{"level":"info","ts":"2026-06-11T17:13:04Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/319a353672fc7601c875fa3f8b807adf60b64f093f022b2a1c3dfef3ac8cd4f4"} {"level":"debug","ts":"2026-06-11T17:13:04Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/3dc75fc8307b952a3e873400cf417e90f2861e8a225abec4b22708deb7901db7","issuerUrl":"https://keycloak.apps.70db45dc-32bd-4399-9dbe-1fe353b84610.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-11T17:13:04Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/3dc75fc8307b952a3e873400cf417e90f2861e8a225abec4b22708deb7901db7"} {"level":"debug","ts":"2026-06-11T17:13:04Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"edcceb5a2e0cf1edde0fc3ed43068ce5b123a6fdc41949959c2c3b7a5a48bf24","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"False","lastTransitionTime":"2026-06-11T17:13:04Z","reason":"HostsNotLinked","message":"No hosts linked to the resource"},{"type":"Ready","status":"False","lastTransitionTime":"2026-06-11T17:13:04Z","reason":"Reconciling"}],"summary":{"ready":false,"hostsReady":[],"numHostsReady":"0/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":6,"festivalWristbandEnabled":false}}} {"level":"debug","ts":"2026-06-11T17:13:04Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/edcceb5a2e0cf1edde0fc3ed43068ce5b123a6fdc41949959c2c3b7a5a48bf24","issuerUrl":"https://keycloak.apps.70db45dc-32bd-4399-9dbe-1fe353b84610.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-11T17:13:04Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"edcceb5a2e0cf1edde0fc3ed43068ce5b123a6fdc41949959c2c3b7a5a48bf24","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-11T17:13:04Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"edcceb5a2e0cf1edde0fc3ed43068ce5b123a6fdc41949959c2c3b7a5a48bf24","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-11T17:13:04Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"9bbfc0b2e9e9acadd41342cd7c36a24afa8a5eef942d161782a6adae8411158a","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-11T17:13:04Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"edcceb5a2e0cf1edde0fc3ed43068ce5b123a6fdc41949959c2c3b7a5a48bf24","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-11T17:13:04Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/edcceb5a2e0cf1edde0fc3ed43068ce5b123a6fdc41949959c2c3b7a5a48bf24"} {"level":"debug","ts":"2026-06-11T17:13:04Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/9bbfc0b2e9e9acadd41342cd7c36a24afa8a5eef942d161782a6adae8411158a","issuerUrl":"https://keycloak.apps.70db45dc-32bd-4399-9dbe-1fe353b84610.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-11T17:13:04Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"edcceb5a2e0cf1edde0fc3ed43068ce5b123a6fdc41949959c2c3b7a5a48bf24","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"True","lastTransitionTime":"2026-06-11T17:13:04Z","reason":"HostsLinked"},{"type":"Ready","status":"True","lastTransitionTime":"2026-06-11T17:13:04Z","reason":"Reconciled"}],"summary":{"ready":true,"hostsReady":["edcceb5a2e0cf1edde0fc3ed43068ce5b123a6fdc41949959c2c3b7a5a48bf24"],"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":6,"festivalWristbandEnabled":false}}} {"level":"info","ts":"2026-06-11T17:13:04Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/9bbfc0b2e9e9acadd41342cd7c36a24afa8a5eef942d161782a6adae8411158a"} {"level":"debug","ts":"2026-06-11T17:13:04Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/edcceb5a2e0cf1edde0fc3ed43068ce5b123a6fdc41949959c2c3b7a5a48bf24","issuerUrl":"https://keycloak.apps.70db45dc-32bd-4399-9dbe-1fe353b84610.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-11T17:13:04Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"edcceb5a2e0cf1edde0fc3ed43068ce5b123a6fdc41949959c2c3b7a5a48bf24","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-11T17:13:04Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"edcceb5a2e0cf1edde0fc3ed43068ce5b123a6fdc41949959c2c3b7a5a48bf24","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"False","lastTransitionTime":"2026-06-11T17:13:04Z","reason":"HostsNotLinked","message":"No hosts linked to the resource"},{"type":"Ready","status":"False","lastTransitionTime":"2026-06-11T17:13:04Z","reason":"Reconciling"}],"summary":{"ready":false,"hostsReady":[],"numHostsReady":"0/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":6,"festivalWristbandEnabled":false}}} {"level":"info","ts":"2026-06-11T17:13:04Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/edcceb5a2e0cf1edde0fc3ed43068ce5b123a6fdc41949959c2c3b7a5a48bf24"} {"level":"debug","ts":"2026-06-11T17:13:04Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/edcceb5a2e0cf1edde0fc3ed43068ce5b123a6fdc41949959c2c3b7a5a48bf24","issuerUrl":"https://keycloak.apps.70db45dc-32bd-4399-9dbe-1fe353b84610.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-11T17:13:04Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"edcceb5a2e0cf1edde0fc3ed43068ce5b123a6fdc41949959c2c3b7a5a48bf24","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-11T17:13:04Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"edcceb5a2e0cf1edde0fc3ed43068ce5b123a6fdc41949959c2c3b7a5a48bf24","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-11T17:13:04Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"edcceb5a2e0cf1edde0fc3ed43068ce5b123a6fdc41949959c2c3b7a5a48bf24","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-11T17:13:04Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/edcceb5a2e0cf1edde0fc3ed43068ce5b123a6fdc41949959c2c3b7a5a48bf24"} {"level":"debug","ts":"2026-06-11T17:13:04Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/edcceb5a2e0cf1edde0fc3ed43068ce5b123a6fdc41949959c2c3b7a5a48bf24","issuerUrl":"https://keycloak.apps.70db45dc-32bd-4399-9dbe-1fe353b84610.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-11T17:13:04Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"edcceb5a2e0cf1edde0fc3ed43068ce5b123a6fdc41949959c2c3b7a5a48bf24","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-11T17:13:04Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"cc09b530b46a73b0d4ddb40e465580cff15db19d77e93e4903c9737647deeb1a","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-11T17:13:04Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/edcceb5a2e0cf1edde0fc3ed43068ce5b123a6fdc41949959c2c3b7a5a48bf24"} {"level":"debug","ts":"2026-06-11T17:13:04Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/cc09b530b46a73b0d4ddb40e465580cff15db19d77e93e4903c9737647deeb1a","issuerUrl":"https://keycloak.apps.70db45dc-32bd-4399-9dbe-1fe353b84610.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-11T17:13:04Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"3c0d47082320c9bb02d3788ab2b052c696af91abc2ae438437ae71a26936c7c2","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-11T17:13:04Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/cc09b530b46a73b0d4ddb40e465580cff15db19d77e93e4903c9737647deeb1a"} {"level":"debug","ts":"2026-06-11T17:13:04Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/3c0d47082320c9bb02d3788ab2b052c696af91abc2ae438437ae71a26936c7c2","issuerUrl":"https://keycloak.apps.70db45dc-32bd-4399-9dbe-1fe353b84610.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-11T17:13:04Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"c9f2cdb36f800bc8ef8831e6117ec4c6cc521d8cd63b718b7906225d0f25e59f","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-11T17:13:04Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"edcceb5a2e0cf1edde0fc3ed43068ce5b123a6fdc41949959c2c3b7a5a48bf24","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"True","lastTransitionTime":"2026-06-11T17:13:04Z","reason":"HostsLinked"},{"type":"Ready","status":"True","lastTransitionTime":"2026-06-11T17:13:04Z","reason":"Reconciled"}],"summary":{"ready":true,"hostsReady":["edcceb5a2e0cf1edde0fc3ed43068ce5b123a6fdc41949959c2c3b7a5a48bf24"],"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":6,"festivalWristbandEnabled":false}}} {"level":"info","ts":"2026-06-11T17:13:04Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"edcceb5a2e0cf1edde0fc3ed43068ce5b123a6fdc41949959c2c3b7a5a48bf24","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-11T17:13:04Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"edcceb5a2e0cf1edde0fc3ed43068ce5b123a6fdc41949959c2c3b7a5a48bf24","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-11T17:13:04Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/3c0d47082320c9bb02d3788ab2b052c696af91abc2ae438437ae71a26936c7c2"} {"level":"debug","ts":"2026-06-11T17:13:04Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/c9f2cdb36f800bc8ef8831e6117ec4c6cc521d8cd63b718b7906225d0f25e59f","issuerUrl":"https://keycloak.apps.70db45dc-32bd-4399-9dbe-1fe353b84610.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-11T17:13:04Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/c9f2cdb36f800bc8ef8831e6117ec4c6cc521d8cd63b718b7906225d0f25e59f"} {"level":"debug","ts":"2026-06-11T17:13:04Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/edcceb5a2e0cf1edde0fc3ed43068ce5b123a6fdc41949959c2c3b7a5a48bf24","issuerUrl":"https://keycloak.apps.70db45dc-32bd-4399-9dbe-1fe353b84610.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-11T17:13:04Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/edcceb5a2e0cf1edde0fc3ed43068ce5b123a6fdc41949959c2c3b7a5a48bf24"} {"level":"debug","ts":"2026-06-11T17:13:04Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"3dd75e19cd66d310c30638e330078972afd6d2d96305f91055bc6a6f363fb8d3","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"False","lastTransitionTime":"2026-06-11T17:13:04Z","reason":"HostsNotLinked","message":"No hosts linked to the resource"},{"type":"Ready","status":"False","lastTransitionTime":"2026-06-11T17:13:04Z","reason":"Reconciling"}],"summary":{"ready":false,"hostsReady":[],"numHostsReady":"0/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":6,"festivalWristbandEnabled":false}}} {"level":"debug","ts":"2026-06-11T17:13:04Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/3dd75e19cd66d310c30638e330078972afd6d2d96305f91055bc6a6f363fb8d3","issuerUrl":"https://keycloak.apps.70db45dc-32bd-4399-9dbe-1fe353b84610.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-11T17:13:04Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"3dd75e19cd66d310c30638e330078972afd6d2d96305f91055bc6a6f363fb8d3","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-11T17:13:04Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"3dd75e19cd66d310c30638e330078972afd6d2d96305f91055bc6a6f363fb8d3","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-11T17:13:04Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"3dd75e19cd66d310c30638e330078972afd6d2d96305f91055bc6a6f363fb8d3","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-11T17:13:04Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"b1f82c4ba6cc7617f9c0b90067f72f4a25fdc5de2564c14ccb90af534a2905f6","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-11T17:13:04Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/3dd75e19cd66d310c30638e330078972afd6d2d96305f91055bc6a6f363fb8d3"} {"level":"debug","ts":"2026-06-11T17:13:04Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/b1f82c4ba6cc7617f9c0b90067f72f4a25fdc5de2564c14ccb90af534a2905f6","issuerUrl":"https://keycloak.apps.70db45dc-32bd-4399-9dbe-1fe353b84610.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-11T17:13:04Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"3dd75e19cd66d310c30638e330078972afd6d2d96305f91055bc6a6f363fb8d3","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"True","lastTransitionTime":"2026-06-11T17:13:04Z","reason":"HostsLinked"},{"type":"Ready","status":"True","lastTransitionTime":"2026-06-11T17:13:04Z","reason":"Reconciled"}],"summary":{"ready":true,"hostsReady":["3dd75e19cd66d310c30638e330078972afd6d2d96305f91055bc6a6f363fb8d3"],"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":6,"festivalWristbandEnabled":false}}} {"level":"info","ts":"2026-06-11T17:13:04Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/b1f82c4ba6cc7617f9c0b90067f72f4a25fdc5de2564c14ccb90af534a2905f6"} {"level":"debug","ts":"2026-06-11T17:13:04Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/3dd75e19cd66d310c30638e330078972afd6d2d96305f91055bc6a6f363fb8d3","issuerUrl":"https://keycloak.apps.70db45dc-32bd-4399-9dbe-1fe353b84610.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-11T17:13:04Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"3dd75e19cd66d310c30638e330078972afd6d2d96305f91055bc6a6f363fb8d3","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-11T17:13:04Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"3dd75e19cd66d310c30638e330078972afd6d2d96305f91055bc6a6f363fb8d3","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"False","lastTransitionTime":"2026-06-11T17:13:04Z","reason":"HostsNotLinked","message":"No hosts linked to the resource"},{"type":"Ready","status":"False","lastTransitionTime":"2026-06-11T17:13:04Z","reason":"Reconciling"}],"summary":{"ready":false,"hostsReady":[],"numHostsReady":"0/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":6,"festivalWristbandEnabled":false}}} {"level":"info","ts":"2026-06-11T17:13:04Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/3dd75e19cd66d310c30638e330078972afd6d2d96305f91055bc6a6f363fb8d3"} {"level":"info","ts":"2026-06-11T17:13:04Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"3dd75e19cd66d310c30638e330078972afd6d2d96305f91055bc6a6f363fb8d3","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-11T17:13:04Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/3dd75e19cd66d310c30638e330078972afd6d2d96305f91055bc6a6f363fb8d3","issuerUrl":"https://keycloak.apps.70db45dc-32bd-4399-9dbe-1fe353b84610.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-11T17:13:04Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"3dd75e19cd66d310c30638e330078972afd6d2d96305f91055bc6a6f363fb8d3","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-11T17:13:04Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"3dd75e19cd66d310c30638e330078972afd6d2d96305f91055bc6a6f363fb8d3","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-11T17:13:04Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/3dd75e19cd66d310c30638e330078972afd6d2d96305f91055bc6a6f363fb8d3"} {"level":"debug","ts":"2026-06-11T17:13:04Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/3dd75e19cd66d310c30638e330078972afd6d2d96305f91055bc6a6f363fb8d3","issuerUrl":"https://keycloak.apps.70db45dc-32bd-4399-9dbe-1fe353b84610.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-11T17:13:04Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"3dd75e19cd66d310c30638e330078972afd6d2d96305f91055bc6a6f363fb8d3","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-11T17:13:04Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"a89b0896df0d8cd430f1c81b6eb292ddc044daed393537d009a6330718f58d4b","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-11T17:13:04Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/3dd75e19cd66d310c30638e330078972afd6d2d96305f91055bc6a6f363fb8d3"} {"level":"debug","ts":"2026-06-11T17:13:04Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/a89b0896df0d8cd430f1c81b6eb292ddc044daed393537d009a6330718f58d4b","issuerUrl":"https://keycloak.apps.70db45dc-32bd-4399-9dbe-1fe353b84610.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-11T17:13:04Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-11T17:13:04Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"80f10756c0e833d16937036ed66f1daf5bef95559ef05a5e852766b97b9bdaef","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-11T17:13:04Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/a89b0896df0d8cd430f1c81b6eb292ddc044daed393537d009a6330718f58d4b"} {"level":"debug","ts":"2026-06-11T17:13:04Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"3dd75e19cd66d310c30638e330078972afd6d2d96305f91055bc6a6f363fb8d3","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"True","lastTransitionTime":"2026-06-11T17:13:04Z","reason":"HostsLinked"},{"type":"Ready","status":"True","lastTransitionTime":"2026-06-11T17:13:04Z","reason":"Reconciled"}],"summary":{"ready":true,"hostsReady":["3dd75e19cd66d310c30638e330078972afd6d2d96305f91055bc6a6f363fb8d3"],"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":6,"festivalWristbandEnabled":false}}} {"level":"debug","ts":"2026-06-11T17:13:04Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d","issuerUrl":"https://keycloak.apps.70db45dc-32bd-4399-9dbe-1fe353b84610.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-11T17:13:04Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"3dd75e19cd66d310c30638e330078972afd6d2d96305f91055bc6a6f363fb8d3","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-11T17:13:04Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"7371c34ce8e4df2309ee8f952c87f921947b289427b6e9ea579dcb9970fc1b86","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-11T17:13:04Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"3dd75e19cd66d310c30638e330078972afd6d2d96305f91055bc6a6f363fb8d3","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-11T17:13:04Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"} {"level":"debug","ts":"2026-06-11T17:13:04Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/80f10756c0e833d16937036ed66f1daf5bef95559ef05a5e852766b97b9bdaef","issuerUrl":"https://keycloak.apps.70db45dc-32bd-4399-9dbe-1fe353b84610.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-11T17:13:04Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/80f10756c0e833d16937036ed66f1daf5bef95559ef05a5e852766b97b9bdaef"} {"level":"debug","ts":"2026-06-11T17:13:04Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/7371c34ce8e4df2309ee8f952c87f921947b289427b6e9ea579dcb9970fc1b86","issuerUrl":"https://keycloak.apps.70db45dc-32bd-4399-9dbe-1fe353b84610.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-11T17:13:04Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"e38d76c6f386f12bc12190c87b39e6e77e182be454f85659a9197c301f2cd9be","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-11T17:13:04Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"35d34d59676c333235d7c9f02273e0380bb39f27cfd30856fedc0f7c0e5f79aa","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-11T17:13:04Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/7371c34ce8e4df2309ee8f952c87f921947b289427b6e9ea579dcb9970fc1b86"} {"level":"debug","ts":"2026-06-11T17:13:04Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/3dd75e19cd66d310c30638e330078972afd6d2d96305f91055bc6a6f363fb8d3","issuerUrl":"https://keycloak.apps.70db45dc-32bd-4399-9dbe-1fe353b84610.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-11T17:13:04Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"bf72a6316f6ed79299511e58d068836cdc71dbca5e23944f783c9340ffa0aee1","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-11T17:13:04Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/3dd75e19cd66d310c30638e330078972afd6d2d96305f91055bc6a6f363fb8d3"} {"level":"debug","ts":"2026-06-11T17:13:04Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"5fea747cb803a5ee3aeb620187bd9ec74ccccd10a92474ef528215a7ff146c8f","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-11T17:13:04Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/e38d76c6f386f12bc12190c87b39e6e77e182be454f85659a9197c301f2cd9be","issuerUrl":"https://keycloak.apps.70db45dc-32bd-4399-9dbe-1fe353b84610.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-11T17:13:04Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/e38d76c6f386f12bc12190c87b39e6e77e182be454f85659a9197c301f2cd9be"} {"level":"debug","ts":"2026-06-11T17:13:04Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/35d34d59676c333235d7c9f02273e0380bb39f27cfd30856fedc0f7c0e5f79aa","issuerUrl":"https://keycloak.apps.70db45dc-32bd-4399-9dbe-1fe353b84610.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-11T17:13:04Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/35d34d59676c333235d7c9f02273e0380bb39f27cfd30856fedc0f7c0e5f79aa"} {"level":"debug","ts":"2026-06-11T17:13:04Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/bf72a6316f6ed79299511e58d068836cdc71dbca5e23944f783c9340ffa0aee1","issuerUrl":"https://keycloak.apps.70db45dc-32bd-4399-9dbe-1fe353b84610.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-11T17:13:04Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"311b1be286674fd5684c9ac59b318287dade9769cfe4aeebd8c88e2dc6b72418","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-11T17:13:04Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/bf72a6316f6ed79299511e58d068836cdc71dbca5e23944f783c9340ffa0aee1"} {"level":"debug","ts":"2026-06-11T17:13:04Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/5fea747cb803a5ee3aeb620187bd9ec74ccccd10a92474ef528215a7ff146c8f","issuerUrl":"https://keycloak.apps.70db45dc-32bd-4399-9dbe-1fe353b84610.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-11T17:13:04Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"01918e70442d2cb18c94316131b0e0a241b4a5d12df5b1e1981a3bef420bbdb5","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-11T17:13:04Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/5fea747cb803a5ee3aeb620187bd9ec74ccccd10a92474ef528215a7ff146c8f"} {"level":"debug","ts":"2026-06-11T17:13:04Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/311b1be286674fd5684c9ac59b318287dade9769cfe4aeebd8c88e2dc6b72418","issuerUrl":"https://keycloak.apps.70db45dc-32bd-4399-9dbe-1fe353b84610.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-11T17:13:04Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"331dc257e65f55f80700a586f7807093eda7b3d8e7d91215dc3c47731508480c","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-11T17:13:04Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/311b1be286674fd5684c9ac59b318287dade9769cfe4aeebd8c88e2dc6b72418"} {"level":"debug","ts":"2026-06-11T17:13:04Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/01918e70442d2cb18c94316131b0e0a241b4a5d12df5b1e1981a3bef420bbdb5","issuerUrl":"https://keycloak.apps.70db45dc-32bd-4399-9dbe-1fe353b84610.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-11T17:13:04Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/01918e70442d2cb18c94316131b0e0a241b4a5d12df5b1e1981a3bef420bbdb5"} {"level":"debug","ts":"2026-06-11T17:13:04Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/331dc257e65f55f80700a586f7807093eda7b3d8e7d91215dc3c47731508480c","issuerUrl":"https://keycloak.apps.70db45dc-32bd-4399-9dbe-1fe353b84610.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-11T17:13:04Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/331dc257e65f55f80700a586f7807093eda7b3d8e7d91215dc3c47731508480c"} {"level":"info","ts":"2026-06-11T17:13:04Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource de-indexed","authconfig":"kuadrant-system/2200947db0f3acc41dd3fca21efa06f90c57afddd36d719bdda2dc74a0bd0a11"} {"level":"info","ts":"2026-06-11T17:13:04Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource de-indexed","authconfig":"kuadrant-system/3efb8e937aa19b5e0bdd0c3eb5b4ece33299385dcfc89205b8934853facbdcf0"} {"level":"info","ts":"2026-06-11T17:13:29Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"79c18b62-c0e0-40a1-aa74-7384d9acec21","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.10:38436","PortSpecifier":{"PortValue":38436}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.45:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"79c18b62-c0e0-40a1-aa74-7384d9acec21","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.70db45dc-32bd-4399-9dbe-1fe353b84610.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-11T17:13:29Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"79c18b62-c0e0-40a1-aa74-7384d9acec21","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.10:38436","PortSpecifier":{"PortValue":38436}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.45:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781198009,"nanos":820337857},"http":{"id":"79c18b62-c0e0-40a1-aa74-7384d9acec21","method":"POST","headers":{":authority":"maas.apps.70db45dc-32bd-4399-9dbe-1fe353b84610.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-11T17:13:29Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"79c18b62-c0e0-40a1-aa74-7384d9acec21","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781198309,"groups":["Engineering","Project-Alpha"],"iat":1781198009,"iss":"https://keycloak.apps.70db45dc-32bd-4399-9dbe-1fe353b84610.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:ab06efed-1c17-1421-7fcf-7060ac7c2e69","preferred_username":"alice_lead","scope":"profile email","sid":"TAqmnOuZalkF7O_qUvh-frIh","sub":"d3b1d757-91da-47b0-af8c-59f134e0ba2c","typ":"Bearer"}} {"level":"debug","ts":"2026-06-11T17:13:29Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"79c18b62-c0e0-40a1-aa74-7384d9acec21","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781198309,"groups":["Engineering","Project-Alpha"],"iat":1781198009,"iss":"https://keycloak.apps.70db45dc-32bd-4399-9dbe-1fe353b84610.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:ab06efed-1c17-1421-7fcf-7060ac7c2e69","preferred_username":"alice_lead","scope":"profile email","sid":"TAqmnOuZalkF7O_qUvh-frIh","sub":"d3b1d757-91da-47b0-af8c-59f134e0ba2c","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.133.0.45:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.70db45dc-32bd-4399-9dbe-1fe353b84610.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-11T17:13:29Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"79c18b62-c0e0-40a1-aa74-7384d9acec21","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T17:13:29Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"79c18b62-c0e0-40a1-aa74-7384d9acec21","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T17:13:29Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"79c18b62-c0e0-40a1-aa74-7384d9acec21","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T17:13:29Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"79c18b62-c0e0-40a1-aa74-7384d9acec21","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"subscription_error","Value":{}},{"Name":"groups","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"userid","Value":{}},{"Name":"keyId","Value":{}}]},"Plain":null},"reason":"no such key: metadata"} {"level":"debug","ts":"2026-06-11T17:13:29Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"79c18b62-c0e0-40a1-aa74-7384d9acec21","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"} {"level":"debug","ts":"2026-06-11T17:13:29Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"79c18b62-c0e0-40a1-aa74-7384d9acec21","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"} {"level":"info","ts":"2026-06-11T17:13:29Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"79c18b62-c0e0-40a1-aa74-7384d9acec21","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-11T17:13:29Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"79c18b62-c0e0-40a1-aa74-7384d9acec21","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-11T17:13:29Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"8d374127-14c6-4e47-8f68-feec5c57dbbf","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.10:38442","PortSpecifier":{"PortValue":38442}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.45:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"8d374127-14c6-4e47-8f68-feec5c57dbbf","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.70db45dc-32bd-4399-9dbe-1fe353b84610.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-11T17:13:29Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"8d374127-14c6-4e47-8f68-feec5c57dbbf","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.10:38442","PortSpecifier":{"PortValue":38442}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.45:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781198009,"nanos":937765229},"http":{"id":"8d374127-14c6-4e47-8f68-feec5c57dbbf","method":"POST","headers":{":authority":"maas.apps.70db45dc-32bd-4399-9dbe-1fe353b84610.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-11T17:13:29Z","logger":"authorino.service.auth.authpipeline.identity","msg":"cannot validate identity","request id":"8d374127-14c6-4e47-8f68-feec5c57dbbf","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"reason":"failed to verify signature: failed to verify id token signature"} {"level":"debug","ts":"2026-06-11T17:13:29Z","logger":"authorino.service.auth.authpipeline.identity.kubernetesauth","msg":"calling kubernetes token review api","request id":"8d374127-14c6-4e47-8f68-feec5c57dbbf","tokenreview":{"name":""}} {"level":"debug","ts":"2026-06-11T17:13:29Z","logger":"authorino.service.auth.authpipeline.identity","msg":"cannot validate identity","request id":"8d374127-14c6-4e47-8f68-feec5c57dbbf","config":{"Name":"openshift-identities","Priority":2,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":null,"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"Plain":null,"Noop":null,"ExtendedProperties":[]},"reason":"not authenticated"} {"level":"info","ts":"2026-06-11T17:13:29Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"8d374127-14c6-4e47-8f68-feec5c57dbbf","authorized":false,"response":"UNAUTHENTICATED","object":{"code":16,"status":401,"message":"Authentication required"}} {"level":"debug","ts":"2026-06-11T17:13:29Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"8d374127-14c6-4e47-8f68-feec5c57dbbf","authorized":false,"response":"UNAUTHENTICATED","object":{"code":16,"status":401,"message":"Authentication required","headers":[{"WWW-Authenticate":"request.headers.authorization realm=\"api-keys\""},{"WWW-Authenticate":"Bearer **** realm=\"openshift-identities\""}]}} {"level":"info","ts":"2026-06-11T17:13:29Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"a49ab5f1-71f6-4189-a568-bf823392af48","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.10:38456","PortSpecifier":{"PortValue":38456}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.45:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"a49ab5f1-71f6-4189-a568-bf823392af48","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.70db45dc-32bd-4399-9dbe-1fe353b84610.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-11T17:13:29Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"a49ab5f1-71f6-4189-a568-bf823392af48","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.10:38456","PortSpecifier":{"PortValue":38456}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.45:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781198009,"nanos":980745223},"http":{"id":"a49ab5f1-71f6-4189-a568-bf823392af48","method":"POST","headers":{":authority":"maas.apps.70db45dc-32bd-4399-9dbe-1fe353b84610.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer","content-length":"35","content-type":"application/json","forwarded":"for=44.212.242.249;host=maas.apps.70db45dc-32bd-4399-9dbe-1fe353b84610.prod.konfluxeaas.com;proto=https","user-agent":"python-requests/2.32.5","x-envoy-decorator-operation":"maas-api.opendatahub.svc.cluster.local:8443/*","x-envoy-external-address":"10.132.0.10","x-envoy-peer-metadata":"ChoKCkNMVVNURVJfSUQSDBoKS3ViZXJuZXRlcwqLAQoGTEFCRUxTEoABKn4KSwofc2VydmljZS5pc3Rpby5pby9jYW5vbmljYWwtbmFtZRIoGiZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAovCiNzZXJ2aWNlLmlzdGlvLmlvL2Nhbm9uaWNhbC1yZXZpc2lvbhIIGgZsYXRlc3QKQAoETkFNRRI4GjZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdC02ODdmZjY5OTYtZmQ3aHAKIAoJTkFNRVNQQUNFEhMaEW9wZW5zaGlmdC1pbmdyZXNzCnQKBU9XTkVSEmsaaWt1YmVybmV0ZXM6Ly9hcGlzL2FwcHMvdjEvbmFtZXNwYWNlcy9vcGVuc2hpZnQtaW5ncmVzcy9kZXBsb3ltZW50cy9tYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAo5Cg1XT1JLTE9BRF9OQU1FEigaJm1hYXMtZGVmYXVsdC1nYXRld2F5LW9wZW5zaGlmdC1kZWZhdWx0","x-envoy-peer-metadata-id":"router~10.133.0.45~maas-default-gateway-openshift-default-687ff6996-fd7hp.openshift-ingress~openshift-ingress.svc.cluster.local","x-forwarded-for":"44.212.242.249,10.132.0.10","x-forwarded-host":"maas.apps.70db45dc-32bd-4399-9dbe-1fe353b84610.prod.konfluxeaas.com","x-forwarded-port":"443","x-forwarded-proto":"https","x-request-id":"a49ab5f1-71f6-4189-a568-bf823392af48"},"path":"/maas-api/v1/api-keys","host":"maas.apps.70db45dc-32bd-4399-9dbe-1fe353b84610.prod.konfluxeaas.com","scheme":"https","protocol":"HTTP/1.1"}},"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"metadata_context":{}}} {"level":"debug","ts":"2026-06-11T17:13:29Z","logger":"authorino.service.auth.authpipeline.identity","msg":"cannot validate identity","request id":"a49ab5f1-71f6-4189-a568-bf823392af48","config":{"Name":"openshift-identities","Priority":2,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":null,"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"Plain":null,"Noop":null,"ExtendedProperties":[]},"reason":"credential not found"} {"level":"info","ts":"2026-06-11T17:13:29Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"a49ab5f1-71f6-4189-a568-bf823392af48","authorized":false,"response":"UNAUTHENTICATED","object":{"code":16,"status":401,"message":"Authentication required"}} {"level":"debug","ts":"2026-06-11T17:13:29Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"a49ab5f1-71f6-4189-a568-bf823392af48","authorized":false,"response":"UNAUTHENTICATED","object":{"code":16,"status":401,"message":"Authentication required","headers":[{"WWW-Authenticate":"request.headers.authorization realm=\"api-keys\""},{"WWW-Authenticate":"Bearer **** realm=\"openshift-identities\""}]}} {"level":"info","ts":"2026-06-11T17:13:30Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"c2112ef9-551d-42dd-a3e9-6a572d291cde","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.10:38472","PortSpecifier":{"PortValue":38472}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.45:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"c2112ef9-551d-42dd-a3e9-6a572d291cde","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.70db45dc-32bd-4399-9dbe-1fe353b84610.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-11T17:13:30Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"c2112ef9-551d-42dd-a3e9-6a572d291cde","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.10:38472","PortSpecifier":{"PortValue":38472}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.45:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781198010,"nanos":5817004},"http":{"id":"c2112ef9-551d-42dd-a3e9-6a572d291cde","method":"POST","headers":{":authority":"maas.apps.70db45dc-32bd-4399-9dbe-1fe353b84610.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","content-length":"36","content-type":"application/json","forwarded":"for=44.212.242.249;host=maas.apps.70db45dc-32bd-4399-9dbe-1fe353b84610.prod.konfluxeaas.com;proto=https","user-agent":"python-requests/2.32.5","x-envoy-decorator-operation":"maas-api.opendatahub.svc.cluster.local:8443/*","x-envoy-external-address":"10.132.0.10","x-envoy-peer-metadata":"ChoKCkNMVVNURVJfSUQSDBoKS3ViZXJuZXRlcwqLAQoGTEFCRUxTEoABKn4KSwofc2VydmljZS5pc3Rpby5pby9jYW5vbmljYWwtbmFtZRIoGiZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAovCiNzZXJ2aWNlLmlzdGlvLmlvL2Nhbm9uaWNhbC1yZXZpc2lvbhIIGgZsYXRlc3QKQAoETkFNRRI4GjZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdC02ODdmZjY5OTYtZmQ3aHAKIAoJTkFNRVNQQUNFEhMaEW9wZW5zaGlmdC1pbmdyZXNzCnQKBU9XTkVSEmsaaWt1YmVybmV0ZXM6Ly9hcGlzL2FwcHMvdjEvbmFtZXNwYWNlcy9vcGVuc2hpZnQtaW5ncmVzcy9kZXBsb3ltZW50cy9tYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAo5Cg1XT1JLTE9BRF9OQU1FEigaJm1hYXMtZGVmYXVsdC1nYXRld2F5LW9wZW5zaGlmdC1kZWZhdWx0","x-envoy-peer-metadata-id":"router~10.133.0.45~maas-default-gateway-openshift-default-687ff6996-fd7hp.openshift-ingress~openshift-ingress.svc.cluster.local","x-forwarded-for":"44.212.242.249,10.132.0.10","x-forwarded-host":"maas.apps.70db45dc-32bd-4399-9dbe-1fe353b84610.prod.konfluxeaas.com","x-forwarded-port":"443","x-forwarded-proto":"https","x-request-id":"c2112ef9-551d-42dd-a3e9-6a572d291cde"},"path":"/maas-api/v1/api-keys","host":"maas.apps.70db45dc-32bd-4399-9dbe-1fe353b84610.prod.konfluxeaas.com","scheme":"https","protocol":"HTTP/1.1"}},"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"metadata_context":{}}} {"level":"info","ts":"2026-06-11T17:13:30Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"c2112ef9-551d-42dd-a3e9-6a572d291cde","authorized":false,"response":"UNAUTHENTICATED","object":{"code":16,"status":401,"message":"Authentication required"}} {"level":"debug","ts":"2026-06-11T17:13:30Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"c2112ef9-551d-42dd-a3e9-6a572d291cde","authorized":false,"response":"UNAUTHENTICATED","object":{"code":16,"status":401,"message":"Authentication required","headers":[{"WWW-Authenticate":"request.headers.authorization realm=\"api-keys\""},{"WWW-Authenticate":"Bearer **** realm=\"openshift-identities\""}]}} {"level":"info","ts":"2026-06-11T17:13:30Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"d9c4b049-5e48-488b-ba34-2905ce5a6832","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.10:38478","PortSpecifier":{"PortValue":38478}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.45:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"d9c4b049-5e48-488b-ba34-2905ce5a6832","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.70db45dc-32bd-4399-9dbe-1fe353b84610.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-11T17:13:30Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"d9c4b049-5e48-488b-ba34-2905ce5a6832","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.10:38478","PortSpecifier":{"PortValue":38478}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.45:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781198010,"nanos":389085927},"http":{"id":"d9c4b049-5e48-488b-ba34-2905ce5a6832","method":"POST","headers":{":authority":"maas.apps.70db45dc-32bd-4399-9dbe-1fe353b84610.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-11T17:13:30Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"d9c4b049-5e48-488b-ba34-2905ce5a6832","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781198310,"groups":["Site-Reliability"],"iat":1781198010,"iss":"https://keycloak.apps.70db45dc-32bd-4399-9dbe-1fe353b84610.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:9e59f64c-c8ef-4291-421f-457874795483","preferred_username":"bob_sre","scope":"profile email","sid":"VK8N90b_dzKVCGelD15cqRNi","sub":"bec684c0-5a0f-42d5-b2ea-f604e3196495","typ":"Bearer"}} {"level":"debug","ts":"2026-06-11T17:13:30Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"d9c4b049-5e48-488b-ba34-2905ce5a6832","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781198310,"groups":["Site-Reliability"],"iat":1781198010,"iss":"https://keycloak.apps.70db45dc-32bd-4399-9dbe-1fe353b84610.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:9e59f64c-c8ef-4291-421f-457874795483","preferred_username":"bob_sre","scope":"profile email","sid":"VK8N90b_dzKVCGelD15cqRNi","sub":"bec684c0-5a0f-42d5-b2ea-f604e3196495","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.133.0.45:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.70db45dc-32bd-4399-9dbe-1fe353b84610.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-11T17:13:30Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"d9c4b049-5e48-488b-ba34-2905ce5a6832","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T17:13:30Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"d9c4b049-5e48-488b-ba34-2905ce5a6832","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T17:13:30Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"d9c4b049-5e48-488b-ba34-2905ce5a6832","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T17:13:30Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"d9c4b049-5e48-488b-ba34-2905ce5a6832","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"subscription_error","Value":{}},{"Name":"groups","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"userid","Value":{}},{"Name":"keyId","Value":{}}]},"Plain":null},"reason":"no such key: metadata"} {"level":"debug","ts":"2026-06-11T17:13:30Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"d9c4b049-5e48-488b-ba34-2905ce5a6832","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Site-Reliability\"]"} {"level":"debug","ts":"2026-06-11T17:13:30Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"d9c4b049-5e48-488b-ba34-2905ce5a6832","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"bob_sre"} {"level":"info","ts":"2026-06-11T17:13:30Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"d9c4b049-5e48-488b-ba34-2905ce5a6832","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-11T17:13:30Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"d9c4b049-5e48-488b-ba34-2905ce5a6832","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-11T17:13:30Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"5369b290-c50b-4b41-a6d6-708048e8510c","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.10:38492","PortSpecifier":{"PortValue":38492}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.45:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"5369b290-c50b-4b41-a6d6-708048e8510c","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.70db45dc-32bd-4399-9dbe-1fe353b84610.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-11T17:13:30Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"5369b290-c50b-4b41-a6d6-708048e8510c","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.10:38492","PortSpecifier":{"PortValue":38492}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.45:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781198010,"nanos":620064894},"http":{"id":"5369b290-c50b-4b41-a6d6-708048e8510c","method":"POST","headers":{":authority":"maas.apps.70db45dc-32bd-4399-9dbe-1fe353b84610.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-11T17:13:30Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"5369b290-c50b-4b41-a6d6-708048e8510c","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781198310,"groups":["Engineering","Project-Alpha"],"iat":1781198010,"iss":"https://keycloak.apps.70db45dc-32bd-4399-9dbe-1fe353b84610.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:faae2280-140e-9730-b3d7-2283017b16c5","preferred_username":"alice_lead","scope":"profile email","sid":"N7qAfquWJf99fQd0Kpydmmg2","sub":"d3b1d757-91da-47b0-af8c-59f134e0ba2c","typ":"Bearer"}} {"level":"debug","ts":"2026-06-11T17:13:30Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"5369b290-c50b-4b41-a6d6-708048e8510c","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781198310,"groups":["Engineering","Project-Alpha"],"iat":1781198010,"iss":"https://keycloak.apps.70db45dc-32bd-4399-9dbe-1fe353b84610.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:faae2280-140e-9730-b3d7-2283017b16c5","preferred_username":"alice_lead","scope":"profile email","sid":"N7qAfquWJf99fQd0Kpydmmg2","sub":"d3b1d757-91da-47b0-af8c-59f134e0ba2c","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.133.0.45:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.70db45dc-32bd-4399-9dbe-1fe353b84610.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-11T17:13:30Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"5369b290-c50b-4b41-a6d6-708048e8510c","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T17:13:30Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"5369b290-c50b-4b41-a6d6-708048e8510c","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T17:13:30Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"5369b290-c50b-4b41-a6d6-708048e8510c","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T17:13:30Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"5369b290-c50b-4b41-a6d6-708048e8510c","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"subscription_error","Value":{}},{"Name":"groups","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"userid","Value":{}},{"Name":"keyId","Value":{}}]},"Plain":null},"reason":"no such key: metadata"} {"level":"debug","ts":"2026-06-11T17:13:30Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"5369b290-c50b-4b41-a6d6-708048e8510c","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"} {"level":"debug","ts":"2026-06-11T17:13:30Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"5369b290-c50b-4b41-a6d6-708048e8510c","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"} {"level":"info","ts":"2026-06-11T17:13:30Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"5369b290-c50b-4b41-a6d6-708048e8510c","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-11T17:13:30Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"5369b290-c50b-4b41-a6d6-708048e8510c","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-11T17:13:30Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"e3dc1687-513d-4151-a376-a308c63bfbe7","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.10:38506","PortSpecifier":{"PortValue":38506}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.45:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"e3dc1687-513d-4151-a376-a308c63bfbe7","method":"GET","path":"/maas-api/v1/models","host":"maas.apps.70db45dc-32bd-4399-9dbe-1fe353b84610.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-11T17:13:30Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"e3dc1687-513d-4151-a376-a308c63bfbe7","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.10:38506","PortSpecifier":{"PortValue":38506}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.45:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781198010,"nanos":652701151},"http":{"id":"e3dc1687-513d-4151-a376-a308c63bfbe7","method":"GET","headers":{":authority":"maas.apps.70db45dc-32bd-4399-9dbe-1fe353b84610.prod.konfluxeaas.com",":method":"GET",":path":"/maas-api/v1/models",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-11T17:13:30Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"e3dc1687-513d-4151-a376-a308c63bfbe7","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-p6Ap12AyCWpHgBzN_Kpoh26KuNxm0DrLA0mwaf1gfaRFzwMr9TQBdJOgpxoR"} {"level":"debug","ts":"2026-06-11T17:13:30Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"e3dc1687-513d-4151-a376-a308c63bfbe7","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-p6Ap12AyCWpHgBzN_Kpoh26KuNxm0DrLA0mwaf1gfaRFzwMr9TQBdJOgpxoR\"}"} {"level":"debug","ts":"2026-06-11T17:13:30Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"e3dc1687-513d-4151-a376-a308c63bfbe7","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-11T17:13:30Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"e3dc1687-513d-4151-a376-a308c63bfbe7","input":{"auth":{"identity":"Bearer **** deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-11T17:13:30Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"e3dc1687-513d-4151-a376-a308c63bfbe7","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T17:13:30Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"e3dc1687-513d-4151-a376-a308c63bfbe7","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T17:13:30Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"e3dc1687-513d-4151-a376-a308c63bfbe7","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T17:13:30Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"e3dc1687-513d-4151-a376-a308c63bfbe7","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-11T17:13:30Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"e3dc1687-513d-4151-a376-a308c63bfbe7","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-11T17:13:30Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"e3dc1687-513d-4151-a376-a308c63bfbe7","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"subscription_error","Value":{}},{"Name":"groups","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"userid","Value":{}},{"Name":"keyId","Value":{}}]},"Plain":null},"reason":"no such key: subscription-info"} {"level":"debug","ts":"2026-06-11T17:13:30Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"e3dc1687-513d-4151-a376-a308c63bfbe7","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"} {"level":"info","ts":"2026-06-11T17:13:30Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"e3dc1687-513d-4151-a376-a308c63bfbe7","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-11T17:13:30Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"e3dc1687-513d-4151-a376-a308c63bfbe7","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-11T17:13:30Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"1accc243-3e17-49f6-ae98-0f487e122b53","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.55:51366","PortSpecifier":{"PortValue":51366}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.45:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"1accc243-3e17-49f6-ae98-0f487e122b53","method":"GET","path":"/llm/facebook-opt-125m-simulated/v1/models","host":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local","scheme":"https"}}}} {"level":"debug","ts":"2026-06-11T17:13:30Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"1accc243-3e17-49f6-ae98-0f487e122b53","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.55:51366","PortSpecifier":{"PortValue":51366}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.45:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781198010,"nanos":670052021},"http":{"id":"1accc243-3e17-49f6-ae98-0f487e122b53","method":"GET","headers":{":authority":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local",":method":"GET",":path":"/llm/facebook-opt-125m-simulated/v1/models",":scheme":"https","accept-encoding":"gzip","authorization":"Bearer **** {"level":"debug","ts":"2026-06-11T17:13:30Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"1accc243-3e17-49f6-ae98-0f487e122b53","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-p6Ap12AyCWpHgBzN_Kpoh26KuNxm0DrLA0mwaf1gfaRFzwMr9TQBdJOgpxoR"} {"level":"debug","ts":"2026-06-11T17:13:30Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"1accc243-3e17-49f6-ae98-0f487e122b53","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-p6Ap12AyCWpHgBzN_Kpoh26KuNxm0DrLA0mwaf1gfaRFzwMr9TQBdJOgpxoR\"}"} {"level":"debug","ts":"2026-06-11T17:13:30Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"1accc243-3e17-49f6-ae98-0f487e122b53","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-11T17:13:30Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"1accc243-3e17-49f6-ae98-0f487e122b53","config":"subscription-info","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","headers":{"Content-Type":["application/json"]},"body":"{\"groups\":[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"],\"requestedModel\":\"llm/facebook-opt-125m-simulated\",\"requestedSubscription\":\"simulator-subscription\",\"username\":\"alice_lead\"}"} {"level":"debug","ts":"2026-06-11T17:13:30Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"1accc243-3e17-49f6-ae98-0f487e122b53","config":{"Name":"subscription-info","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"UserInfo":null,"UMA":null,"GenericHTTP":{"Endpoint":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","DynamicEndpoint":null,"Method":"POST","Body":{},"Parameters":[],"Headers":[],"ContentType":"application/json","SharedSecret":"","OAuth2":null,"OAuth2TokenForceFetch":false,"AuthCredentials":null}},"object":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}} {"level":"debug","ts":"2026-06-11T17:13:30Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"1accc243-3e17-49f6-ae98-0f487e122b53","input":{"auth":{"identity":"Bearer **** subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}}},"context":{"context_extensions":{"host":"3dd75e19cd66d310c30638e330078972afd6d2d96305f91055bc6a6f363fb8d3"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.133.0.45:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local",":method":"GET",":path":"/llm/facebook-opt-125m-simulated/v1/models",":scheme":"https","accept-encoding":"gzip","authorization":"Bearer **** sk-oai-p6Ap12AyCWpHgBzN_Kpoh26KuNxm0DrLA0mwaf1gfaRFzwMr9TQBdJOgpxoR","user-agent":"Go-http-client/1.1","x-envoy-decorator-operation":"facebook-opt-125m-simulated-kserve-workload-svc.llm.svc.cluster.local:8000/*","x-envoy-external-address":"10.133.0.55","x-envoy-peer-metadata":"ChoKCkNMVVNURVJfSUQSDBoKS3ViZXJuZXRlcwqLAQoGTEFCRUxTEoABKn4KSwofc2VydmljZS5pc3Rpby5pby9jYW5vbmljYWwtbmFtZRIoGiZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAovCiNzZXJ2aWNlLmlzdGlvLmlvL2Nhbm9uaWNhbC1yZXZpc2lvbhIIGgZsYXRlc3QKQAoETkFNRRI4GjZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdC02ODdmZjY5OTYtZmQ3aHAKIAoJTkFNRVNQQUNFEhMaEW9wZW5zaGlmdC1pbmdyZXNzCnQKBU9XTkVSEmsaaWt1YmVybmV0ZXM6Ly9hcGlzL2FwcHMvdjEvbmFtZXNwYWNlcy9vcGVuc2hpZnQtaW5ncmVzcy9kZXBsb3ltZW50cy9tYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAo5Cg1XT1JLTE9BRF9OQU1FEigaJm1hYXMtZGVmYXVsdC1nYXRld2F5LW9wZW5zaGlmdC1kZWZhdWx0","x-envoy-peer-metadata-id":"router~10.133.0.45~maas-default-gateway-openshift-default-687ff6996-fd7hp.openshift-ingress~openshift-ingress.svc.cluster.local","x-forwarded-for":"10.133.0.55","x-forwarded-proto":"https","x-maas-subscription":"simulator-subscription","x-request-id":"1accc243-3e17-49f6-ae98-0f487e122b53"},"host":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local","id":"1accc243-3e17-49f6-ae98-0f487e122b53","method":"GET","path":"/llm/facebook-opt-125m-simulated/v1/models","protocol":"HTTP/1.1","scheme":"https","time":{"nanos":670052021,"seconds":1781198010},"url_path":"/llm/facebook-opt-125m-simulated/v1/models","user_agent":"Go-http-client/1.1"},"source":{"address":"10.133.0.55:51366","port":51366}}} {"level":"debug","ts":"2026-06-11T17:13:30Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"1accc243-3e17-49f6-ae98-0f487e122b53","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T17:13:30Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"1accc243-3e17-49f6-ae98-0f487e122b53","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T17:13:30Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"1accc243-3e17-49f6-ae98-0f487e122b53","config":{"Name":"subscription-valid","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T17:13:30Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"1accc243-3e17-49f6-ae98-0f487e122b53","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T17:13:30Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"1accc243-3e17-49f6-ae98-0f487e122b53","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-11T17:13:30Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"1accc243-3e17-49f6-ae98-0f487e122b53","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-11T17:13:30Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"1accc243-3e17-49f6-ae98-0f487e122b53","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"} {"level":"debug","ts":"2026-06-11T17:13:30Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"1accc243-3e17-49f6-ae98-0f487e122b53","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"selected_subscription","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"groups","Value":{}},{"Name":"keyId","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"userid","Value":{}},{"Name":"selected_subscription_key","Value":{}}]},"Plain":null},"object":{"groups":["system:authenticated","Engineering","Project-Alpha"],"groups_str":"system:authenticated,Engineering,Project-Alpha","keyId":"8f5cc9dc-aa7a-4a2c-a7b8-a567483797cd","selected_subscription":"simulator-subscription","selected_subscription_key":"models-as-a-service/simulator-subscription@llm/facebook-opt-125m-simulated","subscription_error":"","subscription_error_message":"","subscription_info":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true},"userid":"alice_lead"}} {"level":"info","ts":"2026-06-11T17:13:30Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"1accc243-3e17-49f6-ae98-0f487e122b53","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-11T17:13:30Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"1accc243-3e17-49f6-ae98-0f487e122b53","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-11T17:13:30Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"c01962b8-0e0f-4509-aa5a-3fa8be5f70be","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.10:38516","PortSpecifier":{"PortValue":38516}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.45:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"c01962b8-0e0f-4509-aa5a-3fa8be5f70be","method":"POST","path":"/llm/facebook-opt-125m-simulated/v1/chat/completions","host":"maas.apps.70db45dc-32bd-4399-9dbe-1fe353b84610.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-11T17:13:30Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"c01962b8-0e0f-4509-aa5a-3fa8be5f70be","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.10:38516","PortSpecifier":{"PortValue":38516}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.45:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781198010,"nanos":705596905},"http":{"id":"c01962b8-0e0f-4509-aa5a-3fa8be5f70be","method":"POST","headers":{":authority":"maas.apps.70db45dc-32bd-4399-9dbe-1fe353b84610.prod.konfluxeaas.com",":method":"POST",":path":"/llm/facebook-opt-125m-simulated/v1/chat/completions",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-11T17:13:30Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"c01962b8-0e0f-4509-aa5a-3fa8be5f70be","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-p6Ap12AyCWpHgBzN_Kpoh26KuNxm0DrLA0mwaf1gfaRFzwMr9TQBdJOgpxoR"} {"level":"debug","ts":"2026-06-11T17:13:30Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"c01962b8-0e0f-4509-aa5a-3fa8be5f70be","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-p6Ap12AyCWpHgBzN_Kpoh26KuNxm0DrLA0mwaf1gfaRFzwMr9TQBdJOgpxoR\"}"} {"level":"debug","ts":"2026-06-11T17:13:30Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"c01962b8-0e0f-4509-aa5a-3fa8be5f70be","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-11T17:13:30Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"c01962b8-0e0f-4509-aa5a-3fa8be5f70be","config":"subscription-info","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","headers":{"Content-Type":["application/json"]},"body":"{\"groups\":[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"],\"requestedModel\":\"llm/facebook-opt-125m-simulated\",\"requestedSubscription\":\"simulator-subscription\",\"username\":\"alice_lead\"}"} {"level":"debug","ts":"2026-06-11T17:13:30Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"c01962b8-0e0f-4509-aa5a-3fa8be5f70be","config":{"Name":"subscription-info","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"UserInfo":null,"UMA":null,"GenericHTTP":{"Endpoint":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","DynamicEndpoint":null,"Method":"POST","Body":{},"Parameters":[],"Headers":[],"ContentType":"application/json","SharedSecret":"","OAuth2":null,"OAuth2TokenForceFetch":false,"AuthCredentials":null}},"object":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}} {"level":"debug","ts":"2026-06-11T17:13:30Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"c01962b8-0e0f-4509-aa5a-3fa8be5f70be","input":{"auth":{"identity":"Bearer **** subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}}},"context":{"context_extensions":{"host":"18e32965997cdd9967355c6fa5264ed12c0a215989d459ed88d7d6de02865f76"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.133.0.45:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.70db45dc-32bd-4399-9dbe-1fe353b84610.prod.konfluxeaas.com",":method":"POST",":path":"/llm/facebook-opt-125m-simulated/v1/chat/completions",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-11T17:13:30Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"c01962b8-0e0f-4509-aa5a-3fa8be5f70be","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T17:13:30Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"c01962b8-0e0f-4509-aa5a-3fa8be5f70be","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T17:13:30Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"c01962b8-0e0f-4509-aa5a-3fa8be5f70be","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T17:13:30Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"c01962b8-0e0f-4509-aa5a-3fa8be5f70be","config":{"Name":"subscription-valid","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T17:13:30Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"c01962b8-0e0f-4509-aa5a-3fa8be5f70be","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-11T17:13:30Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"c01962b8-0e0f-4509-aa5a-3fa8be5f70be","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-11T17:13:30Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"c01962b8-0e0f-4509-aa5a-3fa8be5f70be","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"} {"level":"debug","ts":"2026-06-11T17:13:30Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"c01962b8-0e0f-4509-aa5a-3fa8be5f70be","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"groups","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"userid","Value":{}}]},"Plain":null},"object":{"groups":["system:authenticated","Engineering","Project-Alpha"],"groups_str":"system:authenticated,Engineering,Project-Alpha","keyId":"8f5cc9dc-aa7a-4a2c-a7b8-a567483797cd","selected_subscription":"simulator-subscription","selected_subscription_key":"models-as-a-service/simulator-subscription@llm/facebook-opt-125m-simulated","subscription_error":"","subscription_error_message":"","subscription_info":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true},"userid":"alice_lead"}} {"level":"info","ts":"2026-06-11T17:13:30Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"c01962b8-0e0f-4509-aa5a-3fa8be5f70be","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-11T17:13:30Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"c01962b8-0e0f-4509-aa5a-3fa8be5f70be","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-11T17:13:30Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"c3b75b97-b6e5-455f-abc7-28f42b9e2177","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.10:38518","PortSpecifier":{"PortValue":38518}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.45:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"c3b75b97-b6e5-455f-abc7-28f42b9e2177","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.70db45dc-32bd-4399-9dbe-1fe353b84610.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-11T17:13:30Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"c3b75b97-b6e5-455f-abc7-28f42b9e2177","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.10:38518","PortSpecifier":{"PortValue":38518}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.45:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781198010,"nanos":807495412},"http":{"id":"c3b75b97-b6e5-455f-abc7-28f42b9e2177","method":"POST","headers":{":authority":"maas.apps.70db45dc-32bd-4399-9dbe-1fe353b84610.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-11T17:13:30Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"c3b75b97-b6e5-455f-abc7-28f42b9e2177","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781198310,"groups":["Engineering","Project-Alpha"],"iat":1781198010,"iss":"https://keycloak.apps.70db45dc-32bd-4399-9dbe-1fe353b84610.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:e8887b33-14c0-5944-77c9-4554834edf2e","preferred_username":"alice_lead","scope":"profile email","sid":"n-qn4G7nam_KeVgAF6P6eb0f","sub":"d3b1d757-91da-47b0-af8c-59f134e0ba2c","typ":"Bearer"}} {"level":"debug","ts":"2026-06-11T17:13:30Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"c3b75b97-b6e5-455f-abc7-28f42b9e2177","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781198310,"groups":["Engineering","Project-Alpha"],"iat":1781198010,"iss":"https://keycloak.apps.70db45dc-32bd-4399-9dbe-1fe353b84610.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:e8887b33-14c0-5944-77c9-4554834edf2e","preferred_username":"alice_lead","scope":"profile email","sid":"n-qn4G7nam_KeVgAF6P6eb0f","sub":"d3b1d757-91da-47b0-af8c-59f134e0ba2c","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.133.0.45:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.70db45dc-32bd-4399-9dbe-1fe353b84610.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-11T17:13:30Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"c3b75b97-b6e5-455f-abc7-28f42b9e2177","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T17:13:30Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"c3b75b97-b6e5-455f-abc7-28f42b9e2177","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T17:13:30Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"c3b75b97-b6e5-455f-abc7-28f42b9e2177","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T17:13:30Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"c3b75b97-b6e5-455f-abc7-28f42b9e2177","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"subscription_error","Value":{}},{"Name":"groups","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"userid","Value":{}},{"Name":"keyId","Value":{}}]},"Plain":null},"reason":"no such key: metadata"} {"level":"debug","ts":"2026-06-11T17:13:30Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"c3b75b97-b6e5-455f-abc7-28f42b9e2177","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"} {"level":"debug","ts":"2026-06-11T17:13:30Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"c3b75b97-b6e5-455f-abc7-28f42b9e2177","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"} {"level":"info","ts":"2026-06-11T17:13:30Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"c3b75b97-b6e5-455f-abc7-28f42b9e2177","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-11T17:13:30Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"c3b75b97-b6e5-455f-abc7-28f42b9e2177","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-11T17:13:30Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"b09f9d93-3443-42e0-b7b7-495629100246","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.10:38532","PortSpecifier":{"PortValue":38532}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.45:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"b09f9d93-3443-42e0-b7b7-495629100246","method":"DELETE","path":"/maas-api/v1/api-keys/5209b771-7060-4c46-977b-d006230caff2","host":"maas.apps.70db45dc-32bd-4399-9dbe-1fe353b84610.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-11T17:13:30Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"b09f9d93-3443-42e0-b7b7-495629100246","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.10:38532","PortSpecifier":{"PortValue":38532}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.45:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781198010,"nanos":841886792},"http":{"id":"b09f9d93-3443-42e0-b7b7-495629100246","method":"DELETE","headers":{":authority":"maas.apps.70db45dc-32bd-4399-9dbe-1fe353b84610.prod.konfluxeaas.com",":method":"DELETE",":path":"/maas-api/v1/api-keys/5209b771-7060-4c46-977b-d006230caff2",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-11T17:13:30Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"b09f9d93-3443-42e0-b7b7-495629100246","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781198310,"groups":["Engineering","Project-Alpha"],"iat":1781198010,"iss":"https://keycloak.apps.70db45dc-32bd-4399-9dbe-1fe353b84610.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:e8887b33-14c0-5944-77c9-4554834edf2e","preferred_username":"alice_lead","scope":"profile email","sid":"n-qn4G7nam_KeVgAF6P6eb0f","sub":"d3b1d757-91da-47b0-af8c-59f134e0ba2c","typ":"Bearer"}} {"level":"debug","ts":"2026-06-11T17:13:30Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"b09f9d93-3443-42e0-b7b7-495629100246","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781198310,"groups":["Engineering","Project-Alpha"],"iat":1781198010,"iss":"https://keycloak.apps.70db45dc-32bd-4399-9dbe-1fe353b84610.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:e8887b33-14c0-5944-77c9-4554834edf2e","preferred_username":"alice_lead","scope":"profile email","sid":"n-qn4G7nam_KeVgAF6P6eb0f","sub":"d3b1d757-91da-47b0-af8c-59f134e0ba2c","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.133.0.45:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.70db45dc-32bd-4399-9dbe-1fe353b84610.prod.konfluxeaas.com",":method":"DELETE",":path":"/maas-api/v1/api-keys/5209b771-7060-4c46-977b-d006230caff2",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-11T17:13:30Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"b09f9d93-3443-42e0-b7b7-495629100246","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T17:13:30Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"b09f9d93-3443-42e0-b7b7-495629100246","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T17:13:30Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"b09f9d93-3443-42e0-b7b7-495629100246","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T17:13:30Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"b09f9d93-3443-42e0-b7b7-495629100246","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"subscription_error","Value":{}},{"Name":"groups","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"userid","Value":{}},{"Name":"keyId","Value":{}}]},"Plain":null},"reason":"no such key: metadata"} {"level":"debug","ts":"2026-06-11T17:13:30Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"b09f9d93-3443-42e0-b7b7-495629100246","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"} {"level":"debug","ts":"2026-06-11T17:13:30Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"b09f9d93-3443-42e0-b7b7-495629100246","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"} {"level":"info","ts":"2026-06-11T17:13:30Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"b09f9d93-3443-42e0-b7b7-495629100246","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-11T17:13:30Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"b09f9d93-3443-42e0-b7b7-495629100246","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-11T17:13:33Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"ec935cdb-bc64-493e-a86f-9971740fa477","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.10:38540","PortSpecifier":{"PortValue":38540}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.45:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"ec935cdb-bc64-493e-a86f-9971740fa477","method":"GET","path":"/maas-api/v1/models","host":"maas.apps.70db45dc-32bd-4399-9dbe-1fe353b84610.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-11T17:13:33Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"ec935cdb-bc64-493e-a86f-9971740fa477","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.10:38540","PortSpecifier":{"PortValue":38540}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.45:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781198013,"nanos":878279466},"http":{"id":"ec935cdb-bc64-493e-a86f-9971740fa477","method":"GET","headers":{":authority":"maas.apps.70db45dc-32bd-4399-9dbe-1fe353b84610.prod.konfluxeaas.com",":method":"GET",":path":"/maas-api/v1/models",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-11T17:13:33Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"ec935cdb-bc64-493e-a86f-9971740fa477","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-skbhhy2UoPyBxf3k_VgSh4yohcZQOB2jV0TD1hnhCobEpYQUtn270G4Rp9rk"} {"level":"debug","ts":"2026-06-11T17:13:33Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"ec935cdb-bc64-493e-a86f-9971740fa477","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-skbhhy2UoPyBxf3k_VgSh4yohcZQOB2jV0TD1hnhCobEpYQUtn270G4Rp9rk\"}"} {"level":"debug","ts":"2026-06-11T17:13:33Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"ec935cdb-bc64-493e-a86f-9971740fa477","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** revoked or expired","valid":false}} {"level":"debug","ts":"2026-06-11T17:13:33Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"ec935cdb-bc64-493e-a86f-9971740fa477","input":{"auth":{"identity":"Bearer **** revoked or expired","valid":false}}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.133.0.45:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.70db45dc-32bd-4399-9dbe-1fe353b84610.prod.konfluxeaas.com",":method":"GET",":path":"/maas-api/v1/models",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-11T17:13:33Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"ec935cdb-bc64-493e-a86f-9971740fa477","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T17:13:33Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access denied","request id":"ec935cdb-bc64-493e-a86f-9971740fa477","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"reason":"Unauthorized"} {"level":"info","ts":"2026-06-11T17:13:33Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"ec935cdb-bc64-493e-a86f-9971740fa477","authorized":false,"response":"PERMISSION_DENIED","object":{"code":7,"status":403,"message":"Unauthorized"}} {"level":"debug","ts":"2026-06-11T17:13:33Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"ec935cdb-bc64-493e-a86f-9971740fa477","authorized":false,"response":"PERMISSION_DENIED","object":{"code":7,"status":403,"message":"Unauthorized","headers":[{"content-type":"text/plain"},{"x-ext-auth-reason":""}]}} {"level":"info","ts":"2026-06-11T17:13:34Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"47ca5354-f535-4395-8c0f-08bf5b03b58c","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.10:38550","PortSpecifier":{"PortValue":38550}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.45:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"47ca5354-f535-4395-8c0f-08bf5b03b58c","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.70db45dc-32bd-4399-9dbe-1fe353b84610.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-11T17:13:34Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"47ca5354-f535-4395-8c0f-08bf5b03b58c","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.10:38550","PortSpecifier":{"PortValue":38550}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.45:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781198014,"nanos":19585791},"http":{"id":"47ca5354-f535-4395-8c0f-08bf5b03b58c","method":"POST","headers":{":authority":"maas.apps.70db45dc-32bd-4399-9dbe-1fe353b84610.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-11T17:13:34Z","logger":"authorino.service.auth.authpipeline.identity","msg":"cannot validate identity","request id":"47ca5354-f535-4395-8c0f-08bf5b03b58c","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"reason":"failed to verify signature: failed to verify id token signature"} {"level":"debug","ts":"2026-06-11T17:13:34Z","logger":"authorino.service.auth.authpipeline.identity.kubernetesauth","msg":"calling kubernetes token review api","request id":"47ca5354-f535-4395-8c0f-08bf5b03b58c","tokenreview":{"name":""}} {"level":"debug","ts":"2026-06-11T17:13:34Z","logger":"authorino.service.auth.authpipeline.identity","msg":"cannot validate identity","request id":"47ca5354-f535-4395-8c0f-08bf5b03b58c","config":{"Name":"openshift-identities","Priority":2,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":null,"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"Plain":null,"Noop":null,"ExtendedProperties":[]},"reason":"not authenticated"} {"level":"info","ts":"2026-06-11T17:13:34Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"47ca5354-f535-4395-8c0f-08bf5b03b58c","authorized":false,"response":"UNAUTHENTICATED","object":{"code":16,"status":401,"message":"Authentication required"}} {"level":"debug","ts":"2026-06-11T17:13:34Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"47ca5354-f535-4395-8c0f-08bf5b03b58c","authorized":false,"response":"UNAUTHENTICATED","object":{"code":16,"status":401,"message":"Authentication required","headers":[{"WWW-Authenticate":"request.headers.authorization realm=\"api-keys\""},{"WWW-Authenticate":"Bearer **** realm=\"openshift-identities\""}]}} {"level":"info","ts":"2026-06-11T17:13:34Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"16d6f06b-9838-4b3d-818f-3cc459d94a6c","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.10:38566","PortSpecifier":{"PortValue":38566}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.45:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"16d6f06b-9838-4b3d-818f-3cc459d94a6c","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.70db45dc-32bd-4399-9dbe-1fe353b84610.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-11T17:13:34Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"16d6f06b-9838-4b3d-818f-3cc459d94a6c","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.10:38566","PortSpecifier":{"PortValue":38566}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.45:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781198014,"nanos":188685475},"http":{"id":"16d6f06b-9838-4b3d-818f-3cc459d94a6c","method":"POST","headers":{":authority":"maas.apps.70db45dc-32bd-4399-9dbe-1fe353b84610.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-11T17:13:34Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"16d6f06b-9838-4b3d-818f-3cc459d94a6c","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781198314,"groups":["Engineering","Project-Alpha"],"iat":1781198014,"iss":"https://keycloak.apps.70db45dc-32bd-4399-9dbe-1fe353b84610.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:2d73f3db-8ced-c95a-a526-9b40e8625d4c","preferred_username":"alice_lead","scope":"profile email","sid":"JBHgSBqT2fwUIEjWmZSRLcp1","sub":"d3b1d757-91da-47b0-af8c-59f134e0ba2c","typ":"Bearer"}} {"level":"debug","ts":"2026-06-11T17:13:34Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"16d6f06b-9838-4b3d-818f-3cc459d94a6c","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781198314,"groups":["Engineering","Project-Alpha"],"iat":1781198014,"iss":"https://keycloak.apps.70db45dc-32bd-4399-9dbe-1fe353b84610.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:2d73f3db-8ced-c95a-a526-9b40e8625d4c","preferred_username":"alice_lead","scope":"profile email","sid":"JBHgSBqT2fwUIEjWmZSRLcp1","sub":"d3b1d757-91da-47b0-af8c-59f134e0ba2c","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.133.0.45:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.70db45dc-32bd-4399-9dbe-1fe353b84610.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-11T17:13:34Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"16d6f06b-9838-4b3d-818f-3cc459d94a6c","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T17:13:34Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"16d6f06b-9838-4b3d-818f-3cc459d94a6c","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T17:13:34Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"16d6f06b-9838-4b3d-818f-3cc459d94a6c","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T17:13:34Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"16d6f06b-9838-4b3d-818f-3cc459d94a6c","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"subscription_error","Value":{}},{"Name":"groups","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"userid","Value":{}},{"Name":"keyId","Value":{}}]},"Plain":null},"reason":"no such key: metadata"} {"level":"debug","ts":"2026-06-11T17:13:34Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"16d6f06b-9838-4b3d-818f-3cc459d94a6c","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"} {"level":"debug","ts":"2026-06-11T17:13:34Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"16d6f06b-9838-4b3d-818f-3cc459d94a6c","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"} {"level":"info","ts":"2026-06-11T17:13:34Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"16d6f06b-9838-4b3d-818f-3cc459d94a6c","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-11T17:13:34Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"16d6f06b-9838-4b3d-818f-3cc459d94a6c","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-11T17:13:34Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"beb33920-d2dd-45ca-a4ee-138ee21becc4","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.10:38574","PortSpecifier":{"PortValue":38574}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.45:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"beb33920-d2dd-45ca-a4ee-138ee21becc4","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.70db45dc-32bd-4399-9dbe-1fe353b84610.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-11T17:13:34Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"beb33920-d2dd-45ca-a4ee-138ee21becc4","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.10:38574","PortSpecifier":{"PortValue":38574}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.45:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781198014,"nanos":217403735},"http":{"id":"beb33920-d2dd-45ca-a4ee-138ee21becc4","method":"POST","headers":{":authority":"maas.apps.70db45dc-32bd-4399-9dbe-1fe353b84610.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-11T17:13:34Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"beb33920-d2dd-45ca-a4ee-138ee21becc4","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781198314,"groups":["Site-Reliability"],"iat":1781198014,"iss":"https://keycloak.apps.70db45dc-32bd-4399-9dbe-1fe353b84610.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:3b646397-afe1-2072-8234-2de293388fe5","preferred_username":"bob_sre","scope":"profile email","sid":"hDUJCo_0kVlL0Ba_SUW-Mu9p","sub":"bec684c0-5a0f-42d5-b2ea-f604e3196495","typ":"Bearer"}} {"level":"debug","ts":"2026-06-11T17:13:34Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"beb33920-d2dd-45ca-a4ee-138ee21becc4","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781198314,"groups":["Site-Reliability"],"iat":1781198014,"iss":"https://keycloak.apps.70db45dc-32bd-4399-9dbe-1fe353b84610.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:3b646397-afe1-2072-8234-2de293388fe5","preferred_username":"bob_sre","scope":"profile email","sid":"hDUJCo_0kVlL0Ba_SUW-Mu9p","sub":"bec684c0-5a0f-42d5-b2ea-f604e3196495","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.133.0.45:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.70db45dc-32bd-4399-9dbe-1fe353b84610.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-11T17:13:34Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"beb33920-d2dd-45ca-a4ee-138ee21becc4","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T17:13:34Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"beb33920-d2dd-45ca-a4ee-138ee21becc4","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T17:13:34Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"beb33920-d2dd-45ca-a4ee-138ee21becc4","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T17:13:34Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"beb33920-d2dd-45ca-a4ee-138ee21becc4","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"subscription_error","Value":{}},{"Name":"groups","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"userid","Value":{}},{"Name":"keyId","Value":{}}]},"Plain":null},"reason":"no such key: metadata"} {"level":"debug","ts":"2026-06-11T17:13:34Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"beb33920-d2dd-45ca-a4ee-138ee21becc4","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"bob_sre"} {"level":"debug","ts":"2026-06-11T17:13:34Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"beb33920-d2dd-45ca-a4ee-138ee21becc4","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Site-Reliability\"]"} {"level":"info","ts":"2026-06-11T17:13:34Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"beb33920-d2dd-45ca-a4ee-138ee21becc4","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-11T17:13:34Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"beb33920-d2dd-45ca-a4ee-138ee21becc4","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-11T17:13:34Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"0e385067-192f-4431-92df-3d334cc9b0e5","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.10:38586","PortSpecifier":{"PortValue":38586}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.45:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"0e385067-192f-4431-92df-3d334cc9b0e5","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.70db45dc-32bd-4399-9dbe-1fe353b84610.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-11T17:13:34Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"0e385067-192f-4431-92df-3d334cc9b0e5","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.10:38586","PortSpecifier":{"PortValue":38586}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.45:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781198014,"nanos":314321435},"http":{"id":"0e385067-192f-4431-92df-3d334cc9b0e5","method":"POST","headers":{":authority":"maas.apps.70db45dc-32bd-4399-9dbe-1fe353b84610.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-11T17:13:34Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"0e385067-192f-4431-92df-3d334cc9b0e5","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781198314,"groups":["Engineering","Project-Alpha"],"iat":1781198014,"iss":"https://keycloak.apps.70db45dc-32bd-4399-9dbe-1fe353b84610.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:87e645bb-2390-c8eb-1f82-ad0a8a407414","preferred_username":"alice_lead","scope":"profile email","sid":"96CxZ-Xq97ILBMMLBclkgBg9","sub":"d3b1d757-91da-47b0-af8c-59f134e0ba2c","typ":"Bearer"}} {"level":"debug","ts":"2026-06-11T17:13:34Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"0e385067-192f-4431-92df-3d334cc9b0e5","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781198314,"groups":["Engineering","Project-Alpha"],"iat":1781198014,"iss":"https://keycloak.apps.70db45dc-32bd-4399-9dbe-1fe353b84610.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:87e645bb-2390-c8eb-1f82-ad0a8a407414","preferred_username":"alice_lead","scope":"profile email","sid":"96CxZ-Xq97ILBMMLBclkgBg9","sub":"d3b1d757-91da-47b0-af8c-59f134e0ba2c","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.133.0.45:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.70db45dc-32bd-4399-9dbe-1fe353b84610.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-11T17:13:34Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"0e385067-192f-4431-92df-3d334cc9b0e5","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T17:13:34Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"0e385067-192f-4431-92df-3d334cc9b0e5","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T17:13:34Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"0e385067-192f-4431-92df-3d334cc9b0e5","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T17:13:34Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"0e385067-192f-4431-92df-3d334cc9b0e5","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"subscription_error","Value":{}},{"Name":"groups","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"userid","Value":{}},{"Name":"keyId","Value":{}}]},"Plain":null},"reason":"no such key: metadata"} {"level":"debug","ts":"2026-06-11T17:13:34Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"0e385067-192f-4431-92df-3d334cc9b0e5","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"} {"level":"debug","ts":"2026-06-11T17:13:34Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"0e385067-192f-4431-92df-3d334cc9b0e5","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"} {"level":"info","ts":"2026-06-11T17:13:34Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"0e385067-192f-4431-92df-3d334cc9b0e5","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-11T17:13:34Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"0e385067-192f-4431-92df-3d334cc9b0e5","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-11T17:13:34Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"8e5f4b54-68e5-43cd-9fb9-0814b44e0dc0","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.10:38596","PortSpecifier":{"PortValue":38596}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.45:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"8e5f4b54-68e5-43cd-9fb9-0814b44e0dc0","method":"DELETE","path":"/maas-api/v1/api-keys/c20d7742-88d3-4d28-b51e-8e81475662b4","host":"maas.apps.70db45dc-32bd-4399-9dbe-1fe353b84610.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-11T17:13:34Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"8e5f4b54-68e5-43cd-9fb9-0814b44e0dc0","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.10:38596","PortSpecifier":{"PortValue":38596}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.45:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781198014,"nanos":345015053},"http":{"id":"8e5f4b54-68e5-43cd-9fb9-0814b44e0dc0","method":"DELETE","headers":{":authority":"maas.apps.70db45dc-32bd-4399-9dbe-1fe353b84610.prod.konfluxeaas.com",":method":"DELETE",":path":"/maas-api/v1/api-keys/c20d7742-88d3-4d28-b51e-8e81475662b4",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-11T17:13:34Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"8e5f4b54-68e5-43cd-9fb9-0814b44e0dc0","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781198314,"groups":["Engineering","Project-Alpha"],"iat":1781198014,"iss":"https://keycloak.apps.70db45dc-32bd-4399-9dbe-1fe353b84610.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:87e645bb-2390-c8eb-1f82-ad0a8a407414","preferred_username":"alice_lead","scope":"profile email","sid":"96CxZ-Xq97ILBMMLBclkgBg9","sub":"d3b1d757-91da-47b0-af8c-59f134e0ba2c","typ":"Bearer"}} {"level":"debug","ts":"2026-06-11T17:13:34Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"8e5f4b54-68e5-43cd-9fb9-0814b44e0dc0","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781198314,"groups":["Engineering","Project-Alpha"],"iat":1781198014,"iss":"https://keycloak.apps.70db45dc-32bd-4399-9dbe-1fe353b84610.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:87e645bb-2390-c8eb-1f82-ad0a8a407414","preferred_username":"alice_lead","scope":"profile email","sid":"96CxZ-Xq97ILBMMLBclkgBg9","sub":"d3b1d757-91da-47b0-af8c-59f134e0ba2c","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.133.0.45:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.70db45dc-32bd-4399-9dbe-1fe353b84610.prod.konfluxeaas.com",":method":"DELETE",":path":"/maas-api/v1/api-keys/c20d7742-88d3-4d28-b51e-8e81475662b4",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-11T17:13:34Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"8e5f4b54-68e5-43cd-9fb9-0814b44e0dc0","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T17:13:34Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"8e5f4b54-68e5-43cd-9fb9-0814b44e0dc0","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T17:13:34Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"8e5f4b54-68e5-43cd-9fb9-0814b44e0dc0","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T17:13:34Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"8e5f4b54-68e5-43cd-9fb9-0814b44e0dc0","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"subscription_error","Value":{}},{"Name":"groups","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"userid","Value":{}},{"Name":"keyId","Value":{}}]},"Plain":null},"reason":"no such key: metadata"} {"level":"debug","ts":"2026-06-11T17:13:34Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"8e5f4b54-68e5-43cd-9fb9-0814b44e0dc0","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"} {"level":"debug","ts":"2026-06-11T17:13:34Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"8e5f4b54-68e5-43cd-9fb9-0814b44e0dc0","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"} {"level":"info","ts":"2026-06-11T17:13:34Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"8e5f4b54-68e5-43cd-9fb9-0814b44e0dc0","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-11T17:13:34Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"8e5f4b54-68e5-43cd-9fb9-0814b44e0dc0","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-11T17:13:34Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"327269c8-49b4-4a02-823e-dcdfbfcb126a","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.10:38600","PortSpecifier":{"PortValue":38600}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.45:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"327269c8-49b4-4a02-823e-dcdfbfcb126a","method":"DELETE","path":"/maas-api/v1/api-keys/c20d7742-88d3-4d28-b51e-8e81475662b4","host":"maas.apps.70db45dc-32bd-4399-9dbe-1fe353b84610.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-11T17:13:34Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"327269c8-49b4-4a02-823e-dcdfbfcb126a","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.10:38600","PortSpecifier":{"PortValue":38600}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.45:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781198014,"nanos":375137706},"http":{"id":"327269c8-49b4-4a02-823e-dcdfbfcb126a","method":"DELETE","headers":{":authority":"maas.apps.70db45dc-32bd-4399-9dbe-1fe353b84610.prod.konfluxeaas.com",":method":"DELETE",":path":"/maas-api/v1/api-keys/c20d7742-88d3-4d28-b51e-8e81475662b4",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-11T17:13:34Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"327269c8-49b4-4a02-823e-dcdfbfcb126a","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781198314,"groups":["Engineering","Project-Alpha"],"iat":1781198014,"iss":"https://keycloak.apps.70db45dc-32bd-4399-9dbe-1fe353b84610.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:87e645bb-2390-c8eb-1f82-ad0a8a407414","preferred_username":"alice_lead","scope":"profile email","sid":"96CxZ-Xq97ILBMMLBclkgBg9","sub":"d3b1d757-91da-47b0-af8c-59f134e0ba2c","typ":"Bearer"}} {"level":"debug","ts":"2026-06-11T17:13:34Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"327269c8-49b4-4a02-823e-dcdfbfcb126a","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781198314,"groups":["Engineering","Project-Alpha"],"iat":1781198014,"iss":"https://keycloak.apps.70db45dc-32bd-4399-9dbe-1fe353b84610.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:87e645bb-2390-c8eb-1f82-ad0a8a407414","preferred_username":"alice_lead","scope":"profile email","sid":"96CxZ-Xq97ILBMMLBclkgBg9","sub":"d3b1d757-91da-47b0-af8c-59f134e0ba2c","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.133.0.45:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.70db45dc-32bd-4399-9dbe-1fe353b84610.prod.konfluxeaas.com",":method":"DELETE",":path":"/maas-api/v1/api-keys/c20d7742-88d3-4d28-b51e-8e81475662b4",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-11T17:13:34Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"327269c8-49b4-4a02-823e-dcdfbfcb126a","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T17:13:34Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"327269c8-49b4-4a02-823e-dcdfbfcb126a","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T17:13:34Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"327269c8-49b4-4a02-823e-dcdfbfcb126a","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T17:13:34Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"327269c8-49b4-4a02-823e-dcdfbfcb126a","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"subscription_error","Value":{}},{"Name":"groups","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"userid","Value":{}},{"Name":"keyId","Value":{}}]},"Plain":null},"reason":"no such key: metadata"} {"level":"debug","ts":"2026-06-11T17:13:34Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"327269c8-49b4-4a02-823e-dcdfbfcb126a","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"} {"level":"debug","ts":"2026-06-11T17:13:34Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"327269c8-49b4-4a02-823e-dcdfbfcb126a","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"} {"level":"info","ts":"2026-06-11T17:13:34Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"327269c8-49b4-4a02-823e-dcdfbfcb126a","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-11T17:13:34Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"327269c8-49b4-4a02-823e-dcdfbfcb126a","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-11T17:13:34Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"b54ea823-ebe8-4954-b525-ce7d1ed93436","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.10:38602","PortSpecifier":{"PortValue":38602}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.45:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"b54ea823-ebe8-4954-b525-ce7d1ed93436","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.70db45dc-32bd-4399-9dbe-1fe353b84610.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-11T17:13:34Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"b54ea823-ebe8-4954-b525-ce7d1ed93436","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.10:38602","PortSpecifier":{"PortValue":38602}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.45:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781198014,"nanos":464132932},"http":{"id":"b54ea823-ebe8-4954-b525-ce7d1ed93436","method":"POST","headers":{":authority":"maas.apps.70db45dc-32bd-4399-9dbe-1fe353b84610.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-11T17:13:34Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"b54ea823-ebe8-4954-b525-ce7d1ed93436","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781198314,"groups":["Engineering","Project-Alpha"],"iat":1781198014,"iss":"https://keycloak.apps.70db45dc-32bd-4399-9dbe-1fe353b84610.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:b91027cd-8aed-6351-02fb-b063fd620ddc","preferred_username":"alice_lead","scope":"profile email","sid":"lwV6BRbc9kHAjCNr3YHICrL-","sub":"d3b1d757-91da-47b0-af8c-59f134e0ba2c","typ":"Bearer"}} {"level":"debug","ts":"2026-06-11T17:13:34Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"b54ea823-ebe8-4954-b525-ce7d1ed93436","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781198314,"groups":["Engineering","Project-Alpha"],"iat":1781198014,"iss":"https://keycloak.apps.70db45dc-32bd-4399-9dbe-1fe353b84610.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:b91027cd-8aed-6351-02fb-b063fd620ddc","preferred_username":"alice_lead","scope":"profile email","sid":"lwV6BRbc9kHAjCNr3YHICrL-","sub":"d3b1d757-91da-47b0-af8c-59f134e0ba2c","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.133.0.45:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.70db45dc-32bd-4399-9dbe-1fe353b84610.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-11T17:13:34Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"b54ea823-ebe8-4954-b525-ce7d1ed93436","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T17:13:34Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"b54ea823-ebe8-4954-b525-ce7d1ed93436","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T17:13:34Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"b54ea823-ebe8-4954-b525-ce7d1ed93436","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T17:13:34Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"b54ea823-ebe8-4954-b525-ce7d1ed93436","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"subscription_error","Value":{}},{"Name":"groups","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"userid","Value":{}},{"Name":"keyId","Value":{}}]},"Plain":null},"reason":"no such key: metadata"} {"level":"debug","ts":"2026-06-11T17:13:34Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"b54ea823-ebe8-4954-b525-ce7d1ed93436","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"} {"level":"debug","ts":"2026-06-11T17:13:34Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"b54ea823-ebe8-4954-b525-ce7d1ed93436","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"} {"level":"info","ts":"2026-06-11T17:13:34Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"b54ea823-ebe8-4954-b525-ce7d1ed93436","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-11T17:13:34Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"b54ea823-ebe8-4954-b525-ce7d1ed93436","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-11T17:13:34Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"913c61ef-8822-4b7f-a905-c1540681052c","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.10:38610","PortSpecifier":{"PortValue":38610}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.45:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"913c61ef-8822-4b7f-a905-c1540681052c","method":"GET","path":"/maas-api/v1/models","host":"maas.apps.70db45dc-32bd-4399-9dbe-1fe353b84610.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-11T17:13:34Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"913c61ef-8822-4b7f-a905-c1540681052c","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.10:38610","PortSpecifier":{"PortValue":38610}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.45:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781198014,"nanos":492677169},"http":{"id":"913c61ef-8822-4b7f-a905-c1540681052c","method":"GET","headers":{":authority":"maas.apps.70db45dc-32bd-4399-9dbe-1fe353b84610.prod.konfluxeaas.com",":method":"GET",":path":"/maas-api/v1/models",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-11T17:13:34Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"913c61ef-8822-4b7f-a905-c1540681052c","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-1DUei6OjpSA1xHp15_6QmrMT5aiPRM8bVAuey1N9snjQvTsTbqlNXfKeiOXB0"} {"level":"debug","ts":"2026-06-11T17:13:34Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"913c61ef-8822-4b7f-a905-c1540681052c","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-1DUei6OjpSA1xHp15_6QmrMT5aiPRM8bVAuey1N9snjQvTsTbqlNXfKeiOXB0\"}"} {"level":"debug","ts":"2026-06-11T17:13:34Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"913c61ef-8822-4b7f-a905-c1540681052c","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-11T17:13:34Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"913c61ef-8822-4b7f-a905-c1540681052c","input":{"auth":{"identity":"Bearer **** deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-11T17:13:34Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"913c61ef-8822-4b7f-a905-c1540681052c","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T17:13:34Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"913c61ef-8822-4b7f-a905-c1540681052c","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T17:13:34Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"913c61ef-8822-4b7f-a905-c1540681052c","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T17:13:34Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"913c61ef-8822-4b7f-a905-c1540681052c","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-11T17:13:34Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"913c61ef-8822-4b7f-a905-c1540681052c","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-11T17:13:34Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"913c61ef-8822-4b7f-a905-c1540681052c","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"subscription_error","Value":{}},{"Name":"groups","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"userid","Value":{}},{"Name":"keyId","Value":{}}]},"Plain":null},"reason":"no such key: subscription-info"} {"level":"debug","ts":"2026-06-11T17:13:34Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"913c61ef-8822-4b7f-a905-c1540681052c","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"} {"level":"info","ts":"2026-06-11T17:13:34Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"913c61ef-8822-4b7f-a905-c1540681052c","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-11T17:13:34Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"913c61ef-8822-4b7f-a905-c1540681052c","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-11T17:13:34Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"d2fb02e3-666b-4a7a-b662-f69756ba9248","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.55:51366","PortSpecifier":{"PortValue":51366}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.45:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"d2fb02e3-666b-4a7a-b662-f69756ba9248","method":"GET","path":"/llm/facebook-opt-125m-simulated/v1/models","host":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local","scheme":"https"}}}} {"level":"debug","ts":"2026-06-11T17:13:34Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"d2fb02e3-666b-4a7a-b662-f69756ba9248","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.55:51366","PortSpecifier":{"PortValue":51366}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.45:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781198014,"nanos":500376305},"http":{"id":"d2fb02e3-666b-4a7a-b662-f69756ba9248","method":"GET","headers":{":authority":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local",":method":"GET",":path":"/llm/facebook-opt-125m-simulated/v1/models",":scheme":"https","accept-encoding":"gzip","authorization":"Bearer **** {"level":"debug","ts":"2026-06-11T17:13:34Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"d2fb02e3-666b-4a7a-b662-f69756ba9248","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-1DUei6OjpSA1xHp15_6QmrMT5aiPRM8bVAuey1N9snjQvTsTbqlNXfKeiOXB0"} {"level":"debug","ts":"2026-06-11T17:13:34Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"d2fb02e3-666b-4a7a-b662-f69756ba9248","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-1DUei6OjpSA1xHp15_6QmrMT5aiPRM8bVAuey1N9snjQvTsTbqlNXfKeiOXB0\"}"} {"level":"debug","ts":"2026-06-11T17:13:34Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"d2fb02e3-666b-4a7a-b662-f69756ba9248","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-11T17:13:34Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"d2fb02e3-666b-4a7a-b662-f69756ba9248","config":"subscription-info","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","headers":{"Content-Type":["application/json"]},"body":"{\"groups\":[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"],\"requestedModel\":\"llm/facebook-opt-125m-simulated\",\"requestedSubscription\":\"simulator-subscription\",\"username\":\"alice_lead\"}"} {"level":"debug","ts":"2026-06-11T17:13:34Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"d2fb02e3-666b-4a7a-b662-f69756ba9248","config":{"Name":"subscription-info","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"UserInfo":null,"UMA":null,"GenericHTTP":{"Endpoint":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","DynamicEndpoint":null,"Method":"POST","Body":{},"Parameters":[],"Headers":[],"ContentType":"application/json","SharedSecret":"","OAuth2":null,"OAuth2TokenForceFetch":false,"AuthCredentials":null}},"object":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}} {"level":"debug","ts":"2026-06-11T17:13:34Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"d2fb02e3-666b-4a7a-b662-f69756ba9248","input":{"auth":{"identity":"Bearer **** subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}}},"context":{"context_extensions":{"host":"3dd75e19cd66d310c30638e330078972afd6d2d96305f91055bc6a6f363fb8d3"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.133.0.45:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local",":method":"GET",":path":"/llm/facebook-opt-125m-simulated/v1/models",":scheme":"https","accept-encoding":"gzip","authorization":"Bearer **** sk-oai-1DUei6OjpSA1xHp15_6QmrMT5aiPRM8bVAuey1N9snjQvTsTbqlNXfKeiOXB0","user-agent":"Go-http-client/1.1","x-envoy-decorator-operation":"facebook-opt-125m-simulated-kserve-workload-svc.llm.svc.cluster.local:8000/*","x-envoy-external-address":"10.133.0.55","x-envoy-peer-metadata":"ChoKCkNMVVNURVJfSUQSDBoKS3ViZXJuZXRlcwqLAQoGTEFCRUxTEoABKn4KSwofc2VydmljZS5pc3Rpby5pby9jYW5vbmljYWwtbmFtZRIoGiZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAovCiNzZXJ2aWNlLmlzdGlvLmlvL2Nhbm9uaWNhbC1yZXZpc2lvbhIIGgZsYXRlc3QKQAoETkFNRRI4GjZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdC02ODdmZjY5OTYtZmQ3aHAKIAoJTkFNRVNQQUNFEhMaEW9wZW5zaGlmdC1pbmdyZXNzCnQKBU9XTkVSEmsaaWt1YmVybmV0ZXM6Ly9hcGlzL2FwcHMvdjEvbmFtZXNwYWNlcy9vcGVuc2hpZnQtaW5ncmVzcy9kZXBsb3ltZW50cy9tYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAo5Cg1XT1JLTE9BRF9OQU1FEigaJm1hYXMtZGVmYXVsdC1nYXRld2F5LW9wZW5zaGlmdC1kZWZhdWx0","x-envoy-peer-metadata-id":"router~10.133.0.45~maas-default-gateway-openshift-default-687ff6996-fd7hp.openshift-ingress~openshift-ingress.svc.cluster.local","x-forwarded-for":"10.133.0.55","x-forwarded-proto":"https","x-maas-subscription":"simulator-subscription","x-request-id":"d2fb02e3-666b-4a7a-b662-f69756ba9248"},"host":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local","id":"d2fb02e3-666b-4a7a-b662-f69756ba9248","method":"GET","path":"/llm/facebook-opt-125m-simulated/v1/models","protocol":"HTTP/1.1","scheme":"https","time":{"nanos":500376305,"seconds":1781198014},"url_path":"/llm/facebook-opt-125m-simulated/v1/models","user_agent":"Go-http-client/1.1"},"source":{"address":"10.133.0.55:51366","port":51366}}} {"level":"debug","ts":"2026-06-11T17:13:34Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"d2fb02e3-666b-4a7a-b662-f69756ba9248","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T17:13:34Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"d2fb02e3-666b-4a7a-b662-f69756ba9248","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T17:13:34Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"d2fb02e3-666b-4a7a-b662-f69756ba9248","config":{"Name":"subscription-valid","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T17:13:34Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"d2fb02e3-666b-4a7a-b662-f69756ba9248","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T17:13:34Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"d2fb02e3-666b-4a7a-b662-f69756ba9248","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-11T17:13:34Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"d2fb02e3-666b-4a7a-b662-f69756ba9248","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-11T17:13:34Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"d2fb02e3-666b-4a7a-b662-f69756ba9248","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"} {"level":"debug","ts":"2026-06-11T17:13:34Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"d2fb02e3-666b-4a7a-b662-f69756ba9248","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"selected_subscription","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"groups","Value":{}},{"Name":"keyId","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"userid","Value":{}},{"Name":"selected_subscription_key","Value":{}}]},"Plain":null},"object":{"groups":["system:authenticated","Engineering","Project-Alpha"],"groups_str":"system:authenticated,Engineering,Project-Alpha","keyId":"9176af54-8e4b-45d3-9192-aaf592c4a6a7","selected_subscription":"simulator-subscription","selected_subscription_key":"models-as-a-service/simulator-subscription@llm/facebook-opt-125m-simulated","subscription_error":"","subscription_error_message":"","subscription_info":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true},"userid":"alice_lead"}} {"level":"info","ts":"2026-06-11T17:13:34Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"d2fb02e3-666b-4a7a-b662-f69756ba9248","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-11T17:13:34Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"d2fb02e3-666b-4a7a-b662-f69756ba9248","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-11T17:13:34Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"9292825b-7f7e-4682-a44e-9c4df24b41d1","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.10:38614","PortSpecifier":{"PortValue":38614}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.45:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"9292825b-7f7e-4682-a44e-9c4df24b41d1","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.70db45dc-32bd-4399-9dbe-1fe353b84610.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-11T17:13:34Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"9292825b-7f7e-4682-a44e-9c4df24b41d1","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.10:38614","PortSpecifier":{"PortValue":38614}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.45:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781198014,"nanos":595777881},"http":{"id":"9292825b-7f7e-4682-a44e-9c4df24b41d1","method":"POST","headers":{":authority":"maas.apps.70db45dc-32bd-4399-9dbe-1fe353b84610.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-11T17:13:34Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"9292825b-7f7e-4682-a44e-9c4df24b41d1","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781198314,"groups":["Engineering","Project-Alpha"],"iat":1781198014,"iss":"https://keycloak.apps.70db45dc-32bd-4399-9dbe-1fe353b84610.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:d18cea78-3b74-e3ae-55b9-cd2e56c0adbb","preferred_username":"alice_lead","scope":"profile email","sid":"LM4Rt6hl5tkVbUP1UnSbmNT7","sub":"d3b1d757-91da-47b0-af8c-59f134e0ba2c","typ":"Bearer"}} {"level":"debug","ts":"2026-06-11T17:13:34Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"9292825b-7f7e-4682-a44e-9c4df24b41d1","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781198314,"groups":["Engineering","Project-Alpha"],"iat":1781198014,"iss":"https://keycloak.apps.70db45dc-32bd-4399-9dbe-1fe353b84610.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:d18cea78-3b74-e3ae-55b9-cd2e56c0adbb","preferred_username":"alice_lead","scope":"profile email","sid":"LM4Rt6hl5tkVbUP1UnSbmNT7","sub":"d3b1d757-91da-47b0-af8c-59f134e0ba2c","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.133.0.45:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.70db45dc-32bd-4399-9dbe-1fe353b84610.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-11T17:13:34Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"9292825b-7f7e-4682-a44e-9c4df24b41d1","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T17:13:34Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"9292825b-7f7e-4682-a44e-9c4df24b41d1","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T17:13:34Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"9292825b-7f7e-4682-a44e-9c4df24b41d1","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T17:13:34Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"9292825b-7f7e-4682-a44e-9c4df24b41d1","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"subscription_error","Value":{}},{"Name":"groups","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"userid","Value":{}},{"Name":"keyId","Value":{}}]},"Plain":null},"reason":"no such key: metadata"} {"level":"debug","ts":"2026-06-11T17:13:34Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"9292825b-7f7e-4682-a44e-9c4df24b41d1","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"} {"level":"debug","ts":"2026-06-11T17:13:34Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"9292825b-7f7e-4682-a44e-9c4df24b41d1","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"} {"level":"info","ts":"2026-06-11T17:13:34Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"9292825b-7f7e-4682-a44e-9c4df24b41d1","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-11T17:13:34Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"9292825b-7f7e-4682-a44e-9c4df24b41d1","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-11T17:13:34Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"5dcdfee3-d735-4a32-abd4-ca188b13a4fa","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.10:38626","PortSpecifier":{"PortValue":38626}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.45:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"5dcdfee3-d735-4a32-abd4-ca188b13a4fa","method":"GET","path":"/maas-api/v1/models","host":"maas.apps.70db45dc-32bd-4399-9dbe-1fe353b84610.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-11T17:13:34Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"5dcdfee3-d735-4a32-abd4-ca188b13a4fa","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.10:38626","PortSpecifier":{"PortValue":38626}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.45:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781198014,"nanos":626833383},"http":{"id":"5dcdfee3-d735-4a32-abd4-ca188b13a4fa","method":"GET","headers":{":authority":"maas.apps.70db45dc-32bd-4399-9dbe-1fe353b84610.prod.konfluxeaas.com",":method":"GET",":path":"/maas-api/v1/models",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-11T17:13:34Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"5dcdfee3-d735-4a32-abd4-ca188b13a4fa","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-gHOqlFbFJ78w1Zpl_4qdDVpjRPAc4XwNQHu4IOQw84QU0RbKRcCcNNGyHiaD"} {"level":"debug","ts":"2026-06-11T17:13:34Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"5dcdfee3-d735-4a32-abd4-ca188b13a4fa","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-gHOqlFbFJ78w1Zpl_4qdDVpjRPAc4XwNQHu4IOQw84QU0RbKRcCcNNGyHiaD\"}"} {"level":"debug","ts":"2026-06-11T17:13:34Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"5dcdfee3-d735-4a32-abd4-ca188b13a4fa","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-11T17:13:34Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"5dcdfee3-d735-4a32-abd4-ca188b13a4fa","input":{"auth":{"identity":"Bearer **** deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-11T17:13:34Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"5dcdfee3-d735-4a32-abd4-ca188b13a4fa","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T17:13:34Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"5dcdfee3-d735-4a32-abd4-ca188b13a4fa","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T17:13:34Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"5dcdfee3-d735-4a32-abd4-ca188b13a4fa","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T17:13:34Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"5dcdfee3-d735-4a32-abd4-ca188b13a4fa","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-11T17:13:34Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"5dcdfee3-d735-4a32-abd4-ca188b13a4fa","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-11T17:13:34Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"5dcdfee3-d735-4a32-abd4-ca188b13a4fa","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"subscription_error","Value":{}},{"Name":"groups","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"userid","Value":{}},{"Name":"keyId","Value":{}}]},"Plain":null},"reason":"no such key: subscription-info"} {"level":"debug","ts":"2026-06-11T17:13:34Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"5dcdfee3-d735-4a32-abd4-ca188b13a4fa","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"} {"level":"info","ts":"2026-06-11T17:13:34Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"5dcdfee3-d735-4a32-abd4-ca188b13a4fa","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-11T17:13:34Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"5dcdfee3-d735-4a32-abd4-ca188b13a4fa","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-11T17:13:34Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"150f1b86-22e7-40e5-a1a2-1d478d308432","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.10:38634","PortSpecifier":{"PortValue":38634}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.45:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"150f1b86-22e7-40e5-a1a2-1d478d308432","method":"GET","path":"/maas-api/v1/models","host":"maas.apps.70db45dc-32bd-4399-9dbe-1fe353b84610.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-11T17:13:34Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"150f1b86-22e7-40e5-a1a2-1d478d308432","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.10:38634","PortSpecifier":{"PortValue":38634}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.45:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781198014,"nanos":655334823},"http":{"id":"150f1b86-22e7-40e5-a1a2-1d478d308432","method":"GET","headers":{":authority":"maas.apps.70db45dc-32bd-4399-9dbe-1fe353b84610.prod.konfluxeaas.com",":method":"GET",":path":"/maas-api/v1/models",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-11T17:13:34Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"150f1b86-22e7-40e5-a1a2-1d478d308432","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-gHOqlFbFJ78w1Zpl_4qdDVpjRPAc4XwNQHu4IOQw84QU0RbKRcCcNNGyHiaD"} {"level":"debug","ts":"2026-06-11T17:13:34Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"150f1b86-22e7-40e5-a1a2-1d478d308432","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-gHOqlFbFJ78w1Zpl_4qdDVpjRPAc4XwNQHu4IOQw84QU0RbKRcCcNNGyHiaD\"}"} {"level":"debug","ts":"2026-06-11T17:13:34Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"150f1b86-22e7-40e5-a1a2-1d478d308432","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-11T17:13:34Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"150f1b86-22e7-40e5-a1a2-1d478d308432","input":{"auth":{"identity":"Bearer **** deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-11T17:13:34Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"150f1b86-22e7-40e5-a1a2-1d478d308432","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T17:13:34Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"150f1b86-22e7-40e5-a1a2-1d478d308432","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T17:13:34Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"150f1b86-22e7-40e5-a1a2-1d478d308432","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T17:13:34Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"150f1b86-22e7-40e5-a1a2-1d478d308432","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-11T17:13:34Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"150f1b86-22e7-40e5-a1a2-1d478d308432","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-11T17:13:34Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"150f1b86-22e7-40e5-a1a2-1d478d308432","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"subscription_error","Value":{}},{"Name":"groups","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"userid","Value":{}},{"Name":"keyId","Value":{}}]},"Plain":null},"reason":"no such key: subscription-info"} {"level":"debug","ts":"2026-06-11T17:13:34Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"150f1b86-22e7-40e5-a1a2-1d478d308432","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"} {"level":"info","ts":"2026-06-11T17:13:34Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"150f1b86-22e7-40e5-a1a2-1d478d308432","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-11T17:13:34Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"150f1b86-22e7-40e5-a1a2-1d478d308432","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-11T17:13:34Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"b6648111-37a9-4af0-8522-75511259a824","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.55:51366","PortSpecifier":{"PortValue":51366}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.45:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"b6648111-37a9-4af0-8522-75511259a824","method":"GET","path":"/llm/facebook-opt-125m-simulated/v1/models","host":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local","scheme":"https"}}}} {"level":"debug","ts":"2026-06-11T17:13:34Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"b6648111-37a9-4af0-8522-75511259a824","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.55:51366","PortSpecifier":{"PortValue":51366}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.45:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781198014,"nanos":663631320},"http":{"id":"b6648111-37a9-4af0-8522-75511259a824","method":"GET","headers":{":authority":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local",":method":"GET",":path":"/llm/facebook-opt-125m-simulated/v1/models",":scheme":"https","accept-encoding":"gzip","authorization":"Bearer **** {"level":"debug","ts":"2026-06-11T17:13:34Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"b6648111-37a9-4af0-8522-75511259a824","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-gHOqlFbFJ78w1Zpl_4qdDVpjRPAc4XwNQHu4IOQw84QU0RbKRcCcNNGyHiaD"} {"level":"debug","ts":"2026-06-11T17:13:34Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"b6648111-37a9-4af0-8522-75511259a824","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-gHOqlFbFJ78w1Zpl_4qdDVpjRPAc4XwNQHu4IOQw84QU0RbKRcCcNNGyHiaD\"}"} {"level":"debug","ts":"2026-06-11T17:13:34Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"b6648111-37a9-4af0-8522-75511259a824","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-11T17:13:34Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"b6648111-37a9-4af0-8522-75511259a824","config":"subscription-info","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","headers":{"Content-Type":["application/json"]},"body":"{\"groups\":[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"],\"requestedModel\":\"llm/facebook-opt-125m-simulated\",\"requestedSubscription\":\"simulator-subscription\",\"username\":\"alice_lead\"}"} {"level":"debug","ts":"2026-06-11T17:13:34Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"b6648111-37a9-4af0-8522-75511259a824","config":{"Name":"subscription-info","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"UserInfo":null,"UMA":null,"GenericHTTP":{"Endpoint":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","DynamicEndpoint":null,"Method":"POST","Body":{},"Parameters":[],"Headers":[],"ContentType":"application/json","SharedSecret":"","OAuth2":null,"OAuth2TokenForceFetch":false,"AuthCredentials":null}},"object":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}} {"level":"debug","ts":"2026-06-11T17:13:34Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"b6648111-37a9-4af0-8522-75511259a824","input":{"auth":{"identity":"Bearer **** subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}}},"context":{"context_extensions":{"host":"3dd75e19cd66d310c30638e330078972afd6d2d96305f91055bc6a6f363fb8d3"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.133.0.45:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local",":method":"GET",":path":"/llm/facebook-opt-125m-simulated/v1/models",":scheme":"https","accept-encoding":"gzip","authorization":"Bearer **** sk-oai-gHOqlFbFJ78w1Zpl_4qdDVpjRPAc4XwNQHu4IOQw84QU0RbKRcCcNNGyHiaD","user-agent":"Go-http-client/1.1","x-envoy-decorator-operation":"facebook-opt-125m-simulated-kserve-workload-svc.llm.svc.cluster.local:8000/*","x-envoy-external-address":"10.133.0.55","x-envoy-peer-metadata":"ChoKCkNMVVNURVJfSUQSDBoKS3ViZXJuZXRlcwqLAQoGTEFCRUxTEoABKn4KSwofc2VydmljZS5pc3Rpby5pby9jYW5vbmljYWwtbmFtZRIoGiZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAovCiNzZXJ2aWNlLmlzdGlvLmlvL2Nhbm9uaWNhbC1yZXZpc2lvbhIIGgZsYXRlc3QKQAoETkFNRRI4GjZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdC02ODdmZjY5OTYtZmQ3aHAKIAoJTkFNRVNQQUNFEhMaEW9wZW5zaGlmdC1pbmdyZXNzCnQKBU9XTkVSEmsaaWt1YmVybmV0ZXM6Ly9hcGlzL2FwcHMvdjEvbmFtZXNwYWNlcy9vcGVuc2hpZnQtaW5ncmVzcy9kZXBsb3ltZW50cy9tYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAo5Cg1XT1JLTE9BRF9OQU1FEigaJm1hYXMtZGVmYXVsdC1nYXRld2F5LW9wZW5zaGlmdC1kZWZhdWx0","x-envoy-peer-metadata-id":"router~10.133.0.45~maas-default-gateway-openshift-default-687ff6996-fd7hp.openshift-ingress~openshift-ingress.svc.cluster.local","x-forwarded-for":"10.133.0.55","x-forwarded-proto":"https","x-maas-subscription":"simulator-subscription","x-request-id":"b6648111-37a9-4af0-8522-75511259a824"},"host":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local","id":"b6648111-37a9-4af0-8522-75511259a824","method":"GET","path":"/llm/facebook-opt-125m-simulated/v1/models","protocol":"HTTP/1.1","scheme":"https","time":{"nanos":663631320,"seconds":1781198014},"url_path":"/llm/facebook-opt-125m-simulated/v1/models","user_agent":"Go-http-client/1.1"},"source":{"address":"10.133.0.55:51366","port":51366}}} {"level":"debug","ts":"2026-06-11T17:13:34Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"b6648111-37a9-4af0-8522-75511259a824","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T17:13:34Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"b6648111-37a9-4af0-8522-75511259a824","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T17:13:34Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"b6648111-37a9-4af0-8522-75511259a824","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T17:13:34Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"b6648111-37a9-4af0-8522-75511259a824","config":{"Name":"subscription-valid","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T17:13:34Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"b6648111-37a9-4af0-8522-75511259a824","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-11T17:13:34Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"b6648111-37a9-4af0-8522-75511259a824","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-11T17:13:34Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"b6648111-37a9-4af0-8522-75511259a824","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"} {"level":"debug","ts":"2026-06-11T17:13:34Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"b6648111-37a9-4af0-8522-75511259a824","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"selected_subscription","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"groups","Value":{}},{"Name":"keyId","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"userid","Value":{}},{"Name":"selected_subscription_key","Value":{}}]},"Plain":null},"object":{"groups":["system:authenticated","Engineering","Project-Alpha"],"groups_str":"system:authenticated,Engineering,Project-Alpha","keyId":"d6e6f12d-2e8b-4b89-ad97-f4e7490b8cc3","selected_subscription":"simulator-subscription","selected_subscription_key":"models-as-a-service/simulator-subscription@llm/facebook-opt-125m-simulated","subscription_error":"","subscription_error_message":"","subscription_info":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true},"userid":"alice_lead"}} {"level":"info","ts":"2026-06-11T17:13:34Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"b6648111-37a9-4af0-8522-75511259a824","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-11T17:13:34Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"b6648111-37a9-4af0-8522-75511259a824","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-11T17:13:34Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"ea14ee1d-542b-417b-abf7-2078fa792a7a","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.10:38646","PortSpecifier":{"PortValue":38646}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.45:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"ea14ee1d-542b-417b-abf7-2078fa792a7a","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.70db45dc-32bd-4399-9dbe-1fe353b84610.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-11T17:13:34Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"ea14ee1d-542b-417b-abf7-2078fa792a7a","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.10:38646","PortSpecifier":{"PortValue":38646}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.45:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781198014,"nanos":765521266},"http":{"id":"ea14ee1d-542b-417b-abf7-2078fa792a7a","method":"POST","headers":{":authority":"maas.apps.70db45dc-32bd-4399-9dbe-1fe353b84610.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-11T17:13:34Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"ea14ee1d-542b-417b-abf7-2078fa792a7a","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781198314,"groups":["Engineering","Project-Alpha"],"iat":1781198014,"iss":"https://keycloak.apps.70db45dc-32bd-4399-9dbe-1fe353b84610.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:5e5d712d-166b-3db7-fab3-ec85972f227c","preferred_username":"alice_lead","scope":"profile email","sid":"3OZzZXI2WZ28I4Yg9vwqRcYU","sub":"d3b1d757-91da-47b0-af8c-59f134e0ba2c","typ":"Bearer"}} {"level":"debug","ts":"2026-06-11T17:13:34Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"ea14ee1d-542b-417b-abf7-2078fa792a7a","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781198314,"groups":["Engineering","Project-Alpha"],"iat":1781198014,"iss":"https://keycloak.apps.70db45dc-32bd-4399-9dbe-1fe353b84610.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:5e5d712d-166b-3db7-fab3-ec85972f227c","preferred_username":"alice_lead","scope":"profile email","sid":"3OZzZXI2WZ28I4Yg9vwqRcYU","sub":"d3b1d757-91da-47b0-af8c-59f134e0ba2c","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.133.0.45:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.70db45dc-32bd-4399-9dbe-1fe353b84610.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-11T17:13:34Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"ea14ee1d-542b-417b-abf7-2078fa792a7a","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T17:13:34Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"ea14ee1d-542b-417b-abf7-2078fa792a7a","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T17:13:34Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"ea14ee1d-542b-417b-abf7-2078fa792a7a","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T17:13:34Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"ea14ee1d-542b-417b-abf7-2078fa792a7a","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"subscription_error","Value":{}},{"Name":"groups","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"userid","Value":{}},{"Name":"keyId","Value":{}}]},"Plain":null},"reason":"no such key: metadata"} {"level":"debug","ts":"2026-06-11T17:13:34Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"ea14ee1d-542b-417b-abf7-2078fa792a7a","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"} {"level":"debug","ts":"2026-06-11T17:13:34Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"ea14ee1d-542b-417b-abf7-2078fa792a7a","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"} {"level":"info","ts":"2026-06-11T17:13:34Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"ea14ee1d-542b-417b-abf7-2078fa792a7a","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-11T17:13:34Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"ea14ee1d-542b-417b-abf7-2078fa792a7a","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-11T17:13:34Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"8c384ee8-44b7-4d57-81fe-f5211881969c","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.10:38652","PortSpecifier":{"PortValue":38652}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.45:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"8c384ee8-44b7-4d57-81fe-f5211881969c","method":"GET","path":"/maas-api/v1/models","host":"maas.apps.70db45dc-32bd-4399-9dbe-1fe353b84610.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-11T17:13:34Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"8c384ee8-44b7-4d57-81fe-f5211881969c","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.10:38652","PortSpecifier":{"PortValue":38652}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.45:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781198014,"nanos":793696793},"http":{"id":"8c384ee8-44b7-4d57-81fe-f5211881969c","method":"GET","headers":{":authority":"maas.apps.70db45dc-32bd-4399-9dbe-1fe353b84610.prod.konfluxeaas.com",":method":"GET",":path":"/maas-api/v1/models",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-11T17:13:34Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"8c384ee8-44b7-4d57-81fe-f5211881969c","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-jZnTQUnKWUrNJ0Tj_uVEoAArz9quPN0M9in0bk38bKUSIkAUihnxKvPMEGK7"} {"level":"debug","ts":"2026-06-11T17:13:34Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"8c384ee8-44b7-4d57-81fe-f5211881969c","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-jZnTQUnKWUrNJ0Tj_uVEoAArz9quPN0M9in0bk38bKUSIkAUihnxKvPMEGK7\"}"} {"level":"debug","ts":"2026-06-11T17:13:34Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"8c384ee8-44b7-4d57-81fe-f5211881969c","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-11T17:13:34Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"8c384ee8-44b7-4d57-81fe-f5211881969c","input":{"auth":{"identity":"Bearer **** deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-11T17:13:34Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"8c384ee8-44b7-4d57-81fe-f5211881969c","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T17:13:34Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"8c384ee8-44b7-4d57-81fe-f5211881969c","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T17:13:34Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"8c384ee8-44b7-4d57-81fe-f5211881969c","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T17:13:34Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"8c384ee8-44b7-4d57-81fe-f5211881969c","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-11T17:13:34Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"8c384ee8-44b7-4d57-81fe-f5211881969c","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-11T17:13:34Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"8c384ee8-44b7-4d57-81fe-f5211881969c","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"subscription_error","Value":{}},{"Name":"groups","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"userid","Value":{}},{"Name":"keyId","Value":{}}]},"Plain":null},"reason":"no such key: subscription-info"} {"level":"debug","ts":"2026-06-11T17:13:34Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"8c384ee8-44b7-4d57-81fe-f5211881969c","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"} {"level":"info","ts":"2026-06-11T17:13:34Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"8c384ee8-44b7-4d57-81fe-f5211881969c","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-11T17:13:34Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"8c384ee8-44b7-4d57-81fe-f5211881969c","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-11T17:13:34Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"0e4bd047-6efd-4685-9082-1c40b316edb0","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.55:51366","PortSpecifier":{"PortValue":51366}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.45:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"0e4bd047-6efd-4685-9082-1c40b316edb0","method":"GET","path":"/llm/facebook-opt-125m-simulated/v1/models","host":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local","scheme":"https"}}}} {"level":"debug","ts":"2026-06-11T17:13:34Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"0e4bd047-6efd-4685-9082-1c40b316edb0","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.55:51366","PortSpecifier":{"PortValue":51366}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.45:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781198014,"nanos":801374614},"http":{"id":"0e4bd047-6efd-4685-9082-1c40b316edb0","method":"GET","headers":{":authority":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local",":method":"GET",":path":"/llm/facebook-opt-125m-simulated/v1/models",":scheme":"https","accept-encoding":"gzip","authorization":"Bearer **** {"level":"debug","ts":"2026-06-11T17:13:34Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"0e4bd047-6efd-4685-9082-1c40b316edb0","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-jZnTQUnKWUrNJ0Tj_uVEoAArz9quPN0M9in0bk38bKUSIkAUihnxKvPMEGK7"} {"level":"debug","ts":"2026-06-11T17:13:34Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"0e4bd047-6efd-4685-9082-1c40b316edb0","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-jZnTQUnKWUrNJ0Tj_uVEoAArz9quPN0M9in0bk38bKUSIkAUihnxKvPMEGK7\"}"} {"level":"debug","ts":"2026-06-11T17:13:34Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"0e4bd047-6efd-4685-9082-1c40b316edb0","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-11T17:13:34Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"0e4bd047-6efd-4685-9082-1c40b316edb0","config":"subscription-info","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","headers":{"Content-Type":["application/json"]},"body":"{\"groups\":[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"],\"requestedModel\":\"llm/facebook-opt-125m-simulated\",\"requestedSubscription\":\"simulator-subscription\",\"username\":\"alice_lead\"}"} {"level":"debug","ts":"2026-06-11T17:13:34Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"0e4bd047-6efd-4685-9082-1c40b316edb0","config":{"Name":"subscription-info","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"UserInfo":null,"UMA":null,"GenericHTTP":{"Endpoint":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","DynamicEndpoint":null,"Method":"POST","Body":{},"Parameters":[],"Headers":[],"ContentType":"application/json","SharedSecret":"","OAuth2":null,"OAuth2TokenForceFetch":false,"AuthCredentials":null}},"object":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}} {"level":"debug","ts":"2026-06-11T17:13:34Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"0e4bd047-6efd-4685-9082-1c40b316edb0","input":{"auth":{"identity":"Bearer **** subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}}},"context":{"context_extensions":{"host":"3dd75e19cd66d310c30638e330078972afd6d2d96305f91055bc6a6f363fb8d3"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.133.0.45:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local",":method":"GET",":path":"/llm/facebook-opt-125m-simulated/v1/models",":scheme":"https","accept-encoding":"gzip","authorization":"Bearer **** sk-oai-jZnTQUnKWUrNJ0Tj_uVEoAArz9quPN0M9in0bk38bKUSIkAUihnxKvPMEGK7","user-agent":"Go-http-client/1.1","x-envoy-decorator-operation":"facebook-opt-125m-simulated-kserve-workload-svc.llm.svc.cluster.local:8000/*","x-envoy-external-address":"10.133.0.55","x-envoy-peer-metadata":"ChoKCkNMVVNURVJfSUQSDBoKS3ViZXJuZXRlcwqLAQoGTEFCRUxTEoABKn4KSwofc2VydmljZS5pc3Rpby5pby9jYW5vbmljYWwtbmFtZRIoGiZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAovCiNzZXJ2aWNlLmlzdGlvLmlvL2Nhbm9uaWNhbC1yZXZpc2lvbhIIGgZsYXRlc3QKQAoETkFNRRI4GjZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdC02ODdmZjY5OTYtZmQ3aHAKIAoJTkFNRVNQQUNFEhMaEW9wZW5zaGlmdC1pbmdyZXNzCnQKBU9XTkVSEmsaaWt1YmVybmV0ZXM6Ly9hcGlzL2FwcHMvdjEvbmFtZXNwYWNlcy9vcGVuc2hpZnQtaW5ncmVzcy9kZXBsb3ltZW50cy9tYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAo5Cg1XT1JLTE9BRF9OQU1FEigaJm1hYXMtZGVmYXVsdC1nYXRld2F5LW9wZW5zaGlmdC1kZWZhdWx0","x-envoy-peer-metadata-id":"router~10.133.0.45~maas-default-gateway-openshift-default-687ff6996-fd7hp.openshift-ingress~openshift-ingress.svc.cluster.local","x-forwarded-for":"10.133.0.55","x-forwarded-proto":"https","x-maas-subscription":"simulator-subscription","x-request-id":"0e4bd047-6efd-4685-9082-1c40b316edb0"},"host":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local","id":"0e4bd047-6efd-4685-9082-1c40b316edb0","method":"GET","path":"/llm/facebook-opt-125m-simulated/v1/models","protocol":"HTTP/1.1","scheme":"https","time":{"nanos":801374614,"seconds":1781198014},"url_path":"/llm/facebook-opt-125m-simulated/v1/models","user_agent":"Go-http-client/1.1"},"source":{"address":"10.133.0.55:51366","port":51366}}} {"level":"debug","ts":"2026-06-11T17:13:34Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"0e4bd047-6efd-4685-9082-1c40b316edb0","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T17:13:34Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"0e4bd047-6efd-4685-9082-1c40b316edb0","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T17:13:34Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"0e4bd047-6efd-4685-9082-1c40b316edb0","config":{"Name":"subscription-valid","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T17:13:34Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"0e4bd047-6efd-4685-9082-1c40b316edb0","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T17:13:34Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"0e4bd047-6efd-4685-9082-1c40b316edb0","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-11T17:13:34Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"0e4bd047-6efd-4685-9082-1c40b316edb0","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-11T17:13:34Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"0e4bd047-6efd-4685-9082-1c40b316edb0","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"} {"level":"debug","ts":"2026-06-11T17:13:34Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"0e4bd047-6efd-4685-9082-1c40b316edb0","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"selected_subscription","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"groups","Value":{}},{"Name":"keyId","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"userid","Value":{}},{"Name":"selected_subscription_key","Value":{}}]},"Plain":null},"object":{"groups":["system:authenticated","Engineering","Project-Alpha"],"groups_str":"system:authenticated,Engineering,Project-Alpha","keyId":"fa2ee852-8187-47ab-a7a2-8dab2aefc069","selected_subscription":"simulator-subscription","selected_subscription_key":"models-as-a-service/simulator-subscription@llm/facebook-opt-125m-simulated","subscription_error":"","subscription_error_message":"","subscription_info":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true},"userid":"alice_lead"}} {"level":"info","ts":"2026-06-11T17:13:34Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"0e4bd047-6efd-4685-9082-1c40b316edb0","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-11T17:13:34Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"0e4bd047-6efd-4685-9082-1c40b316edb0","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-11T17:13:34Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"cc7d8a83-043b-4a47-9695-9fff0e76bba5","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.10:38656","PortSpecifier":{"PortValue":38656}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.45:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"cc7d8a83-043b-4a47-9695-9fff0e76bba5","method":"GET","path":"/maas-api/v1/models","host":"maas.apps.70db45dc-32bd-4399-9dbe-1fe353b84610.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-11T17:13:34Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"cc7d8a83-043b-4a47-9695-9fff0e76bba5","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.10:38656","PortSpecifier":{"PortValue":38656}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.45:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781198014,"nanos":832650850},"http":{"id":"cc7d8a83-043b-4a47-9695-9fff0e76bba5","method":"GET","headers":{":authority":"maas.apps.70db45dc-32bd-4399-9dbe-1fe353b84610.prod.konfluxeaas.com",":method":"GET",":path":"/maas-api/v1/models",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-11T17:13:34Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"cc7d8a83-043b-4a47-9695-9fff0e76bba5","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-jZnTQUnKWUrNJ0Tj_uVEoAArz9quPN0M9in0bk38bKUSIkAUihnxKvPMEGK7"} {"level":"debug","ts":"2026-06-11T17:13:34Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"cc7d8a83-043b-4a47-9695-9fff0e76bba5","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-jZnTQUnKWUrNJ0Tj_uVEoAArz9quPN0M9in0bk38bKUSIkAUihnxKvPMEGK7\"}"} {"level":"debug","ts":"2026-06-11T17:13:34Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"cc7d8a83-043b-4a47-9695-9fff0e76bba5","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-11T17:13:34Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"cc7d8a83-043b-4a47-9695-9fff0e76bba5","input":{"auth":{"identity":"Bearer **** deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-11T17:13:34Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"cc7d8a83-043b-4a47-9695-9fff0e76bba5","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T17:13:34Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"cc7d8a83-043b-4a47-9695-9fff0e76bba5","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T17:13:34Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"cc7d8a83-043b-4a47-9695-9fff0e76bba5","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T17:13:34Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"cc7d8a83-043b-4a47-9695-9fff0e76bba5","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-11T17:13:34Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"cc7d8a83-043b-4a47-9695-9fff0e76bba5","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-11T17:13:34Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"cc7d8a83-043b-4a47-9695-9fff0e76bba5","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"} {"level":"debug","ts":"2026-06-11T17:13:34Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"cc7d8a83-043b-4a47-9695-9fff0e76bba5","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"subscription_error","Value":{}},{"Name":"groups","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"userid","Value":{}},{"Name":"keyId","Value":{}}]},"Plain":null},"reason":"no such key: subscription-info"} {"level":"info","ts":"2026-06-11T17:13:34Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"cc7d8a83-043b-4a47-9695-9fff0e76bba5","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-11T17:13:34Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"cc7d8a83-043b-4a47-9695-9fff0e76bba5","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-11T17:13:34Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"ce72caa2-04cb-424e-a89b-6eb8420f072f","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.55:51366","PortSpecifier":{"PortValue":51366}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.45:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"ce72caa2-04cb-424e-a89b-6eb8420f072f","method":"GET","path":"/llm/facebook-opt-125m-simulated/v1/models","host":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local","scheme":"https"}}}} {"level":"debug","ts":"2026-06-11T17:13:34Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"ce72caa2-04cb-424e-a89b-6eb8420f072f","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.55:51366","PortSpecifier":{"PortValue":51366}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.45:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781198014,"nanos":840754493},"http":{"id":"ce72caa2-04cb-424e-a89b-6eb8420f072f","method":"GET","headers":{":authority":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local",":method":"GET",":path":"/llm/facebook-opt-125m-simulated/v1/models",":scheme":"https","accept-encoding":"gzip","authorization":"Bearer **** {"level":"debug","ts":"2026-06-11T17:13:34Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"ce72caa2-04cb-424e-a89b-6eb8420f072f","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-jZnTQUnKWUrNJ0Tj_uVEoAArz9quPN0M9in0bk38bKUSIkAUihnxKvPMEGK7"} {"level":"debug","ts":"2026-06-11T17:13:34Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"ce72caa2-04cb-424e-a89b-6eb8420f072f","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-jZnTQUnKWUrNJ0Tj_uVEoAArz9quPN0M9in0bk38bKUSIkAUihnxKvPMEGK7\"}"} {"level":"debug","ts":"2026-06-11T17:13:34Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"ce72caa2-04cb-424e-a89b-6eb8420f072f","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-11T17:13:34Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"ce72caa2-04cb-424e-a89b-6eb8420f072f","config":"subscription-info","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","headers":{"Content-Type":["application/json"]},"body":"{\"groups\":[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"],\"requestedModel\":\"llm/facebook-opt-125m-simulated\",\"requestedSubscription\":\"simulator-subscription\",\"username\":\"alice_lead\"}"} {"level":"debug","ts":"2026-06-11T17:13:34Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"ce72caa2-04cb-424e-a89b-6eb8420f072f","config":{"Name":"subscription-info","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"UserInfo":null,"UMA":null,"GenericHTTP":{"Endpoint":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","DynamicEndpoint":null,"Method":"POST","Body":{},"Parameters":[],"Headers":[],"ContentType":"application/json","SharedSecret":"","OAuth2":null,"OAuth2TokenForceFetch":false,"AuthCredentials":null}},"object":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}} {"level":"debug","ts":"2026-06-11T17:13:34Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"ce72caa2-04cb-424e-a89b-6eb8420f072f","input":{"auth":{"identity":"Bearer **** subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}}},"context":{"context_extensions":{"host":"3dd75e19cd66d310c30638e330078972afd6d2d96305f91055bc6a6f363fb8d3"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.133.0.45:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local",":method":"GET",":path":"/llm/facebook-opt-125m-simulated/v1/models",":scheme":"https","accept-encoding":"gzip","authorization":"Bearer **** sk-oai-jZnTQUnKWUrNJ0Tj_uVEoAArz9quPN0M9in0bk38bKUSIkAUihnxKvPMEGK7","user-agent":"Go-http-client/1.1","x-envoy-decorator-operation":"facebook-opt-125m-simulated-kserve-workload-svc.llm.svc.cluster.local:8000/*","x-envoy-external-address":"10.133.0.55","x-envoy-peer-metadata":"ChoKCkNMVVNURVJfSUQSDBoKS3ViZXJuZXRlcwqLAQoGTEFCRUxTEoABKn4KSwofc2VydmljZS5pc3Rpby5pby9jYW5vbmljYWwtbmFtZRIoGiZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAovCiNzZXJ2aWNlLmlzdGlvLmlvL2Nhbm9uaWNhbC1yZXZpc2lvbhIIGgZsYXRlc3QKQAoETkFNRRI4GjZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdC02ODdmZjY5OTYtZmQ3aHAKIAoJTkFNRVNQQUNFEhMaEW9wZW5zaGlmdC1pbmdyZXNzCnQKBU9XTkVSEmsaaWt1YmVybmV0ZXM6Ly9hcGlzL2FwcHMvdjEvbmFtZXNwYWNlcy9vcGVuc2hpZnQtaW5ncmVzcy9kZXBsb3ltZW50cy9tYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAo5Cg1XT1JLTE9BRF9OQU1FEigaJm1hYXMtZGVmYXVsdC1nYXRld2F5LW9wZW5zaGlmdC1kZWZhdWx0","x-envoy-peer-metadata-id":"router~10.133.0.45~maas-default-gateway-openshift-default-687ff6996-fd7hp.openshift-ingress~openshift-ingress.svc.cluster.local","x-forwarded-for":"10.133.0.55","x-forwarded-proto":"https","x-maas-subscription":"simulator-subscription","x-request-id":"ce72caa2-04cb-424e-a89b-6eb8420f072f"},"host":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local","id":"ce72caa2-04cb-424e-a89b-6eb8420f072f","method":"GET","path":"/llm/facebook-opt-125m-simulated/v1/models","protocol":"HTTP/1.1","scheme":"https","time":{"nanos":840754493,"seconds":1781198014},"url_path":"/llm/facebook-opt-125m-simulated/v1/models","user_agent":"Go-http-client/1.1"},"source":{"address":"10.133.0.55:51366","port":51366}}} {"level":"debug","ts":"2026-06-11T17:13:34Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"ce72caa2-04cb-424e-a89b-6eb8420f072f","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T17:13:34Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"ce72caa2-04cb-424e-a89b-6eb8420f072f","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T17:13:34Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"ce72caa2-04cb-424e-a89b-6eb8420f072f","config":{"Name":"subscription-valid","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T17:13:34Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"ce72caa2-04cb-424e-a89b-6eb8420f072f","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T17:13:34Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"ce72caa2-04cb-424e-a89b-6eb8420f072f","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-11T17:13:34Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"ce72caa2-04cb-424e-a89b-6eb8420f072f","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-11T17:13:34Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"ce72caa2-04cb-424e-a89b-6eb8420f072f","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"} {"level":"debug","ts":"2026-06-11T17:13:34Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"ce72caa2-04cb-424e-a89b-6eb8420f072f","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"selected_subscription","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"groups","Value":{}},{"Name":"keyId","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"userid","Value":{}},{"Name":"selected_subscription_key","Value":{}}]},"Plain":null},"object":{"groups":["system:authenticated","Engineering","Project-Alpha"],"groups_str":"system:authenticated,Engineering,Project-Alpha","keyId":"fa2ee852-8187-47ab-a7a2-8dab2aefc069","selected_subscription":"simulator-subscription","selected_subscription_key":"models-as-a-service/simulator-subscription@llm/facebook-opt-125m-simulated","subscription_error":"","subscription_error_message":"","subscription_info":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true},"userid":"alice_lead"}} {"level":"info","ts":"2026-06-11T17:13:34Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"ce72caa2-04cb-424e-a89b-6eb8420f072f","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-11T17:13:34Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"ce72caa2-04cb-424e-a89b-6eb8420f072f","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-11T17:13:34Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"d14eb637-9032-4bdc-b404-8a5b41d5d268","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.10:38662","PortSpecifier":{"PortValue":38662}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.45:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"d14eb637-9032-4bdc-b404-8a5b41d5d268","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.70db45dc-32bd-4399-9dbe-1fe353b84610.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-11T17:13:34Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"d14eb637-9032-4bdc-b404-8a5b41d5d268","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.10:38662","PortSpecifier":{"PortValue":38662}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.45:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781198014,"nanos":938001112},"http":{"id":"d14eb637-9032-4bdc-b404-8a5b41d5d268","method":"POST","headers":{":authority":"maas.apps.70db45dc-32bd-4399-9dbe-1fe353b84610.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-11T17:13:34Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"d14eb637-9032-4bdc-b404-8a5b41d5d268","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781198314,"groups":["Engineering","Project-Alpha"],"iat":1781198014,"iss":"https://keycloak.apps.70db45dc-32bd-4399-9dbe-1fe353b84610.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:2979e129-e6a9-def0-7b11-9773001193c8","preferred_username":"alice_lead","scope":"profile email","sid":"5UKk7_yroANSgxKwmbQNRfwt","sub":"d3b1d757-91da-47b0-af8c-59f134e0ba2c","typ":"Bearer"}} {"level":"debug","ts":"2026-06-11T17:13:34Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"d14eb637-9032-4bdc-b404-8a5b41d5d268","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781198314,"groups":["Engineering","Project-Alpha"],"iat":1781198014,"iss":"https://keycloak.apps.70db45dc-32bd-4399-9dbe-1fe353b84610.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:2979e129-e6a9-def0-7b11-9773001193c8","preferred_username":"alice_lead","scope":"profile email","sid":"5UKk7_yroANSgxKwmbQNRfwt","sub":"d3b1d757-91da-47b0-af8c-59f134e0ba2c","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.133.0.45:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.70db45dc-32bd-4399-9dbe-1fe353b84610.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-11T17:13:34Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"d14eb637-9032-4bdc-b404-8a5b41d5d268","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T17:13:34Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"d14eb637-9032-4bdc-b404-8a5b41d5d268","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T17:13:34Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"d14eb637-9032-4bdc-b404-8a5b41d5d268","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T17:13:34Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"d14eb637-9032-4bdc-b404-8a5b41d5d268","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"subscription_error","Value":{}},{"Name":"groups","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"userid","Value":{}},{"Name":"keyId","Value":{}}]},"Plain":null},"reason":"no such key: metadata"} {"level":"debug","ts":"2026-06-11T17:13:34Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"d14eb637-9032-4bdc-b404-8a5b41d5d268","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"} {"level":"debug","ts":"2026-06-11T17:13:34Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"d14eb637-9032-4bdc-b404-8a5b41d5d268","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"} {"level":"info","ts":"2026-06-11T17:13:34Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"d14eb637-9032-4bdc-b404-8a5b41d5d268","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-11T17:13:34Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"d14eb637-9032-4bdc-b404-8a5b41d5d268","authorized":true,"response":"OK"}