ca-b054-54ce7a398976","config":{"Name":"X-MaaS-Tenant-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Tenant","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"models-as-a-service"}
{"level":"info","ts":"2026-06-14T23:26:19Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"e408deef-d44e-47ca-b054-54ce7a398976","authorized":true,"response":"OK"}
{"level":"debug","ts":"2026-06-14T23:26:19Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"e408deef-d44e-47ca-b054-54ce7a398976","authorized":true,"response":"OK"}
{"level":"info","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"0f1565a2-573b-485d-8698-652c99e3f85f","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.12:37966","PortSpecifier":{"PortValue":37966}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.32:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"0f1565a2-573b-485d-8698-652c99e3f85f","method":"GET","path":"/maas-api/v1/models","host":"maas.apps.84f784b9-290f-43f0-a84a-48ee690c14ab.prod.konfluxeaas.com","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"0f1565a2-573b-485d-8698-652c99e3f85f","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.12:37966","PortSpecifier":{"PortValue":37966}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.32:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781479582,"nanos":33174374},"http":{"id":"0f1565a2-573b-485d-8698-652c99e3f85f","method":"GET","headers":{":authority":"maas.apps.84f784b9-290f-43f0-a84a-48ee690c14ab.prod.konfluxeaas.com",":method":"GET",":path":"/maas-api/v1/models",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"0f1565a2-573b-485d-8698-652c99e3f85f","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-ryOgOC9I1kmXQPgZ_YLK8yyJWr9YcGnAMxbCGdoCv9e6TBN4aXZP63BJeUrc"}
{"level":"debug","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"0f1565a2-573b-485d-8698-652c99e3f85f","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-ryOgOC9I1kmXQPgZ_YLK8yyJWr9YcGnAMxbCGdoCv9e6TBN4aXZP63BJeUrc\"}"}
{"level":"debug","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"0f1565a2-573b-485d-8698-652c99e3f85f","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** revoked or expired","tenant":"","valid":false}}
{"level":"debug","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"0f1565a2-573b-485d-8698-652c99e3f85f","input":{"auth":{"identity":"Bearer **** revoked or expired","tenant":"","valid":false}}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.133.0.32:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.84f784b9-290f-43f0-a84a-48ee690c14ab.prod.konfluxeaas.com",":method":"GET",":path":"/maas-api/v1/models",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"0f1565a2-573b-485d-8698-652c99e3f85f","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access denied","request id":"0f1565a2-573b-485d-8698-652c99e3f85f","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"reason":"Unauthorized"}
{"level":"info","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"0f1565a2-573b-485d-8698-652c99e3f85f","authorized":false,"response":"PERMISSION_DENIED","object":{"code":7,"status":403,"message":"Unauthorized"}}
{"level":"debug","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"0f1565a2-573b-485d-8698-652c99e3f85f","authorized":false,"response":"PERMISSION_DENIED","object":{"code":7,"status":403,"message":"Unauthorized","headers":[{"x-ext-auth-reason":""},{"content-type":"text/plain"}]}}
{"level":"info","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"0ab78397-4fcf-456c-acbe-a7f75a592d9c","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.12:37968","PortSpecifier":{"PortValue":37968}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.32:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"0ab78397-4fcf-456c-acbe-a7f75a592d9c","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.84f784b9-290f-43f0-a84a-48ee690c14ab.prod.konfluxeaas.com","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"0ab78397-4fcf-456c-acbe-a7f75a592d9c","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.12:37968","PortSpecifier":{"PortValue":37968}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.32:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781479582,"nanos":162442993},"http":{"id":"0ab78397-4fcf-456c-acbe-a7f75a592d9c","method":"POST","headers":{":authority":"maas.apps.84f784b9-290f-43f0-a84a-48ee690c14ab.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth.authpipeline.identity","msg":"cannot validate identity","request id":"0ab78397-4fcf-456c-acbe-a7f75a592d9c","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"reason":"failed to verify signature: failed to verify id token signature"}
{"level":"debug","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth.authpipeline.identity.kubernetesauth","msg":"calling kubernetes token review api","request id":"0ab78397-4fcf-456c-acbe-a7f75a592d9c","tokenreview":{"name":""}}
{"level":"debug","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth.authpipeline.identity","msg":"cannot validate identity","request id":"0ab78397-4fcf-456c-acbe-a7f75a592d9c","config":{"Name":"openshift-identities","Priority":2,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":null,"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"Plain":null,"Noop":null,"ExtendedProperties":[]},"reason":"not authenticated"}
{"level":"info","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"0ab78397-4fcf-456c-acbe-a7f75a592d9c","authorized":false,"response":"UNAUTHENTICATED","object":{"code":16,"status":401,"message":"Authentication required"}}
{"level":"debug","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"0ab78397-4fcf-456c-acbe-a7f75a592d9c","authorized":false,"response":"UNAUTHENTICATED","object":{"code":16,"status":401,"message":"Authentication required","headers":[{"WWW-Authenticate":"request.headers.authorization realm=\"api-keys\""},{"WWW-Authenticate":"Bearer **** realm=\"openshift-identities\""}]}}
{"level":"info","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"bd8912e5-7ee5-42ee-9233-3cf9752d9607","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.12:37984","PortSpecifier":{"PortValue":37984}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.32:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"bd8912e5-7ee5-42ee-9233-3cf9752d9607","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.84f784b9-290f-43f0-a84a-48ee690c14ab.prod.konfluxeaas.com","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"bd8912e5-7ee5-42ee-9233-3cf9752d9607","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.12:37984","PortSpecifier":{"PortValue":37984}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.32:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781479582,"nanos":323211267},"http":{"id":"bd8912e5-7ee5-42ee-9233-3cf9752d9607","method":"POST","headers":{":authority":"maas.apps.84f784b9-290f-43f0-a84a-48ee690c14ab.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"bd8912e5-7ee5-42ee-9233-3cf9752d9607","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781479882,"groups":["Engineering","Project-Alpha"],"iat":1781479582,"iss":"https://keycloak.apps.84f784b9-290f-43f0-a84a-48ee690c14ab.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:876a6561-6e4c-e1f8-b817-f473fae6a764","preferred_username":"alice_lead","scope":"profile email","sid":"Ro53ZmdFmHhFCKgDaVE-4Pw7","sub":"d5a76a70-b370-4260-92de-ea0452b6b3ff","typ":"Bearer"}}
{"level":"debug","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"bd8912e5-7ee5-42ee-9233-3cf9752d9607","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781479882,"groups":["Engineering","Project-Alpha"],"iat":1781479582,"iss":"https://keycloak.apps.84f784b9-290f-43f0-a84a-48ee690c14ab.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:876a6561-6e4c-e1f8-b817-f473fae6a764","preferred_username":"alice_lead","scope":"profile email","sid":"Ro53ZmdFmHhFCKgDaVE-4Pw7","sub":"d5a76a70-b370-4260-92de-ea0452b6b3ff","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.133.0.32:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.84f784b9-290f-43f0-a84a-48ee690c14ab.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"bd8912e5-7ee5-42ee-9233-3cf9752d9607","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"bd8912e5-7ee5-42ee-9233-3cf9752d9607","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"bd8912e5-7ee5-42ee-9233-3cf9752d9607","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"bd8912e5-7ee5-42ee-9233-3cf9752d9607","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"selected_subscription","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"groups","Value":{}},{"Name":"keyId","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"userid","Value":{}}]},"Plain":null},"reason":"no such key: metadata"}
{"level":"debug","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"bd8912e5-7ee5-42ee-9233-3cf9752d9607","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"}
{"level":"debug","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"bd8912e5-7ee5-42ee-9233-3cf9752d9607","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"}
{"level":"debug","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"bd8912e5-7ee5-42ee-9233-3cf9752d9607","config":{"Name":"X-MaaS-Tenant-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Tenant","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"models-as-a-service"}
{"level":"info","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"bd8912e5-7ee5-42ee-9233-3cf9752d9607","authorized":true,"response":"OK"}
{"level":"debug","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"bd8912e5-7ee5-42ee-9233-3cf9752d9607","authorized":true,"response":"OK"}
{"level":"info","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"cfb9adaa-cc24-4e91-8a39-a3f2c1c9412d","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.12:37996","PortSpecifier":{"PortValue":37996}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.32:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"cfb9adaa-cc24-4e91-8a39-a3f2c1c9412d","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.84f784b9-290f-43f0-a84a-48ee690c14ab.prod.konfluxeaas.com","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"cfb9adaa-cc24-4e91-8a39-a3f2c1c9412d","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.12:37996","PortSpecifier":{"PortValue":37996}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.32:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781479582,"nanos":352156845},"http":{"id":"cfb9adaa-cc24-4e91-8a39-a3f2c1c9412d","method":"POST","headers":{":authority":"maas.apps.84f784b9-290f-43f0-a84a-48ee690c14ab.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"cfb9adaa-cc24-4e91-8a39-a3f2c1c9412d","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781479882,"groups":["Site-Reliability"],"iat":1781479582,"iss":"https://keycloak.apps.84f784b9-290f-43f0-a84a-48ee690c14ab.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:77834b25-87d2-96d1-0e60-2a8bbfbc6f9d","preferred_username":"bob_sre","scope":"profile email","sid":"Qgae04W_j6F0XSaUaxOpZ6q8","sub":"f2040098-88b1-443b-b5e4-44104fa30b95","typ":"Bearer"}}
{"level":"debug","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"cfb9adaa-cc24-4e91-8a39-a3f2c1c9412d","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781479882,"groups":["Site-Reliability"],"iat":1781479582,"iss":"https://keycloak.apps.84f784b9-290f-43f0-a84a-48ee690c14ab.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:77834b25-87d2-96d1-0e60-2a8bbfbc6f9d","preferred_username":"bob_sre","scope":"profile email","sid":"Qgae04W_j6F0XSaUaxOpZ6q8","sub":"f2040098-88b1-443b-b5e4-44104fa30b95","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.133.0.32:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.84f784b9-290f-43f0-a84a-48ee690c14ab.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"cfb9adaa-cc24-4e91-8a39-a3f2c1c9412d","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"cfb9adaa-cc24-4e91-8a39-a3f2c1c9412d","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"cfb9adaa-cc24-4e91-8a39-a3f2c1c9412d","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"cfb9adaa-cc24-4e91-8a39-a3f2c1c9412d","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"selected_subscription","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"groups","Value":{}},{"Name":"keyId","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"userid","Value":{}}]},"Plain":null},"reason":"no such key: metadata"}
{"level":"debug","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"cfb9adaa-cc24-4e91-8a39-a3f2c1c9412d","config":{"Name":"X-MaaS-Tenant-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Tenant","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"models-as-a-service"}
{"level":"debug","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"cfb9adaa-cc24-4e91-8a39-a3f2c1c9412d","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Site-Reliability\"]"}
{"level":"debug","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"cfb9adaa-cc24-4e91-8a39-a3f2c1c9412d","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"bob_sre"}
{"level":"info","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"cfb9adaa-cc24-4e91-8a39-a3f2c1c9412d","authorized":true,"response":"OK"}
{"level":"debug","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"cfb9adaa-cc24-4e91-8a39-a3f2c1c9412d","authorized":true,"response":"OK"}
{"level":"info","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"3133d046-2281-4c62-8d89-c1f91e782ddd","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.12:37998","PortSpecifier":{"PortValue":37998}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.32:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"3133d046-2281-4c62-8d89-c1f91e782ddd","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.84f784b9-290f-43f0-a84a-48ee690c14ab.prod.konfluxeaas.com","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"3133d046-2281-4c62-8d89-c1f91e782ddd","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.12:37998","PortSpecifier":{"PortValue":37998}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.32:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781479582,"nanos":459091286},"http":{"id":"3133d046-2281-4c62-8d89-c1f91e782ddd","method":"POST","headers":{":authority":"maas.apps.84f784b9-290f-43f0-a84a-48ee690c14ab.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"3133d046-2281-4c62-8d89-c1f91e782ddd","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781479882,"groups":["Engineering","Project-Alpha"],"iat":1781479582,"iss":"https://keycloak.apps.84f784b9-290f-43f0-a84a-48ee690c14ab.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:40aa94ab-e271-459e-7098-fe77b5e794a7","preferred_username":"alice_lead","scope":"profile email","sid":"wX1jiSB_kVEBPTOrUAYPsqfs","sub":"d5a76a70-b370-4260-92de-ea0452b6b3ff","typ":"Bearer"}}
{"level":"debug","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"3133d046-2281-4c62-8d89-c1f91e782ddd","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781479882,"groups":["Engineering","Project-Alpha"],"iat":1781479582,"iss":"https://keycloak.apps.84f784b9-290f-43f0-a84a-48ee690c14ab.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:40aa94ab-e271-459e-7098-fe77b5e794a7","preferred_username":"alice_lead","scope":"profile email","sid":"wX1jiSB_kVEBPTOrUAYPsqfs","sub":"d5a76a70-b370-4260-92de-ea0452b6b3ff","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.133.0.32:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.84f784b9-290f-43f0-a84a-48ee690c14ab.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"3133d046-2281-4c62-8d89-c1f91e782ddd","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"3133d046-2281-4c62-8d89-c1f91e782ddd","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"3133d046-2281-4c62-8d89-c1f91e782ddd","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"3133d046-2281-4c62-8d89-c1f91e782ddd","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"selected_subscription","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"groups","Value":{}},{"Name":"keyId","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"userid","Value":{}}]},"Plain":null},"reason":"no such key: metadata"}
{"level":"debug","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"3133d046-2281-4c62-8d89-c1f91e782ddd","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"}
{"level":"debug","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"3133d046-2281-4c62-8d89-c1f91e782ddd","config":{"Name":"X-MaaS-Tenant-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Tenant","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"models-as-a-service"}
{"level":"debug","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"3133d046-2281-4c62-8d89-c1f91e782ddd","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"}
{"level":"info","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"3133d046-2281-4c62-8d89-c1f91e782ddd","authorized":true,"response":"OK"}
{"level":"debug","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"3133d046-2281-4c62-8d89-c1f91e782ddd","authorized":true,"response":"OK"}
{"level":"info","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"abcd998a-2a70-4f59-93da-35c16262c40b","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.12:38006","PortSpecifier":{"PortValue":38006}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.32:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"abcd998a-2a70-4f59-93da-35c16262c40b","method":"DELETE","path":"/maas-api/v1/api-keys/adbaed0e-ed26-4f00-b280-eaa8af1f84dc","host":"maas.apps.84f784b9-290f-43f0-a84a-48ee690c14ab.prod.konfluxeaas.com","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"abcd998a-2a70-4f59-93da-35c16262c40b","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.12:38006","PortSpecifier":{"PortValue":38006}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.32:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781479582,"nanos":482783099},"http":{"id":"abcd998a-2a70-4f59-93da-35c16262c40b","method":"DELETE","headers":{":authority":"maas.apps.84f784b9-290f-43f0-a84a-48ee690c14ab.prod.konfluxeaas.com",":method":"DELETE",":path":"/maas-api/v1/api-keys/adbaed0e-ed26-4f00-b280-eaa8af1f84dc",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"abcd998a-2a70-4f59-93da-35c16262c40b","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781479882,"groups":["Engineering","Project-Alpha"],"iat":1781479582,"iss":"https://keycloak.apps.84f784b9-290f-43f0-a84a-48ee690c14ab.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:40aa94ab-e271-459e-7098-fe77b5e794a7","preferred_username":"alice_lead","scope":"profile email","sid":"wX1jiSB_kVEBPTOrUAYPsqfs","sub":"d5a76a70-b370-4260-92de-ea0452b6b3ff","typ":"Bearer"}}
{"level":"debug","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"abcd998a-2a70-4f59-93da-35c16262c40b","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781479882,"groups":["Engineering","Project-Alpha"],"iat":1781479582,"iss":"https://keycloak.apps.84f784b9-290f-43f0-a84a-48ee690c14ab.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:40aa94ab-e271-459e-7098-fe77b5e794a7","preferred_username":"alice_lead","scope":"profile email","sid":"wX1jiSB_kVEBPTOrUAYPsqfs","sub":"d5a76a70-b370-4260-92de-ea0452b6b3ff","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.133.0.32:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.84f784b9-290f-43f0-a84a-48ee690c14ab.prod.konfluxeaas.com",":method":"DELETE",":path":"/maas-api/v1/api-keys/adbaed0e-ed26-4f00-b280-eaa8af1f84dc",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"abcd998a-2a70-4f59-93da-35c16262c40b","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"abcd998a-2a70-4f59-93da-35c16262c40b","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"abcd998a-2a70-4f59-93da-35c16262c40b","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"abcd998a-2a70-4f59-93da-35c16262c40b","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"selected_subscription","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"groups","Value":{}},{"Name":"keyId","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"userid","Value":{}}]},"Plain":null},"reason":"no such key: metadata"}
{"level":"debug","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"abcd998a-2a70-4f59-93da-35c16262c40b","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"}
{"level":"debug","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"abcd998a-2a70-4f59-93da-35c16262c40b","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"}
{"level":"debug","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"abcd998a-2a70-4f59-93da-35c16262c40b","config":{"Name":"X-MaaS-Tenant-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Tenant","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"models-as-a-service"}
{"level":"info","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"abcd998a-2a70-4f59-93da-35c16262c40b","authorized":true,"response":"OK"}
{"level":"debug","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"abcd998a-2a70-4f59-93da-35c16262c40b","authorized":true,"response":"OK"}
{"level":"info","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"605f62dd-ba5e-4c1b-9f0f-d8fbdece7525","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.12:38012","PortSpecifier":{"PortValue":38012}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.32:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"605f62dd-ba5e-4c1b-9f0f-d8fbdece7525","method":"DELETE","path":"/maas-api/v1/api-keys/adbaed0e-ed26-4f00-b280-eaa8af1f84dc","host":"maas.apps.84f784b9-290f-43f0-a84a-48ee690c14ab.prod.konfluxeaas.com","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"605f62dd-ba5e-4c1b-9f0f-d8fbdece7525","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.12:38012","PortSpecifier":{"PortValue":38012}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.32:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781479582,"nanos":510199325},"http":{"id":"605f62dd-ba5e-4c1b-9f0f-d8fbdece7525","method":"DELETE","headers":{":authority":"maas.apps.84f784b9-290f-43f0-a84a-48ee690c14ab.prod.konfluxeaas.com",":method":"DELETE",":path":"/maas-api/v1/api-keys/adbaed0e-ed26-4f00-b280-eaa8af1f84dc",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"605f62dd-ba5e-4c1b-9f0f-d8fbdece7525","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781479882,"groups":["Engineering","Project-Alpha"],"iat":1781479582,"iss":"https://keycloak.apps.84f784b9-290f-43f0-a84a-48ee690c14ab.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:40aa94ab-e271-459e-7098-fe77b5e794a7","preferred_username":"alice_lead","scope":"profile email","sid":"wX1jiSB_kVEBPTOrUAYPsqfs","sub":"d5a76a70-b370-4260-92de-ea0452b6b3ff","typ":"Bearer"}}
{"level":"debug","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"605f62dd-ba5e-4c1b-9f0f-d8fbdece7525","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781479882,"groups":["Engineering","Project-Alpha"],"iat":1781479582,"iss":"https://keycloak.apps.84f784b9-290f-43f0-a84a-48ee690c14ab.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:40aa94ab-e271-459e-7098-fe77b5e794a7","preferred_username":"alice_lead","scope":"profile email","sid":"wX1jiSB_kVEBPTOrUAYPsqfs","sub":"d5a76a70-b370-4260-92de-ea0452b6b3ff","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.133.0.32:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.84f784b9-290f-43f0-a84a-48ee690c14ab.prod.konfluxeaas.com",":method":"DELETE",":path":"/maas-api/v1/api-keys/adbaed0e-ed26-4f00-b280-eaa8af1f84dc",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"605f62dd-ba5e-4c1b-9f0f-d8fbdece7525","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"605f62dd-ba5e-4c1b-9f0f-d8fbdece7525","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"605f62dd-ba5e-4c1b-9f0f-d8fbdece7525","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"605f62dd-ba5e-4c1b-9f0f-d8fbdece7525","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"selected_subscription","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"groups","Value":{}},{"Name":"keyId","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"userid","Value":{}}]},"Plain":null},"reason":"no such key: metadata"}
{"level":"debug","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"605f62dd-ba5e-4c1b-9f0f-d8fbdece7525","config":{"Name":"X-MaaS-Tenant-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Tenant","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"models-as-a-service"}
{"level":"debug","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"605f62dd-ba5e-4c1b-9f0f-d8fbdece7525","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"}
{"level":"debug","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"605f62dd-ba5e-4c1b-9f0f-d8fbdece7525","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"}
{"level":"info","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"605f62dd-ba5e-4c1b-9f0f-d8fbdece7525","authorized":true,"response":"OK"}
{"level":"debug","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"605f62dd-ba5e-4c1b-9f0f-d8fbdece7525","authorized":true,"response":"OK"}
{"level":"info","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"f8b0b647-4584-47e4-9426-d54437e28a21","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.12:38026","PortSpecifier":{"PortValue":38026}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.32:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"f8b0b647-4584-47e4-9426-d54437e28a21","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.84f784b9-290f-43f0-a84a-48ee690c14ab.prod.konfluxeaas.com","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"f8b0b647-4584-47e4-9426-d54437e28a21","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.12:38026","PortSpecifier":{"PortValue":38026}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.32:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781479582,"nanos":593341954},"http":{"id":"f8b0b647-4584-47e4-9426-d54437e28a21","method":"POST","headers":{":authority":"maas.apps.84f784b9-290f-43f0-a84a-48ee690c14ab.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"f8b0b647-4584-47e4-9426-d54437e28a21","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781479882,"groups":["Engineering","Project-Alpha"],"iat":1781479582,"iss":"https://keycloak.apps.84f784b9-290f-43f0-a84a-48ee690c14ab.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:bb97139a-00d0-457d-f1bb-4cb6a74b5bd5","preferred_username":"alice_lead","scope":"profile email","sid":"AAYk7rxKcPeUH9HAshtguE1q","sub":"d5a76a70-b370-4260-92de-ea0452b6b3ff","typ":"Bearer"}}
{"level":"debug","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"f8b0b647-4584-47e4-9426-d54437e28a21","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781479882,"groups":["Engineering","Project-Alpha"],"iat":1781479582,"iss":"https://keycloak.apps.84f784b9-290f-43f0-a84a-48ee690c14ab.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:bb97139a-00d0-457d-f1bb-4cb6a74b5bd5","preferred_username":"alice_lead","scope":"profile email","sid":"AAYk7rxKcPeUH9HAshtguE1q","sub":"d5a76a70-b370-4260-92de-ea0452b6b3ff","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.133.0.32:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.84f784b9-290f-43f0-a84a-48ee690c14ab.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"f8b0b647-4584-47e4-9426-d54437e28a21","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"f8b0b647-4584-47e4-9426-d54437e28a21","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"f8b0b647-4584-47e4-9426-d54437e28a21","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"f8b0b647-4584-47e4-9426-d54437e28a21","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"selected_subscription","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"groups","Value":{}},{"Name":"keyId","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"userid","Value":{}}]},"Plain":null},"reason":"no such key: metadata"}
{"level":"debug","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"f8b0b647-4584-47e4-9426-d54437e28a21","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"}
{"level":"debug","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"f8b0b647-4584-47e4-9426-d54437e28a21","config":{"Name":"X-MaaS-Tenant-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Tenant","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"models-as-a-service"}
{"level":"debug","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"f8b0b647-4584-47e4-9426-d54437e28a21","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"}
{"level":"info","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"f8b0b647-4584-47e4-9426-d54437e28a21","authorized":true,"response":"OK"}
{"level":"debug","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"f8b0b647-4584-47e4-9426-d54437e28a21","authorized":true,"response":"OK"}
{"level":"info","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"8d54e884-5e7c-40c9-9447-57e487a22166","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.12:38034","PortSpecifier":{"PortValue":38034}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.32:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"8d54e884-5e7c-40c9-9447-57e487a22166","method":"GET","path":"/maas-api/v1/models","host":"maas.apps.84f784b9-290f-43f0-a84a-48ee690c14ab.prod.konfluxeaas.com","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"8d54e884-5e7c-40c9-9447-57e487a22166","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.12:38034","PortSpecifier":{"PortValue":38034}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.32:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781479582,"nanos":617949033},"http":{"id":"8d54e884-5e7c-40c9-9447-57e487a22166","method":"GET","headers":{":authority":"maas.apps.84f784b9-290f-43f0-a84a-48ee690c14ab.prod.konfluxeaas.com",":method":"GET",":path":"/maas-api/v1/models",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"8d54e884-5e7c-40c9-9447-57e487a22166","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-1SDSOqQKb4MfDHCy9_EsB3S8pNTLFZ8rlTogikYW1jyYnbZqgdgpZLRClw6aI"}
{"level":"debug","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"8d54e884-5e7c-40c9-9447-57e487a22166","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-1SDSOqQKb4MfDHCy9_EsB3S8pNTLFZ8rlTogikYW1jyYnbZqgdgpZLRClw6aI\"}"}
{"level":"debug","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"8d54e884-5e7c-40c9-9447-57e487a22166","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"8d54e884-5e7c-40c9-9447-57e487a22166","input":{"auth":{"identity":"Bearer **** deflate","authorization":"Bearer **** deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"8d54e884-5e7c-40c9-9447-57e487a22166","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"8d54e884-5e7c-40c9-9447-57e487a22166","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"8d54e884-5e7c-40c9-9447-57e487a22166","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"8d54e884-5e7c-40c9-9447-57e487a22166","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"8d54e884-5e7c-40c9-9447-57e487a22166","config":{"Name":"X-MaaS-Tenant","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"8d54e884-5e7c-40c9-9447-57e487a22166","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"selected_subscription","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"groups","Value":{}},{"Name":"keyId","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"userid","Value":{}}]},"Plain":null},"reason":"no such key: subscription-info"}
{"level":"debug","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"8d54e884-5e7c-40c9-9447-57e487a22166","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"8d54e884-5e7c-40c9-9447-57e487a22166","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"}
{"level":"info","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"8d54e884-5e7c-40c9-9447-57e487a22166","authorized":true,"response":"OK"}
{"level":"debug","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"8d54e884-5e7c-40c9-9447-57e487a22166","authorized":true,"response":"OK"}
{"level":"info","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"ce6869d7-72f0-40ba-ac3d-641854ac1a92","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.48:37648","PortSpecifier":{"PortValue":37648}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.32:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"ce6869d7-72f0-40ba-ac3d-641854ac1a92","method":"GET","path":"/llm/facebook-opt-125m-simulated/v1/models","host":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"ce6869d7-72f0-40ba-ac3d-641854ac1a92","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.48:37648","PortSpecifier":{"PortValue":37648}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.32:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781479582,"nanos":631660764},"http":{"id":"ce6869d7-72f0-40ba-ac3d-641854ac1a92","method":"GET","headers":{":authority":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local",":method":"GET",":path":"/llm/facebook-opt-125m-simulated/v1/models",":scheme":"https","accept-encoding":"gzip","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"ce6869d7-72f0-40ba-ac3d-641854ac1a92","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-1SDSOqQKb4MfDHCy9_EsB3S8pNTLFZ8rlTogikYW1jyYnbZqgdgpZLRClw6aI"}
{"level":"debug","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"ce6869d7-72f0-40ba-ac3d-641854ac1a92","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-1SDSOqQKb4MfDHCy9_EsB3S8pNTLFZ8rlTogikYW1jyYnbZqgdgpZLRClw6aI\"}"}
{"level":"debug","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"ce6869d7-72f0-40ba-ac3d-641854ac1a92","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"ce6869d7-72f0-40ba-ac3d-641854ac1a92","config":"subscription-info","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","headers":{"Content-Type":["application/json"]},"body":"{\"groups\":[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"],\"requestedModel\":\"llm/facebook-opt-125m-simulated\",\"requestedSubscription\":\"simulator-subscription\",\"username\":\"alice_lead\"}"}
{"level":"debug","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"ce6869d7-72f0-40ba-ac3d-641854ac1a92","config":{"Name":"subscription-info","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"UserInfo":null,"UMA":null,"GenericHTTP":{"Endpoint":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","DynamicEndpoint":null,"Method":"POST","Body":{},"Parameters":[],"Headers":[],"ContentType":"application/json","SharedSecret":"","OAuth2":null,"OAuth2TokenForceFetch":false,"AuthCredentials":null}},"object":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}}
{"level":"debug","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"ce6869d7-72f0-40ba-ac3d-641854ac1a92","input":{"auth":{"identity":"Bearer **** subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}}},"context":{"context_extensions":{"host":"3dd75e19cd66d310c30638e330078972afd6d2d96305f91055bc6a6f363fb8d3"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.133.0.32:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local",":method":"GET",":path":"/llm/facebook-opt-125m-simulated/v1/models",":scheme":"https","accept-encoding":"gzip","authorization":"Bearer **** sk-oai-1SDSOqQKb4MfDHCy9_EsB3S8pNTLFZ8rlTogikYW1jyYnbZqgdgpZLRClw6aI","user-agent":"Go-http-client/1.1","x-envoy-decorator-operation":"facebook-opt-125m-simulated-kserve-workload-svc.llm.svc.cluster.local:8000/*","x-envoy-external-address":"10.134.0.48","x-envoy-peer-metadata":"ChoKCkNMVVNURVJfSUQSDBoKS3ViZXJuZXRlcwqLAQoGTEFCRUxTEoABKn4KSwofc2VydmljZS5pc3Rpby5pby9jYW5vbmljYWwtbmFtZRIoGiZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAovCiNzZXJ2aWNlLmlzdGlvLmlvL2Nhbm9uaWNhbC1yZXZpc2lvbhIIGgZsYXRlc3QKQAoETkFNRRI4GjZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdC02ODdmZjY5OTYtajR6YnIKIAoJTkFNRVNQQUNFEhMaEW9wZW5zaGlmdC1pbmdyZXNzCnQKBU9XTkVSEmsaaWt1YmVybmV0ZXM6Ly9hcGlzL2FwcHMvdjEvbmFtZXNwYWNlcy9vcGVuc2hpZnQtaW5ncmVzcy9kZXBsb3ltZW50cy9tYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAo5Cg1XT1JLTE9BRF9OQU1FEigaJm1hYXMtZGVmYXVsdC1nYXRld2F5LW9wZW5zaGlmdC1kZWZhdWx0","x-envoy-peer-metadata-id":"router~10.133.0.32~maas-default-gateway-openshift-default-687ff6996-j4zbr.openshift-ingress~openshift-ingress.svc.cluster.local","x-forwarded-for":"10.134.0.48","x-forwarded-proto":"https","x-maas-subscription":"simulator-subscription","x-request-id":"ce6869d7-72f0-40ba-ac3d-641854ac1a92"},"host":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local","id":"ce6869d7-72f0-40ba-ac3d-641854ac1a92","method":"GET","path":"/llm/facebook-opt-125m-simulated/v1/models","protocol":"HTTP/1.1","scheme":"https","time":{"nanos":631660764,"seconds":1781479582},"url_path":"/llm/facebook-opt-125m-simulated/v1/models","user_agent":"Go-http-client/1.1"},"source":{"address":"10.134.0.48:37648","port":37648}}}
{"level":"debug","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"ce6869d7-72f0-40ba-ac3d-641854ac1a92","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"ce6869d7-72f0-40ba-ac3d-641854ac1a92","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"ce6869d7-72f0-40ba-ac3d-641854ac1a92","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"ce6869d7-72f0-40ba-ac3d-641854ac1a92","config":{"Name":"subscription-valid","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"ce6869d7-72f0-40ba-ac3d-641854ac1a92","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"ce6869d7-72f0-40ba-ac3d-641854ac1a92","config":{"Name":"X-MaaS-Tenant","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"ce6869d7-72f0-40ba-ac3d-641854ac1a92","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"ce6869d7-72f0-40ba-ac3d-641854ac1a92","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"}
{"level":"debug","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"ce6869d7-72f0-40ba-ac3d-641854ac1a92","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"userid","Value":{}},{"Name":"groups","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"subscription_info","Value":{}}]},"Plain":null},"object":{"groups":["system:authenticated","Engineering","Project-Alpha"],"groups_str":"system:authenticated,Engineering,Project-Alpha","keyId":"0e56affc-8f7c-4351-99db-233ca5fae0cf","selected_subscription":"simulator-subscription","selected_subscription_key":"models-as-a-service/simulator-subscription@llm/facebook-opt-125m-simulated","subscription_error":"","subscription_error_message":"","subscription_info":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true},"userid":"alice_lead"}}
{"level":"info","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"ce6869d7-72f0-40ba-ac3d-641854ac1a92","authorized":true,"response":"OK"}
{"level":"debug","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"ce6869d7-72f0-40ba-ac3d-641854ac1a92","authorized":true,"response":"OK"}
{"level":"info","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"b42dc567-c9b8-493b-a853-ad1b61b49c0f","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.12:38038","PortSpecifier":{"PortValue":38038}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.32:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"b42dc567-c9b8-493b-a853-ad1b61b49c0f","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.84f784b9-290f-43f0-a84a-48ee690c14ab.prod.konfluxeaas.com","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"b42dc567-c9b8-493b-a853-ad1b61b49c0f","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.12:38038","PortSpecifier":{"PortValue":38038}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.32:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781479582,"nanos":723251332},"http":{"id":"b42dc567-c9b8-493b-a853-ad1b61b49c0f","method":"POST","headers":{":authority":"maas.apps.84f784b9-290f-43f0-a84a-48ee690c14ab.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"b42dc567-c9b8-493b-a853-ad1b61b49c0f","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781479882,"groups":["Engineering","Project-Alpha"],"iat":1781479582,"iss":"https://keycloak.apps.84f784b9-290f-43f0-a84a-48ee690c14ab.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:fcb56fd1-c0b8-b1d6-13f9-e7fa34fb35c4","preferred_username":"alice_lead","scope":"profile email","sid":"tUeCpNClU1e1t3dZhoJJFfFE","sub":"d5a76a70-b370-4260-92de-ea0452b6b3ff","typ":"Bearer"}}
{"level":"debug","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"b42dc567-c9b8-493b-a853-ad1b61b49c0f","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781479882,"groups":["Engineering","Project-Alpha"],"iat":1781479582,"iss":"https://keycloak.apps.84f784b9-290f-43f0-a84a-48ee690c14ab.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:fcb56fd1-c0b8-b1d6-13f9-e7fa34fb35c4","preferred_username":"alice_lead","scope":"profile email","sid":"tUeCpNClU1e1t3dZhoJJFfFE","sub":"d5a76a70-b370-4260-92de-ea0452b6b3ff","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.133.0.32:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.84f784b9-290f-43f0-a84a-48ee690c14ab.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"b42dc567-c9b8-493b-a853-ad1b61b49c0f","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"b42dc567-c9b8-493b-a853-ad1b61b49c0f","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"b42dc567-c9b8-493b-a853-ad1b61b49c0f","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"b42dc567-c9b8-493b-a853-ad1b61b49c0f","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"selected_subscription","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"groups","Value":{}},{"Name":"keyId","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"userid","Value":{}}]},"Plain":null},"reason":"no such key: metadata"}
{"level":"debug","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"b42dc567-c9b8-493b-a853-ad1b61b49c0f","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"}
{"level":"debug","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"b42dc567-c9b8-493b-a853-ad1b61b49c0f","config":{"Name":"X-MaaS-Tenant-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Tenant","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"models-as-a-service"}
{"level":"debug","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"b42dc567-c9b8-493b-a853-ad1b61b49c0f","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"}
{"level":"info","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"b42dc567-c9b8-493b-a853-ad1b61b49c0f","authorized":true,"response":"OK"}
{"level":"debug","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"b42dc567-c9b8-493b-a853-ad1b61b49c0f","authorized":true,"response":"OK"}
{"level":"info","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"8fccf2ef-9b54-4e42-9cd1-302e8aad52fa","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.12:38052","PortSpecifier":{"PortValue":38052}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.32:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"8fccf2ef-9b54-4e42-9cd1-302e8aad52fa","method":"GET","path":"/maas-api/v1/models","host":"maas.apps.84f784b9-290f-43f0-a84a-48ee690c14ab.prod.konfluxeaas.com","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"8fccf2ef-9b54-4e42-9cd1-302e8aad52fa","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.12:38052","PortSpecifier":{"PortValue":38052}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.32:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781479582,"nanos":748395952},"http":{"id":"8fccf2ef-9b54-4e42-9cd1-302e8aad52fa","method":"GET","headers":{":authority":"maas.apps.84f784b9-290f-43f0-a84a-48ee690c14ab.prod.konfluxeaas.com",":method":"GET",":path":"/maas-api/v1/models",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"8fccf2ef-9b54-4e42-9cd1-302e8aad52fa","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-1elxVPrtdkgD9UoxK_La02NdJWg9Q32T3eafwka0n7lSgDsiRhbbJSqwO6W3L"}
{"level":"debug","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"8fccf2ef-9b54-4e42-9cd1-302e8aad52fa","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-1elxVPrtdkgD9UoxK_La02NdJWg9Q32T3eafwka0n7lSgDsiRhbbJSqwO6W3L\"}"}
{"level":"debug","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"8fccf2ef-9b54-4e42-9cd1-302e8aad52fa","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"8fccf2ef-9b54-4e42-9cd1-302e8aad52fa","input":{"auth":{"identity":"Bearer **** deflate","authorization":"Bearer **** deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"8fccf2ef-9b54-4e42-9cd1-302e8aad52fa","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"8fccf2ef-9b54-4e42-9cd1-302e8aad52fa","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"8fccf2ef-9b54-4e42-9cd1-302e8aad52fa","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"8fccf2ef-9b54-4e42-9cd1-302e8aad52fa","config":{"Name":"X-MaaS-Tenant","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"8fccf2ef-9b54-4e42-9cd1-302e8aad52fa","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"8fccf2ef-9b54-4e42-9cd1-302e8aad52fa","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"selected_subscription","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"groups","Value":{}},{"Name":"keyId","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"userid","Value":{}}]},"Plain":null},"reason":"no such key: subscription-info"}
{"level":"debug","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"8fccf2ef-9b54-4e42-9cd1-302e8aad52fa","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"8fccf2ef-9b54-4e42-9cd1-302e8aad52fa","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"}
{"level":"info","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"8fccf2ef-9b54-4e42-9cd1-302e8aad52fa","authorized":true,"response":"OK"}
{"level":"debug","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"8fccf2ef-9b54-4e42-9cd1-302e8aad52fa","authorized":true,"response":"OK"}
{"level":"info","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"f2a9a115-775f-46ba-91af-a74bd36c21bc","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.12:38068","PortSpecifier":{"PortValue":38068}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.32:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"f2a9a115-775f-46ba-91af-a74bd36c21bc","method":"GET","path":"/maas-api/v1/models","host":"maas.apps.84f784b9-290f-43f0-a84a-48ee690c14ab.prod.konfluxeaas.com","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"f2a9a115-775f-46ba-91af-a74bd36c21bc","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.12:38068","PortSpecifier":{"PortValue":38068}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.32:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781479582,"nanos":770860179},"http":{"id":"f2a9a115-775f-46ba-91af-a74bd36c21bc","method":"GET","headers":{":authority":"maas.apps.84f784b9-290f-43f0-a84a-48ee690c14ab.prod.konfluxeaas.com",":method":"GET",":path":"/maas-api/v1/models",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"f2a9a115-775f-46ba-91af-a74bd36c21bc","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-1elxVPrtdkgD9UoxK_La02NdJWg9Q32T3eafwka0n7lSgDsiRhbbJSqwO6W3L"}
{"level":"debug","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"f2a9a115-775f-46ba-91af-a74bd36c21bc","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-1elxVPrtdkgD9UoxK_La02NdJWg9Q32T3eafwka0n7lSgDsiRhbbJSqwO6W3L\"}"}
{"level":"debug","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"f2a9a115-775f-46ba-91af-a74bd36c21bc","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"f2a9a115-775f-46ba-91af-a74bd36c21bc","input":{"auth":{"identity":"Bearer **** deflate","authorization":"Bearer **** deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"f2a9a115-775f-46ba-91af-a74bd36c21bc","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"f2a9a115-775f-46ba-91af-a74bd36c21bc","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"f2a9a115-775f-46ba-91af-a74bd36c21bc","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"f2a9a115-775f-46ba-91af-a74bd36c21bc","config":{"Name":"X-MaaS-Tenant","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"f2a9a115-775f-46ba-91af-a74bd36c21bc","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"f2a9a115-775f-46ba-91af-a74bd36c21bc","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"selected_subscription","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"groups","Value":{}},{"Name":"keyId","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"userid","Value":{}}]},"Plain":null},"reason":"no such key: subscription-info"}
{"level":"debug","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"f2a9a115-775f-46ba-91af-a74bd36c21bc","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"f2a9a115-775f-46ba-91af-a74bd36c21bc","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"}
{"level":"info","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"f2a9a115-775f-46ba-91af-a74bd36c21bc","authorized":true,"response":"OK"}
{"level":"debug","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"f2a9a115-775f-46ba-91af-a74bd36c21bc","authorized":true,"response":"OK"}
{"level":"info","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"d229e8aa-9dba-44c4-9390-52a26a6a4abd","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.48:37648","PortSpecifier":{"PortValue":37648}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.32:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"d229e8aa-9dba-44c4-9390-52a26a6a4abd","method":"GET","path":"/llm/facebook-opt-125m-simulated/v1/models","host":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"d229e8aa-9dba-44c4-9390-52a26a6a4abd","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.48:37648","PortSpecifier":{"PortValue":37648}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.32:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781479582,"nanos":776967946},"http":{"id":"d229e8aa-9dba-44c4-9390-52a26a6a4abd","method":"GET","headers":{":authority":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local",":method":"GET",":path":"/llm/facebook-opt-125m-simulated/v1/models",":scheme":"https","accept-encoding":"gzip","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"d229e8aa-9dba-44c4-9390-52a26a6a4abd","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-1elxVPrtdkgD9UoxK_La02NdJWg9Q32T3eafwka0n7lSgDsiRhbbJSqwO6W3L"}
{"level":"debug","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"d229e8aa-9dba-44c4-9390-52a26a6a4abd","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-1elxVPrtdkgD9UoxK_La02NdJWg9Q32T3eafwka0n7lSgDsiRhbbJSqwO6W3L\"}"}
{"level":"debug","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"d229e8aa-9dba-44c4-9390-52a26a6a4abd","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"d229e8aa-9dba-44c4-9390-52a26a6a4abd","config":"subscription-info","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","headers":{"Content-Type":["application/json"]},"body":"{\"groups\":[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"],\"requestedModel\":\"llm/facebook-opt-125m-simulated\",\"requestedSubscription\":\"simulator-subscription\",\"username\":\"alice_lead\"}"}
{"level":"debug","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"d229e8aa-9dba-44c4-9390-52a26a6a4abd","config":{"Name":"subscription-info","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"UserInfo":null,"UMA":null,"GenericHTTP":{"Endpoint":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","DynamicEndpoint":null,"Method":"POST","Body":{},"Parameters":[],"Headers":[],"ContentType":"application/json","SharedSecret":"","OAuth2":null,"OAuth2TokenForceFetch":false,"AuthCredentials":null}},"object":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}}
{"level":"debug","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"d229e8aa-9dba-44c4-9390-52a26a6a4abd","input":{"auth":{"identity":"Bearer **** subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}}},"context":{"context_extensions":{"host":"3dd75e19cd66d310c30638e330078972afd6d2d96305f91055bc6a6f363fb8d3"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.133.0.32:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local",":method":"GET",":path":"/llm/facebook-opt-125m-simulated/v1/models",":scheme":"https","accept-encoding":"gzip","authorization":"Bearer **** sk-oai-1elxVPrtdkgD9UoxK_La02NdJWg9Q32T3eafwka0n7lSgDsiRhbbJSqwO6W3L","user-agent":"Go-http-client/1.1","x-envoy-decorator-operation":"facebook-opt-125m-simulated-kserve-workload-svc.llm.svc.cluster.local:8000/*","x-envoy-external-address":"10.134.0.48","x-envoy-peer-metadata":"ChoKCkNMVVNURVJfSUQSDBoKS3ViZXJuZXRlcwqLAQoGTEFCRUxTEoABKn4KSwofc2VydmljZS5pc3Rpby5pby9jYW5vbmljYWwtbmFtZRIoGiZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAovCiNzZXJ2aWNlLmlzdGlvLmlvL2Nhbm9uaWNhbC1yZXZpc2lvbhIIGgZsYXRlc3QKQAoETkFNRRI4GjZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdC02ODdmZjY5OTYtajR6YnIKIAoJTkFNRVNQQUNFEhMaEW9wZW5zaGlmdC1pbmdyZXNzCnQKBU9XTkVSEmsaaWt1YmVybmV0ZXM6Ly9hcGlzL2FwcHMvdjEvbmFtZXNwYWNlcy9vcGVuc2hpZnQtaW5ncmVzcy9kZXBsb3ltZW50cy9tYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAo5Cg1XT1JLTE9BRF9OQU1FEigaJm1hYXMtZGVmYXVsdC1nYXRld2F5LW9wZW5zaGlmdC1kZWZhdWx0","x-envoy-peer-metadata-id":"router~10.133.0.32~maas-default-gateway-openshift-default-687ff6996-j4zbr.openshift-ingress~openshift-ingress.svc.cluster.local","x-forwarded-for":"10.134.0.48","x-forwarded-proto":"https","x-maas-subscription":"simulator-subscription","x-request-id":"d229e8aa-9dba-44c4-9390-52a26a6a4abd"},"host":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local","id":"d229e8aa-9dba-44c4-9390-52a26a6a4abd","method":"GET","path":"/llm/facebook-opt-125m-simulated/v1/models","protocol":"HTTP/1.1","scheme":"https","time":{"nanos":776967946,"seconds":1781479582},"url_path":"/llm/facebook-opt-125m-simulated/v1/models","user_agent":"Go-http-client/1.1"},"source":{"address":"10.134.0.48:37648","port":37648}}}
{"level":"debug","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"d229e8aa-9dba-44c4-9390-52a26a6a4abd","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"d229e8aa-9dba-44c4-9390-52a26a6a4abd","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"d229e8aa-9dba-44c4-9390-52a26a6a4abd","config":{"Name":"subscription-valid","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"d229e8aa-9dba-44c4-9390-52a26a6a4abd","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"d229e8aa-9dba-44c4-9390-52a26a6a4abd","config":{"Name":"X-MaaS-Tenant","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"d229e8aa-9dba-44c4-9390-52a26a6a4abd","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"d229e8aa-9dba-44c4-9390-52a26a6a4abd","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"d229e8aa-9dba-44c4-9390-52a26a6a4abd","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"}
{"level":"debug","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"d229e8aa-9dba-44c4-9390-52a26a6a4abd","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"userid","Value":{}},{"Name":"groups","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"subscription_info","Value":{}}]},"Plain":null},"object":{"groups":["system:authenticated","Engineering","Project-Alpha"],"groups_str":"system:authenticated,Engineering,Project-Alpha","keyId":"0648445f-c38d-452a-aa58-dca088d54476","selected_subscription":"simulator-subscription","selected_subscription_key":"models-as-a-service/simulator-subscription@llm/facebook-opt-125m-simulated","subscription_error":"","subscription_error_message":"","subscription_info":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true},"userid":"alice_lead"}}
{"level":"info","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"d229e8aa-9dba-44c4-9390-52a26a6a4abd","authorized":true,"response":"OK"}
{"level":"debug","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"d229e8aa-9dba-44c4-9390-52a26a6a4abd","authorized":true,"response":"OK"}
{"level":"info","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"5d5d06aa-13e8-4635-8281-dd85f8c8eb61","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.12:38082","PortSpecifier":{"PortValue":38082}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.32:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"5d5d06aa-13e8-4635-8281-dd85f8c8eb61","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.84f784b9-290f-43f0-a84a-48ee690c14ab.prod.konfluxeaas.com","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"5d5d06aa-13e8-4635-8281-dd85f8c8eb61","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.12:38082","PortSpecifier":{"PortValue":38082}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.32:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781479582,"nanos":871271147},"http":{"id":"5d5d06aa-13e8-4635-8281-dd85f8c8eb61","method":"POST","headers":{":authority":"maas.apps.84f784b9-290f-43f0-a84a-48ee690c14ab.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"5d5d06aa-13e8-4635-8281-dd85f8c8eb61","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781479882,"groups":["Engineering","Project-Alpha"],"iat":1781479582,"iss":"https://keycloak.apps.84f784b9-290f-43f0-a84a-48ee690c14ab.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:af72e95b-8ddb-b6fb-063b-77a0ac91f471","preferred_username":"alice_lead","scope":"profile email","sid":"86igHqhL3Vh0lquD5Hty6e3T","sub":"d5a76a70-b370-4260-92de-ea0452b6b3ff","typ":"Bearer"}}
{"level":"debug","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"5d5d06aa-13e8-4635-8281-dd85f8c8eb61","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781479882,"groups":["Engineering","Project-Alpha"],"iat":1781479582,"iss":"https://keycloak.apps.84f784b9-290f-43f0-a84a-48ee690c14ab.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:af72e95b-8ddb-b6fb-063b-77a0ac91f471","preferred_username":"alice_lead","scope":"profile email","sid":"86igHqhL3Vh0lquD5Hty6e3T","sub":"d5a76a70-b370-4260-92de-ea0452b6b3ff","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.133.0.32:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.84f784b9-290f-43f0-a84a-48ee690c14ab.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"5d5d06aa-13e8-4635-8281-dd85f8c8eb61","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"5d5d06aa-13e8-4635-8281-dd85f8c8eb61","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"5d5d06aa-13e8-4635-8281-dd85f8c8eb61","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"5d5d06aa-13e8-4635-8281-dd85f8c8eb61","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"selected_subscription","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"groups","Value":{}},{"Name":"keyId","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"userid","Value":{}}]},"Plain":null},"reason":"no such key: metadata"}
{"level":"debug","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"5d5d06aa-13e8-4635-8281-dd85f8c8eb61","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"}
{"level":"debug","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"5d5d06aa-13e8-4635-8281-dd85f8c8eb61","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"}
{"level":"debug","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"5d5d06aa-13e8-4635-8281-dd85f8c8eb61","config":{"Name":"X-MaaS-Tenant-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Tenant","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"models-as-a-service"}
{"level":"info","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"5d5d06aa-13e8-4635-8281-dd85f8c8eb61","authorized":true,"response":"OK"}
{"level":"debug","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"5d5d06aa-13e8-4635-8281-dd85f8c8eb61","authorized":true,"response":"OK"}
{"level":"info","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"20c26b6d-15ca-4c07-bcb8-80f08ee49332","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.12:38088","PortSpecifier":{"PortValue":38088}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.32:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"20c26b6d-15ca-4c07-bcb8-80f08ee49332","method":"GET","path":"/maas-api/v1/models","host":"maas.apps.84f784b9-290f-43f0-a84a-48ee690c14ab.prod.konfluxeaas.com","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"20c26b6d-15ca-4c07-bcb8-80f08ee49332","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.12:38088","PortSpecifier":{"PortValue":38088}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.32:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781479582,"nanos":897107779},"http":{"id":"20c26b6d-15ca-4c07-bcb8-80f08ee49332","method":"GET","headers":{":authority":"maas.apps.84f784b9-290f-43f0-a84a-48ee690c14ab.prod.konfluxeaas.com",":method":"GET",":path":"/maas-api/v1/models",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"20c26b6d-15ca-4c07-bcb8-80f08ee49332","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-fKvMXJt4LRkstKyG_BYqPSFgLn8rXbpynIyoAoPpl4AGIMvgBQ6FYp4AoVFJ"}
{"level":"debug","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"20c26b6d-15ca-4c07-bcb8-80f08ee49332","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-fKvMXJt4LRkstKyG_BYqPSFgLn8rXbpynIyoAoPpl4AGIMvgBQ6FYp4AoVFJ\"}"}
{"level":"debug","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"20c26b6d-15ca-4c07-bcb8-80f08ee49332","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"20c26b6d-15ca-4c07-bcb8-80f08ee49332","input":{"auth":{"identity":"Bearer **** deflate","authorization":"Bearer **** deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"20c26b6d-15ca-4c07-bcb8-80f08ee49332","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"20c26b6d-15ca-4c07-bcb8-80f08ee49332","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"20c26b6d-15ca-4c07-bcb8-80f08ee49332","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"20c26b6d-15ca-4c07-bcb8-80f08ee49332","config":{"Name":"X-MaaS-Tenant","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"20c26b6d-15ca-4c07-bcb8-80f08ee49332","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"20c26b6d-15ca-4c07-bcb8-80f08ee49332","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"selected_subscription","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"groups","Value":{}},{"Name":"keyId","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"userid","Value":{}}]},"Plain":null},"reason":"no such key: subscription-info"}
{"level":"debug","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"20c26b6d-15ca-4c07-bcb8-80f08ee49332","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"20c26b6d-15ca-4c07-bcb8-80f08ee49332","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"}
{"level":"info","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"20c26b6d-15ca-4c07-bcb8-80f08ee49332","authorized":true,"response":"OK"}
{"level":"debug","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"20c26b6d-15ca-4c07-bcb8-80f08ee49332","authorized":true,"response":"OK"}
{"level":"info","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"6c6440fb-17f6-40fd-8bcf-ddb62472c261","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.48:37648","PortSpecifier":{"PortValue":37648}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.32:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"6c6440fb-17f6-40fd-8bcf-ddb62472c261","method":"GET","path":"/llm/facebook-opt-125m-simulated/v1/models","host":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"6c6440fb-17f6-40fd-8bcf-ddb62472c261","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.48:37648","PortSpecifier":{"PortValue":37648}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.32:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781479582,"nanos":903165306},"http":{"id":"6c6440fb-17f6-40fd-8bcf-ddb62472c261","method":"GET","headers":{":authority":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local",":method":"GET",":path":"/llm/facebook-opt-125m-simulated/v1/models",":scheme":"https","accept-encoding":"gzip","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"6c6440fb-17f6-40fd-8bcf-ddb62472c261","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-fKvMXJt4LRkstKyG_BYqPSFgLn8rXbpynIyoAoPpl4AGIMvgBQ6FYp4AoVFJ"}
{"level":"debug","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"6c6440fb-17f6-40fd-8bcf-ddb62472c261","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-fKvMXJt4LRkstKyG_BYqPSFgLn8rXbpynIyoAoPpl4AGIMvgBQ6FYp4AoVFJ\"}"}
{"level":"debug","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"6c6440fb-17f6-40fd-8bcf-ddb62472c261","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"6c6440fb-17f6-40fd-8bcf-ddb62472c261","config":"subscription-info","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","headers":{"Content-Type":["application/json"]},"body":"{\"groups\":[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"],\"requestedModel\":\"llm/facebook-opt-125m-simulated\",\"requestedSubscription\":\"simulator-subscription\",\"username\":\"alice_lead\"}"}
{"level":"debug","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"6c6440fb-17f6-40fd-8bcf-ddb62472c261","config":{"Name":"subscription-info","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"UserInfo":null,"UMA":null,"GenericHTTP":{"Endpoint":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","DynamicEndpoint":null,"Method":"POST","Body":{},"Parameters":[],"Headers":[],"ContentType":"application/json","SharedSecret":"","OAuth2":null,"OAuth2TokenForceFetch":false,"AuthCredentials":null}},"object":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}}
{"level":"debug","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"6c6440fb-17f6-40fd-8bcf-ddb62472c261","input":{"auth":{"identity":"Bearer **** subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}}},"context":{"context_extensions":{"host":"3dd75e19cd66d310c30638e330078972afd6d2d96305f91055bc6a6f363fb8d3"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.133.0.32:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local",":method":"GET",":path":"/llm/facebook-opt-125m-simulated/v1/models",":scheme":"https","accept-encoding":"gzip","authorization":"Bearer **** sk-oai-fKvMXJt4LRkstKyG_BYqPSFgLn8rXbpynIyoAoPpl4AGIMvgBQ6FYp4AoVFJ","user-agent":"Go-http-client/1.1","x-envoy-decorator-operation":"facebook-opt-125m-simulated-kserve-workload-svc.llm.svc.cluster.local:8000/*","x-envoy-external-address":"10.134.0.48","x-envoy-peer-metadata":"ChoKCkNMVVNURVJfSUQSDBoKS3ViZXJuZXRlcwqLAQoGTEFCRUxTEoABKn4KSwofc2VydmljZS5pc3Rpby5pby9jYW5vbmljYWwtbmFtZRIoGiZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAovCiNzZXJ2aWNlLmlzdGlvLmlvL2Nhbm9uaWNhbC1yZXZpc2lvbhIIGgZsYXRlc3QKQAoETkFNRRI4GjZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdC02ODdmZjY5OTYtajR6YnIKIAoJTkFNRVNQQUNFEhMaEW9wZW5zaGlmdC1pbmdyZXNzCnQKBU9XTkVSEmsaaWt1YmVybmV0ZXM6Ly9hcGlzL2FwcHMvdjEvbmFtZXNwYWNlcy9vcGVuc2hpZnQtaW5ncmVzcy9kZXBsb3ltZW50cy9tYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAo5Cg1XT1JLTE9BRF9OQU1FEigaJm1hYXMtZGVmYXVsdC1nYXRld2F5LW9wZW5zaGlmdC1kZWZhdWx0","x-envoy-peer-metadata-id":"router~10.133.0.32~maas-default-gateway-openshift-default-687ff6996-j4zbr.openshift-ingress~openshift-ingress.svc.cluster.local","x-forwarded-for":"10.134.0.48","x-forwarded-proto":"https","x-maas-subscription":"simulator-subscription","x-request-id":"6c6440fb-17f6-40fd-8bcf-ddb62472c261"},"host":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local","id":"6c6440fb-17f6-40fd-8bcf-ddb62472c261","method":"GET","path":"/llm/facebook-opt-125m-simulated/v1/models","protocol":"HTTP/1.1","scheme":"https","time":{"nanos":903165306,"seconds":1781479582},"url_path":"/llm/facebook-opt-125m-simulated/v1/models","user_agent":"Go-http-client/1.1"},"source":{"address":"10.134.0.48:37648","port":37648}}}
{"level":"debug","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"6c6440fb-17f6-40fd-8bcf-ddb62472c261","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"6c6440fb-17f6-40fd-8bcf-ddb62472c261","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"6c6440fb-17f6-40fd-8bcf-ddb62472c261","config":{"Name":"subscription-valid","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"6c6440fb-17f6-40fd-8bcf-ddb62472c261","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"6c6440fb-17f6-40fd-8bcf-ddb62472c261","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"6c6440fb-17f6-40fd-8bcf-ddb62472c261","config":{"Name":"X-MaaS-Tenant","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"6c6440fb-17f6-40fd-8bcf-ddb62472c261","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"6c6440fb-17f6-40fd-8bcf-ddb62472c261","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"}
{"level":"debug","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"6c6440fb-17f6-40fd-8bcf-ddb62472c261","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"userid","Value":{}},{"Name":"groups","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"subscription_info","Value":{}}]},"Plain":null},"object":{"groups":["system:authenticated","Engineering","Project-Alpha"],"groups_str":"system:authenticated,Engineering,Project-Alpha","keyId":"844aba8a-3b27-4e3d-b4c0-764b8218df48","selected_subscription":"simulator-subscription","selected_subscription_key":"models-as-a-service/simulator-subscription@llm/facebook-opt-125m-simulated","subscription_error":"","subscription_error_message":"","subscription_info":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true},"userid":"alice_lead"}}
{"level":"info","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"6c6440fb-17f6-40fd-8bcf-ddb62472c261","authorized":true,"response":"OK"}
{"level":"debug","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"6c6440fb-17f6-40fd-8bcf-ddb62472c261","authorized":true,"response":"OK"}
{"level":"info","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"396efa10-314f-430c-8236-363d98401e6d","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.12:38094","PortSpecifier":{"PortValue":38094}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.32:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"396efa10-314f-430c-8236-363d98401e6d","method":"GET","path":"/maas-api/v1/models","host":"maas.apps.84f784b9-290f-43f0-a84a-48ee690c14ab.prod.konfluxeaas.com","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"396efa10-314f-430c-8236-363d98401e6d","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.12:38094","PortSpecifier":{"PortValue":38094}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.32:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781479582,"nanos":927602021},"http":{"id":"396efa10-314f-430c-8236-363d98401e6d","method":"GET","headers":{":authority":"maas.apps.84f784b9-290f-43f0-a84a-48ee690c14ab.prod.konfluxeaas.com",":method":"GET",":path":"/maas-api/v1/models",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"396efa10-314f-430c-8236-363d98401e6d","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-fKvMXJt4LRkstKyG_BYqPSFgLn8rXbpynIyoAoPpl4AGIMvgBQ6FYp4AoVFJ"}
{"level":"debug","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"396efa10-314f-430c-8236-363d98401e6d","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-fKvMXJt4LRkstKyG_BYqPSFgLn8rXbpynIyoAoPpl4AGIMvgBQ6FYp4AoVFJ\"}"}
{"level":"debug","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"396efa10-314f-430c-8236-363d98401e6d","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"396efa10-314f-430c-8236-363d98401e6d","input":{"auth":{"identity":"Bearer **** deflate","authorization":"Bearer **** deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"396efa10-314f-430c-8236-363d98401e6d","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"396efa10-314f-430c-8236-363d98401e6d","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"396efa10-314f-430c-8236-363d98401e6d","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"396efa10-314f-430c-8236-363d98401e6d","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"396efa10-314f-430c-8236-363d98401e6d","config":{"Name":"X-MaaS-Tenant","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"396efa10-314f-430c-8236-363d98401e6d","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"selected_subscription","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"groups","Value":{}},{"Name":"keyId","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"userid","Value":{}}]},"Plain":null},"reason":"no such key: subscription-info"}
{"level":"debug","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"396efa10-314f-430c-8236-363d98401e6d","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"396efa10-314f-430c-8236-363d98401e6d","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"}
{"level":"info","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"396efa10-314f-430c-8236-363d98401e6d","authorized":true,"response":"OK"}
{"level":"debug","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"396efa10-314f-430c-8236-363d98401e6d","authorized":true,"response":"OK"}
{"level":"info","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"e4eaf7fd-9f8c-4d27-b092-d4cb4a1018a8","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.48:37648","PortSpecifier":{"PortValue":37648}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.32:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"e4eaf7fd-9f8c-4d27-b092-d4cb4a1018a8","method":"GET","path":"/llm/facebook-opt-125m-simulated/v1/models","host":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"e4eaf7fd-9f8c-4d27-b092-d4cb4a1018a8","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.48:37648","PortSpecifier":{"PortValue":37648}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.32:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781479582,"nanos":933454290},"http":{"id":"e4eaf7fd-9f8c-4d27-b092-d4cb4a1018a8","method":"GET","headers":{":authority":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local",":method":"GET",":path":"/llm/facebook-opt-125m-simulated/v1/models",":scheme":"https","accept-encoding":"gzip","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"e4eaf7fd-9f8c-4d27-b092-d4cb4a1018a8","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-fKvMXJt4LRkstKyG_BYqPSFgLn8rXbpynIyoAoPpl4AGIMvgBQ6FYp4AoVFJ"}
{"level":"debug","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"e4eaf7fd-9f8c-4d27-b092-d4cb4a1018a8","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-fKvMXJt4LRkstKyG_BYqPSFgLn8rXbpynIyoAoPpl4AGIMvgBQ6FYp4AoVFJ\"}"}
{"level":"debug","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"e4eaf7fd-9f8c-4d27-b092-d4cb4a1018a8","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"e4eaf7fd-9f8c-4d27-b092-d4cb4a1018a8","config":"subscription-info","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","headers":{"Content-Type":["application/json"]},"body":"{\"groups\":[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"],\"requestedModel\":\"llm/facebook-opt-125m-simulated\",\"requestedSubscription\":\"simulator-subscription\",\"username\":\"alice_lead\"}"}
{"level":"debug","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"e4eaf7fd-9f8c-4d27-b092-d4cb4a1018a8","config":{"Name":"subscription-info","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"UserInfo":null,"UMA":null,"GenericHTTP":{"Endpoint":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","DynamicEndpoint":null,"Method":"POST","Body":{},"Parameters":[],"Headers":[],"ContentType":"application/json","SharedSecret":"","OAuth2":null,"OAuth2TokenForceFetch":false,"AuthCredentials":null}},"object":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}}
{"level":"debug","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"e4eaf7fd-9f8c-4d27-b092-d4cb4a1018a8","input":{"auth":{"identity":"Bearer **** subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}}},"context":{"context_extensions":{"host":"3dd75e19cd66d310c30638e330078972afd6d2d96305f91055bc6a6f363fb8d3"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.133.0.32:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local",":method":"GET",":path":"/llm/facebook-opt-125m-simulated/v1/models",":scheme":"https","accept-encoding":"gzip","authorization":"Bearer **** sk-oai-fKvMXJt4LRkstKyG_BYqPSFgLn8rXbpynIyoAoPpl4AGIMvgBQ6FYp4AoVFJ","user-agent":"Go-http-client/1.1","x-envoy-decorator-operation":"facebook-opt-125m-simulated-kserve-workload-svc.llm.svc.cluster.local:8000/*","x-envoy-external-address":"10.134.0.48","x-envoy-peer-metadata":"ChoKCkNMVVNURVJfSUQSDBoKS3ViZXJuZXRlcwqLAQoGTEFCRUxTEoABKn4KSwofc2VydmljZS5pc3Rpby5pby9jYW5vbmljYWwtbmFtZRIoGiZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAovCiNzZXJ2aWNlLmlzdGlvLmlvL2Nhbm9uaWNhbC1yZXZpc2lvbhIIGgZsYXRlc3QKQAoETkFNRRI4GjZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdC02ODdmZjY5OTYtajR6YnIKIAoJTkFNRVNQQUNFEhMaEW9wZW5zaGlmdC1pbmdyZXNzCnQKBU9XTkVSEmsaaWt1YmVybmV0ZXM6Ly9hcGlzL2FwcHMvdjEvbmFtZXNwYWNlcy9vcGVuc2hpZnQtaW5ncmVzcy9kZXBsb3ltZW50cy9tYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAo5Cg1XT1JLTE9BRF9OQU1FEigaJm1hYXMtZGVmYXVsdC1nYXRld2F5LW9wZW5zaGlmdC1kZWZhdWx0","x-envoy-peer-metadata-id":"router~10.133.0.32~maas-default-gateway-openshift-default-687ff6996-j4zbr.openshift-ingress~openshift-ingress.svc.cluster.local","x-forwarded-for":"10.134.0.48","x-forwarded-proto":"https","x-maas-subscription":"simulator-subscription","x-request-id":"e4eaf7fd-9f8c-4d27-b092-d4cb4a1018a8"},"host":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local","id":"e4eaf7fd-9f8c-4d27-b092-d4cb4a1018a8","method":"GET","path":"/llm/facebook-opt-125m-simulated/v1/models","protocol":"HTTP/1.1","scheme":"https","time":{"nanos":933454290,"seconds":1781479582},"url_path":"/llm/facebook-opt-125m-simulated/v1/models","user_agent":"Go-http-client/1.1"},"source":{"address":"10.134.0.48:37648","port":37648}}}
{"level":"debug","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"e4eaf7fd-9f8c-4d27-b092-d4cb4a1018a8","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"e4eaf7fd-9f8c-4d27-b092-d4cb4a1018a8","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"e4eaf7fd-9f8c-4d27-b092-d4cb4a1018a8","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"e4eaf7fd-9f8c-4d27-b092-d4cb4a1018a8","config":{"Name":"subscription-valid","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"e4eaf7fd-9f8c-4d27-b092-d4cb4a1018a8","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"e4eaf7fd-9f8c-4d27-b092-d4cb4a1018a8","config":{"Name":"X-MaaS-Tenant","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"e4eaf7fd-9f8c-4d27-b092-d4cb4a1018a8","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"e4eaf7fd-9f8c-4d27-b092-d4cb4a1018a8","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"}
{"level":"debug","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"e4eaf7fd-9f8c-4d27-b092-d4cb4a1018a8","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"userid","Value":{}},{"Name":"groups","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"subscription_info","Value":{}}]},"Plain":null},"object":{"groups":["system:authenticated","Engineering","Project-Alpha"],"groups_str":"system:authenticated,Engineering,Project-Alpha","keyId":"844aba8a-3b27-4e3d-b4c0-764b8218df48","selected_subscription":"simulator-subscription","selected_subscription_key":"models-as-a-service/simulator-subscription@llm/facebook-opt-125m-simulated","subscription_error":"","subscription_error_message":"","subscription_info":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true},"userid":"alice_lead"}}
{"level":"info","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"e4eaf7fd-9f8c-4d27-b092-d4cb4a1018a8","authorized":true,"response":"OK"}
{"level":"debug","ts":"2026-06-14T23:26:22Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"e4eaf7fd-9f8c-4d27-b092-d4cb4a1018a8","authorized":true,"response":"OK"}
{"level":"info","ts":"2026-06-14T23:26:23Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"784308ad-5783-4d41-bf3d-f29ece76cd59","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.12:38098","PortSpecifier":{"PortValue":38098}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.32:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"784308ad-5783-4d41-bf3d-f29ece76cd59","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.84f784b9-290f-43f0-a84a-48ee690c14ab.prod.konfluxeaas.com","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-14T23:26:23Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"784308ad-5783-4d41-bf3d-f29ece76cd59","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.12:38098","PortSpecifier":{"PortValue":38098}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.32:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781479583,"nanos":19449253},"http":{"id":"784308ad-5783-4d41-bf3d-f29ece76cd59","method":"POST","headers":{":authority":"maas.apps.84f784b9-290f-43f0-a84a-48ee690c14ab.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-14T23:26:23Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"784308ad-5783-4d41-bf3d-f29ece76cd59","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781479882,"groups":["Engineering","Project-Alpha"],"iat":1781479582,"iss":"https://keycloak.apps.84f784b9-290f-43f0-a84a-48ee690c14ab.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:090a45d3-a247-c35c-356b-34ac4b9bf693","preferred_username":"alice_lead","scope":"profile email","sid":"g2_m72Wp5aYxJDMUBF5z97y-","sub":"d5a76a70-b370-4260-92de-ea0452b6b3ff","typ":"Bearer"}}
{"level":"debug","ts":"2026-06-14T23:26:23Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"784308ad-5783-4d41-bf3d-f29ece76cd59","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781479882,"groups":["Engineering","Project-Alpha"],"iat":1781479582,"iss":"https://keycloak.apps.84f784b9-290f-43f0-a84a-48ee690c14ab.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:090a45d3-a247-c35c-356b-34ac4b9bf693","preferred_username":"alice_lead","scope":"profile email","sid":"g2_m72Wp5aYxJDMUBF5z97y-","sub":"d5a76a70-b370-4260-92de-ea0452b6b3ff","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.133.0.32:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.84f784b9-290f-43f0-a84a-48ee690c14ab.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-14T23:26:23Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"784308ad-5783-4d41-bf3d-f29ece76cd59","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-14T23:26:23Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"784308ad-5783-4d41-bf3d-f29ece76cd59","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-14T23:26:23Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"784308ad-5783-4d41-bf3d-f29ece76cd59","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-14T23:26:23Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"784308ad-5783-4d41-bf3d-f29ece76cd59","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"selected_subscription","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"groups","Value":{}},{"Name":"keyId","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"userid","Value":{}}]},"Plain":null},"reason":"no such key: metadata"}
{"level":"debug","ts":"2026-06-14T23:26:23Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"784308ad-5783-4d41-bf3d-f29ece76cd59","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"}
{"level":"debug","ts":"2026-06-14T23:26:23Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"784308ad-5783-4d41-bf3d-f29ece76cd59","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"}
{"level":"debug","ts":"2026-06-14T23:26:23Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"784308ad-5783-4d41-bf3d-f29ece76cd59","config":{"Name":"X-MaaS-Tenant-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Tenant","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"models-as-a-service"}
{"level":"info","ts":"2026-06-14T23:26:23Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"784308ad-5783-4d41-bf3d-f29ece76cd59","authorized":true,"response":"OK"}
{"level":"debug","ts":"2026-06-14T23:26:23Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"784308ad-5783-4d41-bf3d-f29ece76cd59","authorized":true,"response":"OK"}